Russia-aligned cyberattack campaigns are actively exploiting a security flaw in WinRAR to target Ukrainian organizations, nearly a year after patches for the vulnerability were released. The activity, tracked by Trend Micro, involves the exploitation of CVE-2025-8088, a path traversal vulnerability that enables attackers to place malicious files in startup folders.
Both Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226) are leveraging the flaw to conduct data theft and cyberespionage. The campaigns specifically focus on Ukrainian military and government entities, using the exploit to deploy stealers that exfiltrate sensitive information.
The technical mechanism exploits WinRAR's handling of archive paths, allowing attackers to escape the extraction directory and drop executables into the Windows startup folder. This achieves persistence without requiring user interaction beyond opening a malicious archive. Indicators of compromise include unusual file writes to the Startup folder and anomalous archive files containing path traversal sequences.
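A defender-side check for the archive indicator described above, added here as an example rather than code from Trend Micro or the report: it takes archive entry names (a constructed sample list below) and flags traversal sequences, absolute paths, entries that would resolve outside the extraction directory, and entries that would resolve into a Startup folder. The extraction directory and the Startup-folder path fragment are assumptions.

```python
import ntpath
from typing import List, NamedTuple
# Constructed values: the directory a user would extract into, and the path
# fragment shared by the per-user and all-users Startup folders (assumption).
EXTRACT_DIR = r"C:\Users\victim\Downloads\extract"
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

class Finding(NamedTuple):
    entry: str          # entry name as stored in the archive
    resolved: str       # where a naive extractor would write it
    reasons: List[str]  # which indicators matched

def resolve_entry(extract_dir: str, entry: str) -> str:
    """Resolve an entry the way a naive extractor would: join it to extract_dir and
    collapse '..'. ntpath.join discards extract_dir when the entry is absolute."""
    name = entry.replace("/", "\\")
    return ntpath.normpath(ntpath.join(extract_dir, name))

def escapes_extract_dir(extract_dir: str, resolved: str) -> bool:
    base = ntpath.normcase(ntpath.normpath(extract_dir)).rstrip("\\") + "\\"
    return not ntpath.normcase(resolved).startswith(base)

def scan_entries(extract_dir: str, entries: List[str]) -> List[Finding]:
    """Flag entries whose names carry the path-traversal indicators described in the report."""
    findings = []
    for entry in entries:
        name = entry.replace("/", "\\")
        resolved = resolve_entry(extract_dir, entry)
        reasons = []
        if ".." in name.split("\\"):
            reasons.append("traversal sequence")
        if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name.startswith("\\"):
            reasons.append("absolute path")
        if escapes_extract_dir(extract_dir, resolved):
            reasons.append("escapes extraction directory")
        if STARTUP_MARKER in ntpath.normcase(resolved):
            reasons.append("resolves into a Startup folder")
        if reasons:
            findings.append(Finding(entry, resolved, reasons))
    return findings

# Constructed entry names standing in for the listing of a received archive.
SAMPLE_ENTRIES = [
    "report.docx",                              # benign
    "docs\\..\\readme.txt",                     # '..' but stays inside the directory
    "../../../../Users/victim/AppData/Roaming/Microsoft/Windows/"
    "Start Menu/Programs/Startup/update.exe",   # traversal into the per-user Startup folder
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",  # absolute path
]
```

In practice the entry names come from listing a received archive (for example with WinRAR's own listing or the third-party rarfile module) before anyone extracts it, so the check runs on the archive rather than on files already written to disk.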
A security update addressing CVE-2025-8088 was released by WinRAR developers in July 2025. Organizations still running unpatched versions remain vulnerable. Trend Micro recommends ensuring WinRAR is updated to the latest version and restricting the opening of archive files received from untrusted sources.
While both groups operate in support of Russian interests, their tactics differ: Earth Dahu typically conducts disruptive campaigns, while SHADOW-EARTH-066 focuses on longer-term espionage. The continued exploitation of a year-old flaw underscores the persistent risk posed by unpatched software in targeted environments.