WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation Wave
Summary
Hide ▲
Show ▼
CVE-2025-8088 in WinRAR remains an ongoing exploitation wave. Trend Micro says Russia-aligned groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226) are using the flaw against Ukrainian organisations with RAR archives, hidden ADS payloads, and a Startup-folder LNK to deploy GIFTEDCROOK and related stealers. The activity has continued almost a year after July 2025 patches, and the latest reporting shows the abuse has shifted from Telegram to dedicated C2 servers.
Related Happenings
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
Campaign
H score57
First: 09.06.2026 15:26
Last: 09.06.2026 15:26
Sources 1
How related:
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
About this happening:
The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year af...
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
CampaignHow related: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
About this happening: The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year af...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
How related:
These attacks, as recently also documented by Sekoia last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad.
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityHow related: These attacks, as recently also documented by Sekoia last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad.
About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
H score56
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
CampaignAbout this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
H score37
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
IncidentAbout this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Storm-1175 high-velocity exploit campaign
Campaign
H score59
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm-1175 high-velocity exploit campaign
CampaignAbout this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Timeline
-
27.01.2026 21:38 2 articles · 5mo ago
WinRAR CVE-2025-8088 exploitation begins
Exploitation ObservedGoogle Threat Intelligence Group says exploitation of CVE-2025-8088 in WinRAR started as early as July 18, 2025, with attackers using Alternate Data Streams and directory traversal to write malicious files to arbitrary locations and gain initial access.
Show sources
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine — thehackernews.com — 09.06.2026 15:26
-
27.01.2026 21:38 3 articles · 5mo ago
Google broadens the WinRAR exploitation picture
Campaign Scope UpdateOn January 27, 2026, Google Threat Intelligence Group reported that CVE-2025-8088 exploitation continued from both state-backed espionage actors and lower-tier, financially motivated cybercriminals, and it also noted that ESET had reported in early August 2025 that RomCom was exploiting the flaw in zero-day attacks.
Show sources
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09