Find notable cyber news and cases, enriched with sources, timelines, and signals.

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
First reported
Last updated
Happening score
H score 20
2 unique sources, 3 articles

Summary

Hide ▲

CVE-2025-8088 in WinRAR remains an ongoing exploitation wave. Trend Micro says Russia-aligned groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226) are using the flaw against Ukrainian organisations with RAR archives, hidden ADS payloads, and a Startup-folder LNK to deploy GIFTEDCROOK and related stealers. The activity has continued almost a year after July 2025 patches, and the latest reporting shows the abuse has shifted from Telegram to dedicated C2 servers.

Related Happenings

Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations

Campaign
H score57 First: 09.06.2026 15:26 Last: 09.06.2026 15:26 Sources 1

How related: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.

About this happening: The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year af...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

How related: These attacks, as recently also documented by Sekoia last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad.

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
H score56 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
H score37 First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Timeline

  1. 27.01.2026 21:38 2 articles · 5mo ago

    WinRAR CVE-2025-8088 exploitation begins

    Exploitation Observed

    Google Threat Intelligence Group says exploitation of CVE-2025-8088 in WinRAR started as early as July 18, 2025, with attackers using Alternate Data Streams and directory traversal to write malicious files to arbitrary locations and gain initial access.

    Show sources
  2. 27.01.2026 21:38 3 articles · 5mo ago

    Google broadens the WinRAR exploitation picture

    Campaign Scope Update

    On January 27, 2026, Google Threat Intelligence Group reported that CVE-2025-8088 exploitation continued from both state-backed espionage actors and lower-tier, financially motivated cybercriminals, and it also noted that ESET had reported in early August 2025 that RomCom was exploiting the flaw in zero-day attacks.

    Show sources