CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, remains a potent initial access vector for multiple intrusion sets targeting Ukraine.
Analysis of attacks through April 2026 shows at least two distinct campaigns exploiting this vulnerability: a compiled-stealer chain attributed to an intrusion set we temporarily label SHADOW-EARTH-066 (tracked by CERT-UA as UAC-0226) and an HTA-based espionage chain used by the Russia-aligned Earth Dahu (Gamaredon).
Both continue producing fresh exploit samples, and Earth Dahu remains active at the time of writing.
The vulnerability leverages NTFS Alternate Data Streams (ADS) in RAR5 SERVICE headers to embed path traversal sequences that WinRAR prior to version 7.13 did not sanitize.
A crafted archive presents a benign-looking decoy PDF to the user while silently writing payloads to locations outside the extraction folder, commonly the Windows Startup folder or C:\ProgramData, so that execution occurs at the next login without additional user interaction.
The exploit's stealth and the widespread use of WinRAR across Ukrainian organizations make this an attractive, low-friction vector for espionage and credential theft.
SHADOW-EARTH-066’s campaign demonstrates rapid operational maturation. Early activity used macro-enabled Excel droppers and plaintext Telegram exfiltration.
According to TrendAI, by 2026 the actor had transitioned to CVE-2025-8088 delivery, an LNK-to-PowerShell loader, and an in-memory DLL (result.dll) that performs rapid credential and document theft before self-deleting.
WinRAR Vulnerability Exploited
The RAR archives drop three ADS payloads: a Startup LNK, a heavily obfuscated PowerShell loader in C:\ProgramData, and an encoded DLL.

The loader decodes the DLL and performs in-memory loading via direct NT syscalls (NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx) to evade user-mode API hooks and file-based detection.
Result.dll is a matured evolution of the earlier GIFTEDCROOK stealer. Compiled for x86-64 and statically linking libcurl, it targets Chromium-based browsers (including an App-Bound Encryption bypass for newer Chrome versions), Firefox, and filesystem documents matching 35 extensions.
Anti-analysis measures include PEB-walk API resolution with FNV-1a hashing, dual-layer RC4-encrypted string tables, identity-function padding, and PRNG-based delays.
Exfiltration uses dual-layer RC4 then HTTPS POST to dedicated C&C servers; after transmission the malware removes its staging artifacts, leaving limited forensic traces.
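The loader described above allocates memory, changes its protection and starts a thread through direct NT syscalls, which is exactly the sequence the mitigation section asks endpoint detection to spot. The following is an added example, not code from the article, TrendAI or any EDR product: a small sequence detector run over constructed telemetry records. The event schema (one dict per syscall with `pid`, `api`, `base`, `size`, `prot` or `start` fields) is an assumption of this example, chosen to resemble what an ETW or EDR sensor would emit.

```python
"""Flag the allocate -> make-executable -> create-thread syscall sequence used by
in-memory loaders. Added example; not code from the article or any vendor product."""
from collections import defaultdict

# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_FLAGS = {0x10, 0x20, 0x40, 0x80}

# Constructed telemetry (assumed schema), modelled on the sequence the article describes.
# The powershell.exe process allocates RW memory, flips it to RX, then starts a thread
# inside it; explorer.exe allocates a heap page but starts its thread at a module address.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "powershell.exe", "api": "NtAllocateVirtualMemory",
     "base": 0x1A0000, "size": 0x20000, "prot": 0x04},
    {"pid": 4120, "image": "powershell.exe", "api": "NtProtectVirtualMemory",
     "base": 0x1A0000, "size": 0x20000, "prot": 0x20},
    {"pid": 4120, "image": "powershell.exe", "api": "NtCreateThreadEx",
     "start": 0x1A1000},
    {"pid": 912, "image": "explorer.exe", "api": "NtAllocateVirtualMemory",
     "base": 0x2C0000, "size": 0x1000, "prot": 0x04},
    {"pid": 912, "image": "explorer.exe", "api": "NtCreateThreadEx",
     "start": 0x7FF6A0001000},
]


def detect_inmemory_loads(events):
    """Return one alert per thread started inside a region that the same process
    allocated earlier and then made executable (either at allocation or via protect)."""
    regions = defaultdict(list)   # pid -> list of [base, end, is_executable]
    alerts = []
    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api == "NtAllocateVirtualMemory":
            executable = ev["prot"] in PAGE_EXECUTE_FLAGS
            regions[pid].append([ev["base"], ev["base"] + ev["size"], executable])
        elif api == "NtProtectVirtualMemory":
            # Mark any tracked region that now carries an execute protection.
            for region in regions[pid]:
                if region[0] <= ev["base"] < region[1] and ev["prot"] in PAGE_EXECUTE_FLAGS:
                    region[2] = True
        elif api == "NtCreateThreadEx":
            for region in regions[pid]:
                if region[2] and region[0] <= ev["start"] < region[1]:
                    alerts.append({"pid": pid, "image": ev["image"],
                                   "region": hex(region[0]), "start": hex(ev["start"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_inmemory_loads(SAMPLE_EVENTS):
        print("in-memory load:", alert)
```

The detector keys on the relationship between the three calls rather than on any single API name, so a loader that sleeps between calls or interleaves other activity still trips it, while a process that starts a thread at a legitimate module address does not.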
The From header spoofed a Ukrainian law enforcement agency; DMARC validation failed and no DKIM signature was present.

Earth Dahu’s usage of CVE-2025-8088 follows a different, script-centric model. RAR archives drop a single HTA or an obfuscated VBS/VBE downloader to Startup, which mshta.exe executes on login.
The HTA chains load VBScript from attacker-controlled resources (often proxied via Dynamic DNS and Cloudflare Workers) and retrieve espionage modules, including loaders for GammaSteel and other tools documented by third-party responders.
Earth Dahu frequently spoofs trusted Ukrainian domains via HTTP basic-auth @-notation in C&C URLs and distributes lures that impersonate court summons and government correspondence.
Some chains include an extra Startup\..\Startup path variation, likely to evade detection rules.
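The basic-auth @-notation mentioned above works because everything before the last `@` in a URL's authority is userinfo, so a trusted-looking name can sit where a reader expects the host while the client connects elsewhere. The following is an added example, not code from the article or any vendor, showing how to split the two with the standard library and flag userinfo that looks like a hostname. The sample URLs are constructed from RFC 2606 reserved names and a TEST-NET address; they are not indicators from the campaigns.

```python
"""Separate the host a reader sees from the host a client actually connects to in
URLs that use HTTP basic-auth '@' notation. Added example; not code from the
article or any vendor."""
from urllib.parse import urlsplit

# Constructed samples (RFC 2606 reserved names, 192.0.2.0/24 TEST-NET); none are
# indicators from the campaigns described.
SAMPLE_URLS = [
    "https://trusted-site.example@c2-proxy.example/loader.vbs",   # decoy host in userinfo
    "https://trusted-site.example/summons.pdf",                   # genuine, no userinfo
    "https://c2-proxy.example/loader.vbs",                        # plain, no userinfo
    "http://trusted-site.example:80@192.0.2.10/x",                # fake ':80' mimics a port
    "https://svc:token@c2-proxy.example/api",                     # ordinary credentials
]


def analyze_url(url):
    """Return the actual connection host plus a verdict on the userinfo part."""
    parts = urlsplit(url)
    actual_host = parts.hostname          # derived from the text after the last '@'
    if parts.username is None:
        return {"url": url, "verdict": "no-userinfo", "actual_host": actual_host}
    shown = parts.username
    # A dotted, space-free username is a hostname lookalike, not a login name.
    looks_like_host = "." in shown and " " not in shown
    return {
        "url": url,
        "verdict": "host-spoof" if looks_like_host else "credentials",
        "decoy": shown,
        "actual_host": actual_host,
    }


def find_spoofed(urls):
    """Keep only URLs whose userinfo impersonates a hostname."""
    return [r for r in map(analyze_url, urls) if r["verdict"] == "host-spoof"]


if __name__ == "__main__":
    for result in map(analyze_url, SAMPLE_URLS):
        print(f"{result['verdict']:12} actual={result['actual_host']}  {result['url']}")
```

Run the check over URLs extracted from HTA or VBS downloaders and over proxy logs; a `host-spoof` verdict whose decoy ends in one of your own or an allowlisted government domain is the case worth an alert.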
Despite being patched in July 2025, CVE-2025-8088 persists in the wild because WinRAR lacks enterprise update mechanisms: no Group Policy support, no WSUS/SCCM/Intune integration, and no auto-update in many deployments.
That creates a persistent blind spot; widely installed utility apps that are infrequently updated continue to accumulate exploitable vulnerabilities.
Other Russia-aligned groups, including Sandworm, Turla, and Void Rabisu, have also been observed exploiting the same vulnerability, underscoring its operational value.
Mitigation priorities are straightforward: verify WinRAR versions and update to 7.13 or later, where the ADS path traversal is patched; block common exploitation patterns at mail gateways (RAR attachments with decoys), enforce application allowlisting, and deploy endpoint detection capable of spotting in-memory loading via NT syscall sequences.
Organizations should also inventory third-party utilities and adopt centralized patch or compensating controls to close the class of persistent blind spots that CVE-2025-8088 continues to expose.
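The article describes payloads written outside the extraction folder into Startup or C:\ProgramData, and the Earth Dahu section notes a Startup\..\Startup variant meant to slip past detection rules. The following is an added example, not code from the article, CERT-UA or any vendor, of the check a mail-gateway or archive scanner can apply to entry and stream names before anything is extracted: normalise the destination path and classify where it lands. The way a stream name is mapped onto a filesystem path is a simplified model of the behaviour the article describes (the leading `:` is dropped and the rest resolved relative to the extraction directory), not WinRAR's actual code; the extraction directory and entry names are constructed, not campaign artefacts.

```python
"""Resolve where an archive entry or NTFS stream name would land after extraction and
flag traversal into auto-run locations. Added example; not code from the article,
CERT-UA or any vendor. The stream-name-to-path mapping is a simplified model."""
import ntpath
import re

# Destinations where a dropped file runs at next logon or is commonly staged.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
PROGRAMDATA_PREFIX = "c:\\programdata\\"

# Constructed sample: an extraction directory and entry names modelled on the article
# (decoy PDF, ':'-prefixed ADS names that traverse to Startup or C:\ProgramData,
# and the Startup\..\Startup variant). Not real campaign artefacts.
EXTRACT_DIR = r"C:\Users\alice\Downloads\summons"
SAMPLE_ENTRIES = [
    "summons.pdf",
    r":..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r":..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..\Startup\update.hta",
    r":..\..\..\..\ProgramData\svc.ps1",
    r"docs\..\readme.txt",
]


def resolve_target(extract_dir, entry_name):
    """Normalised absolute path the entry would be written to.

    A stream name stored in a RAR5 STM service header starts with ':'. This example
    assumes (simplified model) that the remainder resolves relative to the
    extraction directory, which is where the decoy file is written."""
    name = entry_name.lstrip(":").replace("/", "\\")
    return ntpath.normpath(ntpath.join(extract_dir, name))


def naive_startup_match(entry_name):
    """A literal rule for 'Programs\\Startup\\<file>' at the end of the name.
    It matches the plain ADS name but misses the Startup\\..\\Startup variant."""
    return re.search(r"programs\\startup\\[^\\]+$", entry_name.lower()) is not None


def classify(extract_dir, entry_name):
    """Decide whether an entry escapes the extraction directory and where it lands."""
    target = resolve_target(extract_dir, entry_name)
    base = ntpath.normpath(extract_dir).lower().rstrip("\\") + "\\"
    low = target.lower()
    escapes = not low.startswith(base)
    autorun = STARTUP_MARKER in low or low.startswith(PROGRAMDATA_PREFIX)
    if escapes and autorun:
        verdict = "traversal-to-autorun"
    elif escapes:
        verdict = "traversal"
    else:
        verdict = "ok"
    return {"entry": entry_name, "target": target, "verdict": verdict}


def scan(extract_dir, entries):
    """Classify every entry of one archive."""
    return [classify(extract_dir, e) for e in entries]


if __name__ == "__main__":
    for result in scan(EXTRACT_DIR, SAMPLE_ENTRIES):
        naive = naive_startup_match(result["entry"])
        print(f"{result['verdict']:22} naive_rule={naive!s:5} {result['target']}")
```

Because `ntpath.normpath` collapses the `..` components before the check, the `Startup\..\Startup` entry is classified exactly like the plain one, while the literal regex rule fires on only the first; the comparison is the point of the example. Any entry whose normalised target escapes the extraction directory should be blocked regardless of where it lands, since a benign archive has no reason to write outside it.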
Indicators of Compromise
| Tactic | Technique | ID | Campaign |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | Earth Dahu |
| Execution | User Execution: Malicious File | T1204.002 | Both |
| Execution | PowerShell | T1059.001 | SHADOW-EARTH-066 |
| Persistence | Startup Folder | T1547.001 | Earth Dahu |
| Defense Evasion | NTFS File Attributes | T1564.004 | Both |
| Defense Evasion | Obfuscated Files or Information | T1027 | SHADOW-EARTH-066 |
| Defense Evasion | Reflective Code Loading | T1620 | SHADOW-EARTH-066 |
| Defense Evasion | Masquerading | T1036 | Both |
| Defense Evasion | Sandbox Evasion | T1497 | SHADOW-EARTH-066 |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | SHADOW-EARTH-066 |
| Credential Access | Web Browser Credentials | T1555.003 | SHADOW-EARTH-066 |
| Credential Access | Steal Web Session Cookie | T1539 | SHADOW-EARTH-066 |
| Collection | Data from Local System | T1005 | SHADOW-EARTH-066 |
| Exfiltration | Exfiltration Over C&C Channel | T1041 | SHADOW-EARTH-066 |
| C&C | Web Protocols | T1071.001 | Both |
| C&C | Encrypted Channel | T1573.001 | SHADOW-EARTH-066 |
| Impact | Data Destruction | T1485 | Earth Dahu (reported by ClearSky) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

