Find notable cyber news and cases, enriched with sources, timelines, and signals.

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
First reported
Last updated
Happening score
H score 21
2 unique sources, 5 articles

Summary

Hide ▲

The CVE-2025-8088 WinRAR path traversal flaw is being actively exploited through Alternate Data Streams (ADS) to write malicious files outside the extraction directory and place payloads for persistence and execution. Trend Micro says Russia-aligned groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226) are using the flaw against Ukrainian organisations, with one chain dropping a Startup-folder LNK and a PowerShell/Cmd.exe loader that deploys GIFTEDCROOK. The activity has been linked to both crafted RAR archives and a shift from Telegram to dedicated C2 servers for exfiltration. The vulnerability was patched in July 2025, but exploitation continued into 2026.

Related Happenings

Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations

Campaign
H score57 First: 09.06.2026 15:26 Last: 09.06.2026 15:26 Sources 1

How related: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.

About this happening: The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year af...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

How related: The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
H score56 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
H score40 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
H score37 First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Timeline

  1. 27.01.2026 21:38 5 articles · 5mo ago

    CVE-2025-8088 exploitation begins in WinRAR

    Exploitation Observed

    Threat actors begin exploiting CVE-2025-8088 in WinRAR for initial access, using Alternate Data Streams (ADS) and directory traversal to write malicious files to arbitrary locations and set up payload delivery.

    Show sources
  2. 27.01.2026 21:38 2 articles · 5mo ago

    GTIG reports ongoing WinRAR exploitation and actor set

    Initial Disclosure

    Google Threat Intelligence Group (GTIG) reports ongoing exploitation of CVE-2025-8088 in WinRAR by state-sponsored and financially motivated actors, including UNC4895 (RomCom/CIGAR), APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN), Turla (SUMMIT), and China-linked actors, while also noting commodity activity such as XWorm, AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser; GTIG also cites ESET's early August 2025 discovery of RomCom zero-day activity and says working exploits were being sold by suppliers such as "zeroplayer".

    Show sources