Almost a year after the file archiving tool WinRAR fixed a serious security hole, Russia-aligned hackers are still walking through it to break into Ukrainian organizations. Researchers at Trend Micro report that two separate intrusion campaigns are exploiting the same WinRAR flaw, CVE-2025-8088, to silently plant malware on the computers of Ukrainian military, law enforcement, and local government targets, even though a patch has been available since July 2025.
The finding, published by Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord, highlights a recurring problem: widely used desktop software like WinRAR is rarely covered by the centralized update systems companies rely on to keep Windows patched, so a fixed bug can stay exploitable on real machines for months or years.
How the attack works
CVE-2025-8088 is a path traversal flaw: a booby-trapped archive can make WinRAR write files to locations on disk that the user never chose. The victim receives a RAR file by email and opens it with an unpatched copy of WinRAR. All they see is a decoy document, often a fake Ukrainian court summons accusing them of spreading false rumors, a lure built to create urgency. In the background, the archive carries Alternate Data Stream entries (an NTFS feature that lets a file hold extra named streams) whose names contain directory traversal sequences such as ..\, and vulnerable versions resolve those names outside the folder the user extracted to, so a file lands in the Windows Startup folder without any prompt. The next time the user logs in, the planted code runs. No warning is ever shown.
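To make the traversal concrete, here is an added example in Python that models the bug class; it is not code from WinRAR, Trend Micro or ESET. It shows an extractor that validates the primary file name but passes the Alternate Data Stream name through unchecked, beside a hardened version that validates both. The extraction directory, the decoy name and the stream name are constructed, and the way the stream name is resolved (treating file:stream like file\stream for the purpose of ..\ handling) is a modelling assumption, not a description of WinRAR internals.

```python
"""Added example, not code from WinRAR, Trend Micro or ESET.

Models the bug class behind CVE-2025-8088: the extractor checks the
primary entry name against the extraction directory but lets the
Alternate Data Stream (ADS) name, written as <file>:<stream>, carry
".." components. Paths and entries are constructed; how the stream
name is resolved (here: as if <file>:<stream> were <file>\\<stream>)
is a modelling assumption, not WinRAR's actual code path.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Constructed: where the user extracted the archive, and the per-user Startup folder.
EXTRACT_DIR = PureWindowsPath(r"C:\Users\victim\Downloads\summons")
STARTUP_DIR = PureWindowsPath(
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")

# Constructed ADS name of the kind described in the text: enough "..\" to reach
# the profile root, then a relative path into the Startup folder.
MALICIOUS_STREAM = (r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu"
                    r"\Programs\Startup\update.cmd")


def resolve(base: PureWindowsPath, rel: str) -> PureWindowsPath | None:
    """Join ``rel`` onto ``base`` and collapse "." and "..", the way a Windows
    path normalizer does (".." above the drive root is clamped, not an error).
    Returns None for absolute or drive-relative names, which an archive entry
    must never use."""
    p = PureWindowsPath(rel)
    if p.drive or p.root:
        return None
    parts = list(base.parts)            # parts[0] is the drive root, e.g. 'C:\\'
    for part in p.parts:
        if part == "..":
            if len(parts) > 1:
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(*parts)


def is_inside(base: PureWindowsPath, target: PureWindowsPath) -> bool:
    """True when ``target`` is ``base`` itself or lies beneath it."""
    return target == base or base in target.parents


def vulnerable_targets(name: str, stream: str | None = None) -> list[PureWindowsPath]:
    """Pre-fix behaviour as modelled: the file name is checked, the stream
    name is not. Returns every path the extractor would write."""
    target = resolve(EXTRACT_DIR, name)
    if target is None or not is_inside(EXTRACT_DIR, target):
        raise ValueError(f"refused: {name!r} escapes the extraction directory")
    written = [target]
    if stream is not None:
        alt = resolve(target, stream)   # ".." in the stream walks up the tree
        if alt is None:
            raise ValueError(f"refused: bad stream name {stream!r}")
        written.append(alt)             # never compared against EXTRACT_DIR
    return written


def hardened_targets(name: str, stream: str | None = None) -> list[PureWindowsPath]:
    """Fixed behaviour: a stream name must be a single plain component, and
    every path that will be written is checked for containment."""
    target = resolve(EXTRACT_DIR, name)
    if target is None or not is_inside(EXTRACT_DIR, target):
        raise ValueError(f"refused: {name!r} escapes the extraction directory")
    written = [target]
    if stream is not None:
        if not stream or stream in (".", "..") or any(c in stream for c in "\\/:"):
            raise ValueError(f"refused: stream name {stream!r} is not a plain name")
        alt = resolve(target, stream)
        if alt is None or not is_inside(EXTRACT_DIR, alt):   # belt and braces
            raise ValueError(f"refused: stream {stream!r} escapes the extraction directory")
        written.append(alt)
    return written


def demo() -> dict:
    """Run the constructed archive entry through both extractors."""
    escaped = vulnerable_targets("decoy.pdf", MALICIOUS_STREAM)[1]
    try:
        hardened_targets("decoy.pdf", MALICIOUS_STREAM)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "vulnerable_writes": str(escaped),
        "lands_in_startup": is_inside(STARTUP_DIR, escaped),
        "hardened_blocks": blocked,
        # a benign stream such as Zone.Identifier still extracts under the hardened rule
        "benign_ok": len(hardened_targets("decoy.pdf", "Zone.Identifier")) == 2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened version is the order of checks: a stream name is rejected on shape (separators, dots) before any path is built, and the containment test is still applied to the resulting path so that a future change in how names are joined cannot quietly reopen the hole.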
Two groups, one entry point
The first campaign is run by a cluster Trend Micro calls SHADOW-EARTH-066, which Ukraine's CERT-UA tracks as UAC-0226. It delivers an upgraded version of an information stealer named GIFTEDCROOK that, in under a year, has graduated from crude Excel macros to a stealthy in-memory loader. The new build harvests saved passwords and session cookies from Chrome, Edge, Opera, and Firefox, collects documents matching 35 file types (including KeePass password vaults and OpenVPN configuration files), exfiltrates the loot to dedicated servers over encrypted channels, and then deletes itself to leave little trace. It even includes a bypass for Chrome's App Bound Encryption, a protection Google specifically added to blunt password stealers.
The second campaign is attributed to Earth Dahu, better known as Gamaredon, one of the most prolific Russia-aligned groups targeting Ukraine since 2013. It uses the same WinRAR flaw to drop a malicious HTA (HTML Application) file that pulls down espionage tools. The two groups rely on different malware and infrastructure but share the same way in. Trend Micro notes the WinRAR bug was first exploited as a zero-day in 2025 and has since been picked up by several Russia-aligned operators, including Sandworm and Turla.
What you should do
Update WinRAR to version 7.13 or later, which fixes the flaw. WinRAR does not update itself, so the upgrade has to be pushed through your software deployment tooling or done by hand on every machine. Treat unexpected RAR attachments with suspicion, and hunt for unfamiliar files in both Windows Startup folders (the per-user one under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the all-users one under C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp) as well as elsewhere in C:\ProgramData. Selected indicators from the report include the malware sample with SHA256 3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25 and command and control servers at 166[.]0[.]132[.]237 and 38[.]225[.]209[.]229.
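The steps above, as an added triage script in Python that is not part of the Trend Micro report: it compares a WinRAR version string against 7.13 numerically, hashes every file under the Startup folders and C:\ProgramData against the indicator list, and matches netstat -ano output against the C2 addresses. The indicators stay defanged in the source and are re-armed only in memory. demo() runs entirely on constructed inputs (a temporary Startup folder and sample netstat lines); the registry key that main() reads for the installed version is an assumption, and the real paths it scans are the standard Windows locations.

```python
"""Added example, not from the Trend Micro report: a triage script for the
defensive steps above. Indicators stay defanged in the source and are
re-armed only in memory. demo() uses constructed inputs; the registry key
read in main() for the installed version is an assumption."""
from __future__ import annotations

import hashlib, os, re, subprocess, sys, tempfile
from pathlib import Path

PATCHED = (7, 13)
IOC_SHA256 = {"3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25"}
IOC_C2_DEFANGED = ["166[.]0[.]132[.]237", "38[.]225[.]209[.]229"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def winrar_is_patched(version: str) -> bool:
    """Compare numerically: '7.9' must not sort above '7.13'."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
    return nums >= PATCHED


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_hunt(roots, ioc_hashes) -> list[tuple[str, str]]:
    """Return (path, sha256) for every file under ``roots`` whose hash is listed."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:        # locked or unreadable file: skip, keep going
                continue
            if digest in ioc_hashes:
                hits.append((str(p), digest))
    return hits


def c2_hits(netstat_lines, c2_ips) -> list[tuple[str, str]]:
    """Parse ``netstat -ano`` lines and return (remote_ip, pid) for listed C2s."""
    hits = []
    for line in netstat_lines:
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                       # header and blank lines
        remote_ip = f[2].rsplit(":", 1)[0]
        if remote_ip in c2_ips:
            hits.append((remote_ip, f[-1]))
    return hits


def demo() -> dict:
    """Constructed inputs: a temp Startup folder with a planted file (its hash is
    added to the IOC set so the match is demonstrable) and netstat lines with one
    connection to a listed C2 and one to an unrelated host."""
    c2 = {refang(x) for x in IOC_C2_DEFANGED}
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        planted = startup / "update.cmd"
        planted.write_bytes(b"constructed planted payload")
        (startup / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
        hits = hash_hunt([startup], IOC_SHA256 | {sha256_file(planted)})
    netstat = [  # constructed
        "  TCP    10.0.0.5:49822    166.0.132.237:443    ESTABLISHED    4120",
        "  TCP    10.0.0.5:49823    203.0.113.10:443     ESTABLISHED    2280",
        "  UDP    0.0.0.0:5353      *:*                                 1536",
    ]
    return {"planted": [Path(p).name for p, _ in hits],
            "c2": c2_hits(netstat, c2),
            "versions": {v: winrar_is_patched(v) for v in ("6.24", "7.12", "7.13", "7.13.0")}}


if __name__ == "__main__":
    if sys.platform != "win32":
        print(demo())
        sys.exit(0)
    import winreg  # assumption: the installer records DisplayVersion under this key
    key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            ver = winreg.QueryValueEx(k, "DisplayVersion")[0]
        print("WinRAR", ver, "patched" if winrar_is_patched(ver) else "UPDATE NOW")
    except OSError:
        print("WinRAR uninstall key not found; check the version by hand")
    roots = [os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
             os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
             os.path.expandvars(r"%ProgramData%")]
    for path, digest in hash_hunt(roots, IOC_SHA256):
        print("IOC hash match:", path, digest)
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    for ip, pid in c2_hits(out.splitlines(), {refang(x) for x in IOC_C2_DEFANGED}):
        print("connection to listed C2:", ip, "PID", pid)
```

A hash match only catches the exact sample from the report; the Startup folder listing is the more durable check, since any file there that nobody can account for deserves a look regardless of its hash.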
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.