Two Russian APT groups are taking advantage of a WinRAR vulnerability that was fixed nearly a year ago to target Ukraine.
**Summary**: Two Russian state-affiliated hacking groups are taking advantage of a WinRAR vulnerability fixed in July 2025 to steal credentials from Ukrainian entities. The fix is available, but organizations are slow to implement it.
Research from Trend Micro reveals that two hacking groups linked to the FSB are exploiting a path traversal vulnerability in WinRAR that was patched nearly a year ago. They are using the flaw to deploy malware that steals credentials from Ukrainian governmental and military systems. The vulnerability, designated CVE-2025-8088 and rated 8.4 on the CVSS scale, concerns how WinRAR handles NTFS Alternate Data Streams stored in an archive: a crafted archive can carry stream entries whose names contain path-traversal sequences, so that when the victim extracts a seemingly innocuous file, WinRAR silently writes an attacker-chosen file outside the chosen extraction folder, such as into the user's Startup folder, where it runs at the next logon. The decoy document the victim sees looks harmless, which is what makes the technique effective in phishing. The patch shipped in WinRAR version 7.13 on July 30, 2025, but active exploitation began at least 12 days earlier, and the groups continue their attacks because updates are adopted slowly within Ukrainian organizations.
Gamaredon, a group associated with the FSB and tracked by Trend Micro as Earth Dahu, exploits the vulnerability to start a multi-stage infection. The attack begins with a spear-phishing email carrying a specially crafted RAR archive that abuses CVE-2025-8088 to drop an HTA file, which runs a VBScript loader named GammaPhish. That loader downloads GammaLoad, a backdoor that establishes persistence and then retrieves GammaSteel, the group's primary tool for exfiltrating sensitive documents and screenshots from compromised systems.
Another group, SHADOW-EARTH-066, which Ukraine's CERT refers to as UAC-0226, has independently focused on the same WinRAR flaw but uses different malware. It previously relied on malicious Excel macros to deliver its payloads; after the vulnerability came to light it shifted to WinRAR exploit chains, a tactical upgrade that sidesteps Microsoft's default blocking of macros in Office documents downloaded from the internet. Its malware, GIFTEDCROOK, collects saved passwords and session cookies from browsers including Chrome, Edge, Opera, and Firefox, as well as documents from the infected systems.
Two distinct Russian APT groups converging on a single vulnerability is notable: Gamaredon and SHADOW-EARTH-066 use different tools and appear to have different intelligence-gathering goals, yet both settled on CVE-2025-8088 as an effective way into Ukrainian targets. Researchers Hiroyuki Kakara and Feike Hacquebord from Trend Micro documented the campaigns in a joint report. French threat intelligence firm Sekoia independently confirmed the Gamaredon operations and observed that the group's focus has remained on Ukrainian military, law enforcement, and governmental targets throughout the campaign.
A noteworthy operational change accompanies these exploitation efforts. Gamaredon has traditionally used Telegram bots and channels to relay stolen data to its operators, but since early 2026 it has been moving exfiltration to dedicated command-and-control servers. The shift coincides with Russia's decision to throttle Telegram traffic from February 10, 2026, reported by CNN and Amnesty International, which has degraded the platform's reliability inside Russia and made it a less dependable channel for covert data transfers.
RomCom, a separate Russian-speaking APT group, was the first known attacker to exploit CVE-2025-8088, doing so before the patch for WinRAR was released. At least three distinct groups using the same exploit underlines a familiar problem: the gap between a patch becoming available and organizations actually deploying it gives attackers a long window of opportunity. WinRAR does not update itself, so every installation has to be upgraded deliberately or through a software-deployment tool, and Ukrainian organizations operating under wartime conditions face extra obstacles in keeping software current.
These campaigns fit a wider pattern of Russian state-sponsored cyber operations against European and Ukrainian infrastructure that has escalated since the full-scale invasion in 2022. GIFTEDCROOK's focus on browser credentials is a serious threat because stolen saved passwords and session cookies let attackers sign in to email accounts, internal portals, and communication platforms without further authentication, and a valid session cookie also bypasses any password-based MFA prompt that would otherwise have fired. Trend Micro emphasizes that compromised browser data often enables lateral movement well beyond the initially affected device.
For organizations still running WinRAR 7.12 or earlier, the fix is to upgrade to version 7.13 or later, available since July 2025; because WinRAR has no automatic updater, this means inventorying installed versions and pushing the new build rather than waiting for users to do it. The continued exploitation despite an available patch remains the core problem. Administrators who cannot update immediately should treat incoming RAR files with the same caution as other archive formats weaponized in recent campaigns: where feasible, configure the email gateway or attachment sandbox to inspect RAR attachments and quarantine any whose entry or stream names contain alternate-data-stream markers or path-traversal sequences (such as repeated `..\`), and check the Startup folders of users who have opened suspicious archives for unexpected shortcut or script files that were never placed there by IT.
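The following is an added example written for this article, not code from Trend Micro, Sekoia, or RARLAB, showing how a gateway or mail-sandbox triage step can flag RAR attachments built the way the exploit archives described above are built. It relies on one property of the RAR format: RAR4 and RAR5 store entry and stream names uncompressed in their headers, so a traversal sequence in a stream name is visible in the raw bytes unless the archive's headers are encrypted. The verdict names, the `triage` and `headers_encrypted` helpers, and the sample byte strings are all assumptions of this example; the samples are constructed header-like fragments, not valid archives.

```python
"""Heuristic triage of RAR attachments for CVE-2025-8088-style stream names.

Added example for this article (not vendor code). Scans raw archive bytes for
path-traversal sequences, which the exploit archives carried inside NTFS
Alternate Data Stream names so that extraction wrote a file into the user's
Startup folder. Header-encrypted archives hide names, so they get "review".
"""
import re
from typing import Dict, List, Tuple

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# Two or more "..\" or "../" hops in a row: a name that escapes the extraction
# directory. Single "../" is too common in benign relative paths to act on.
TRAVERSAL = re.compile(rb"(?:\.\.[\\/]){2,}")
# The folder the malicious streams were written into (any user's Startup folder).
STARTUP = re.compile(rb"Start Menu[\\/]Programs[\\/]Startup", re.IGNORECASE)


def read_vint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a RAR5 variable-length integer (7 bits per byte, MSB = continue)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def headers_encrypted(data: bytes) -> bool:
    """True when the archive's headers are encrypted, so names cannot be seen."""
    if data.startswith(RAR5_SIG):
        pos = len(RAR5_SIG) + 4          # skip signature and 4-byte header CRC32
        _size, pos = read_vint(data, pos)
        htype, _ = read_vint(data, pos)
        return htype == 4                # RAR5 header type 4: archive encryption
    if data.startswith(RAR4_SIG):
        pos = len(RAR4_SIG)              # main header: CRC(2) type(1) flags(2)
        flags = int.from_bytes(data[pos + 3:pos + 5], "little")
        return bool(flags & 0x0080)      # MHD_PASSWORD: encrypted headers
    return False


def triage(data: bytes) -> Dict[str, object]:
    """Classify one attachment. Verdicts: not-rar, review, block, allow."""
    if data.startswith(RAR5_SIG):
        fmt = "rar5"
    elif data.startswith(RAR4_SIG):
        fmt = "rar4"
    else:
        return {"format": "not-rar", "verdict": "not-rar", "hits": []}
    try:
        encrypted = headers_encrypted(data)
    except IndexError:
        encrypted = True                 # truncated: cannot inspect, treat as opaque
    if encrypted:
        return {"format": fmt, "verdict": "review", "hits": []}
    hits: List[Dict[str, object]] = []
    for m in TRAVERSAL.finditer(data):
        # Capture the printable run starting at the match so an analyst can see
        # the full target path; cut at the first non-ASCII or control byte.
        tail = data[m.start():m.start() + 200]
        cut = next((i for i, b in enumerate(tail) if b < 0x20 or b > 0x7E), len(tail))
        name = tail[:cut].decode("ascii")
        hits.append({"offset": m.start(), "name": name,
                     "startup": bool(STARTUP.search(tail[:cut]))})
    return {"format": fmt, "verdict": "block" if hits else "allow", "hits": hits}


# Constructed header-like byte strings for demonstration only; they are not
# valid archives. Only the signature, the first header's type or flags, and the
# embedded names matter to triage().
_MAIN_HDR = b"\x00\x00\x00\x00\x07\x01\x00\x00\x00"     # CRC, size=7, type=1 (main)
BENIGN = RAR5_SIG + _MAIN_HDR + b"Q3_report.docx" + b"\x00" * 16
MALICIOUS = (RAR5_SIG + _MAIN_HDR + b"Q3_report.docx"
             + b"\x00\x00\x00\x00\x20\x03\x00STM"              # service header "STM"
             + b"..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
             + b"\\Start Menu\\Programs\\Startup\\Updater.lnk" + b"\x00" * 16)
ENCRYPTED = RAR5_SIG + b"\x00\x00\x00\x00\x0f\x04" + b"\x00" * 20   # type=4
RAR4_LOCKED = RAR4_SIG + b"\x00\x00\x73" + (0x0080).to_bytes(2, "little") + b"\x00" * 20

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("malicious", MALICIOUS),
                        ("rar5-encrypted", ENCRYPTED), ("rar4-encrypted", RAR4_LOCKED)]:
        print(label, triage(blob))
```

Because compressed file data can contain `..\` by coincidence, treat "block" as quarantine-for-review rather than silent deletion, and use the reported offset and name to confirm the match sits in a header. "review" is the important second verdict: password-protected archives with encrypted headers defeat this scan entirely, and the groups discussed here already send password-protected attachments in other campaigns, so those should go to a detonation sandbox or be held until a human decides.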
