[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpkjf4jahvbgXlUcodckwQVAAXeXM9_mgVdM3oQHFIkI":3},{"article":4,"iocs":59},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"09365c26-8069-4362-baba-2dee0afb7197","WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine","winrar-flaw-exploited-by-russia-aligned-groups-to-deploy-stealers-in-ukraine-0359f2","Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an","Two Russia-affiliated threat groups—Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226)—are actively exploiting CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, to target Ukrainian organizations nearly a year later. The groups deploy information stealers (GIFTEDCROOK and GammaSteel) via crafted RAR archives with hidden NTFS Alternate Data Streams, using LNK files in Startup folders for persistence. The shift from Telegram to dedicated C2 servers suggests adaptation to Russia's blocking of the messaging platform.","Russia-aligned groups exploit the year-old WinRAR flaw CVE-2025-8088 on unpatched installs to deploy stealers in Ukraine.","WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine. Ravie Lakshmanan, Jun 09, 2026. Vulnerability \u002F Cyber Espionage. Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. 
The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS). WinRAR patched it in July 2025. The findings show \"how unmanaged software keeps an exploited entry point open long after the fix ships,\" Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said in an analysis published Monday. 
The WinRAR exploit chain used by SHADOW-EARTH-066 is a departure from the Excel macro droppers the threat actor previously used to deliver an information stealer called GIFTEDCROOK. The latest iteration uses crafted RAR archives containing a decoy PDF document and three hidden ADS payloads that are written outside the extraction directory to initiate the infection. Among them is a Windows Shortcut (LNK) file placed in the Startup folder so that it runs automatically every time the user logs in. The shortcut spawns a PowerShell loader via \"cmd.exe,\" which then uses in-memory DLL loading to ultimately launch an updated version of GIFTEDCROOK (\"result.dll\"). 
The malware targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, and Opera) and Mozilla Firefox, and harvests documents with certain extensions from the victim's machine. Once the data is exfiltrated to an external server, all malicious artifacts are deleted to cover the forensic trail. A notable change is the shift from Telegram as an exfiltration channel to dedicated command-and-control (C2) servers, a modification that likely aligns with Russia's blocking of the messaging platform in the country this past February. 
The second Russia-affiliated hacking group to weaponize CVE-2025-8088 is Earth Dahu, which has incorporated the flaw into its arsenal since at least September 2025. 
The adversary is known for its \"industrial-scale effort\" to maintain long-term access to compromised organizations. \"Earth Dahu used the vulnerability with an HTA-to-VBScript infection chain that delivered espionage modules,\" Trend Micro noted. \"Based on RAR internal file timestamps and file naming conventions, the chain remained active through at least April 10, 2026.\" 
These attacks, also documented by Sekoia last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad. The intermediate downloader subsequently delivers additional modules such as GammaSteel. GammaLoad is \"a collection of VBScripts designed to ensure continuous access and deploy payloads over time by leveraging Dead Drop Resolvers (DDR),\" Sekoia said, adding that it is used to deploy a dropper that launches a VBScript loader responsible for executing GammaSteel, a comprehensive information stealer that can monitor changes to files in real time. 
\"WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation,\" Trend Micro said. \"The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability reflects the scale of the cyber threats that Ukraine faces.\" 
Tags: cyber espionage, cybersecurity, Information Stealer, Malware, Russia, Ukraine, Vulnerability, WinRAR","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fwinrar-flaw-exploited-by-russia-aligned.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhpdAzGyUad4rioCXpoCvPwiGqto_MgCesTBLTn-1uBtWpWAXB99KN0xiE1oIqwDbVi_vkFDnn05XOxwH3WYjLkPNDykxieuftfe-wLFibGL1o8iiUuGfhiG5yYS7KXBV3gvdIYk5PFCurpn0-L77hajka35iE_a-JxWCaYeKc2Yej1gQrkcrQ61ijTm4HS\u002Fs1600\u002Fwinrar-exploit.jpg","2026-06-09T12:26:10+00:00","2026-06-09T14:00:29.444088+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"Earth Dahu","threat_actor",{"name":22,"type":20},"Gamaredon",{"name":24,"type":20},"SHADOW-EARTH-066",{"name":26,"type":20},"UAC-0226",{"name":28,"type":29},"WinRAR","product",{"name":31,"type":32},"Trend Micro","vendor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39,44,49,54],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":55},{"id":56,"icon":35,"name":57,"slug":58},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[60,64,67,70,73],{"type":61,"value":62,"context":63},"cve","CVE-2025-8088","WinRAR path traversal flaw allowing file write outside extraction directory via NTFS ADS; patched July 2025",{"type":53,"value":65,"context":66},"GIFTEDCROOK","Information stealer targeting passwords and cookies from Chromium browsers and Firefox; deployed by SHADOW-EARTH-066",{"type":53,"value":68,"context":69},"GammaPhish","HTML Application (HTA) deployed by Earth Dahu via WinRAR exploit chain",{"type":53,"value":71,"context":72},"GammaLoad","VBScript downloader using Dead Drop Resolvers (DDR) to deliver additional payloads",{"type":53,"value":74,"context":75},"GammaSteel","Comprehensive information stealer with real-time file monitoring capabilities"]
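The article describes the delivery mechanism only in outline: a RAR archive carries a decoy document plus ADS entries whose stream names traverse out of the extraction directory, so that a LNK lands in the user's Startup folder. The scanner below is an added example written for this page, not code from Trend Micro, Sekoia or the RAR project, and it shows what a gateway or sandbox check for that pattern looks like without extracting anything. It walks RAR5 block headers (CRC32-prefixed, vint-encoded fields, NTFS streams stored as "STM" service headers with the stream name in the service-data extra record; that layout is taken from the published RAR 5.0 format description and is an assumption of this example, and RAR4-layout archives are rejected rather than guessed at) and flags any stream name containing ".." components, a rooted path or a drive letter. The archive it scans is constructed inline with a small builder; the file name, stream names and payload bytes are made up for the example and are not indicators from the campaigns.

```python
"""Header-only RAR5 scanner: flags NTFS ADS ("STM") entries whose stream name
contains a path-traversal sequence, the trick behind CVE-2025-8088.
Added example, not the article's or any vendor's code. Layout assumed from the
published RAR 5.0 format description; RAR4 archives are rejected, not parsed."""
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HDR_FILE, HDR_SERVICE, HDR_END = 2, 3, 5
EXTRA_SUBDATA = 7  # service-data extra record; for STM headers it holds the stream name


def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer: 7 data bits per byte, MSB = continue."""
    val, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        val |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return val, pos


def write_vint(n):
    """Encode an integer as a RAR5 vint (only used to build the constructed sample)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def iter_headers(data):
    """Yield (header_type, name, stream_name, data_size) per block, verifying header CRCs."""
    if data[:8] != RAR5_SIG:
        raise ValueError("not a RAR5 archive (RAR4 layout is not handled here)")
    pos = 8
    while pos < len(data):
        stored_crc = struct.unpack_from("<I", data, pos)[0]
        hsize, body_start = read_vint(data, pos + 4)
        body = data[body_start:body_start + hsize]
        if zlib.crc32(data[pos + 4:body_start + hsize]) != stored_crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = read_vint(body, 0)
        hflags, p = read_vint(body, p)
        extra_size = data_size = 0
        if hflags & 0x0001:
            extra_size, p = read_vint(body, p)
        if hflags & 0x0002:
            data_size, p = read_vint(body, p)
        name = stream_name = None
        if htype in (HDR_FILE, HDR_SERVICE):
            fflags, p = read_vint(body, p)    # file flags
            _, p = read_vint(body, p)         # unpacked size
            _, p = read_vint(body, p)         # attributes
            p += 4 if fflags & 0x0002 else 0  # mtime
            p += 4 if fflags & 0x0004 else 0  # data CRC32
            _, p = read_vint(body, p)         # compression info
            _, p = read_vint(body, p)         # host OS
            nlen, p = read_vint(body, p)
            name = body[p:p + nlen].decode("utf-8", "replace")
            extra, ep = body[hsize - extra_size:], 0
            while ep < len(extra):            # extra records: size, type, data
                rsize, ep = read_vint(extra, ep)
                rtype, rp = read_vint(extra, ep)
                if htype == HDR_SERVICE and name == "STM" and rtype == EXTRA_SUBDATA:
                    stream_name = extra[rp:ep + rsize].decode("utf-8", "replace")
                ep += rsize
        yield htype, name, stream_name, data_size
        if htype == HDR_END:
            break
        pos = body_start + hsize + data_size


def has_traversal(stream_name):
    """True if the ADS name would escape its owning file: '..' component, rooted path
    or drive letter. A legitimate stream name is a bare name such as Zone.Identifier."""
    norm = stream_name.replace("/", "\\")
    return ".." in norm.split("\\") or norm.startswith("\\") or (len(norm) > 1 and norm[1] == ":")


def find_traversal_ads(data):
    """Return one {'file','stream','size'} record per STM entry whose name traverses."""
    findings, owner = [], None
    for htype, name, stream, size in iter_headers(data):
        if htype == HDR_FILE:
            owner = name
        elif htype == HDR_SERVICE and stream is not None and has_traversal(stream):
            findings.append({"file": owner, "stream": stream, "size": size})
    return findings


# --- constructed sample archive (names and bytes are invented for this example) ---
def _block(htype, hflags, fields, extra=b"", data=b""):
    hdr = write_vint(htype) + write_vint(hflags)
    if hflags & 0x0001:
        hdr += write_vint(len(extra))
    if hflags & 0x0002:
        hdr += write_vint(len(data))
    hdr += fields + extra
    sized = write_vint(len(hdr)) + hdr              # CRC covers size field + header
    return struct.pack("<I", zlib.crc32(sized)) + sized + data


def _entry(htype, name, data, hflags=0, extra=b""):
    fields = (write_vint(0) + write_vint(len(data)) + write_vint(0x20)  # flags, size, attrs
              + write_vint(0) + write_vint(0) + write_vint(len(name)) + name)  # stored, Windows
    hflags |= (0x0001 if extra else 0) | (0x0002 if data else 0)
    return _block(htype, hflags, fields, extra, data)


def build_sample_archive(stream_name, payload=b"constructed LNK bytes"):
    """Decoy PDF followed by one ADS attached to it; 0x0020 = 'depends on preceding'."""
    sname = stream_name.encode()
    subdata = write_vint(1 + len(sname)) + write_vint(EXTRA_SUBDATA) + sname
    return (RAR5_SIG + _block(1, 0, write_vint(0))
            + _entry(HDR_FILE, b"Invitation.pdf", b"%PDF-1.4 decoy")
            + _entry(HDR_SERVICE, b"STM", payload, hflags=0x0020, extra=subdata)
            + _block(HDR_END, 0, write_vint(0)))


MALICIOUS_STREAM = "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\example.lnk"
BENIGN_STREAM = "Zone.Identifier"

if __name__ == "__main__":
    for label, s in (("traversal", MALICIOUS_STREAM), ("benign", BENIGN_STREAM)):
        print(label, find_traversal_ads(build_sample_archive(s)))
```

A hit from this check is grounds to quarantine the archive, not proof that a particular extractor would have written the stream; it complements, rather than replaces, updating WinRAR to 7.13 or later, which is the release that fixed CVE-2025-8088. Because it never decompresses data it is safe to run on untrusted input, and the CRC check on every header rejects archives that have been truncated or tampered with in transit.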