WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
Summary
Hide ▲
Show ▼
The CVE-2025-8088 WinRAR path traversal flaw is being actively exploited through Alternate Data Streams (ADS) to write malicious files outside the extraction directory and place payloads for persistence and execution. Trend Micro says Russia-aligned groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226) are using the flaw against Ukrainian organisations, with one chain dropping a Startup-folder LNK and a PowerShell/Cmd.exe loader that deploys GIFTEDCROOK. The activity has been linked to both crafted RAR archives and a shift from Telegram to dedicated C2 servers for exfiltration. The vulnerability was patched in July 2025, but exploitation continued into 2026.
Related Happenings
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
Campaign
H score57
First: 09.06.2026 15:26
Last: 09.06.2026 15:26
Sources 1
How related:
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
About this happening:
The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year af...
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
CampaignHow related: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
About this happening: The **Earth Dahu** and **SHADOW-EARTH-066** campaigns are still exploiting **CVE-2025-8088** in **WinRAR** against **Ukrainian organisations**, extending exposure nearly a year af...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
How related:
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityHow related: The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.
About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
H score56
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
CampaignAbout this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware ActivityAbout this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
H score37
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
IncidentAbout this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Timeline
-
27.01.2026 21:38 5 articles · 5mo ago
CVE-2025-8088 exploitation begins in WinRAR
Exploitation ObservedThreat actors begin exploiting CVE-2025-8088 in WinRAR for initial access, using Alternate Data Streams (ADS) and directory traversal to write malicious files to arbitrary locations and set up payload delivery.
Show sources
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
- Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine — thehackernews.com — 02.06.2026 21:21
- WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine — thehackernews.com — 09.06.2026 15:26
-
27.01.2026 21:38 2 articles · 5mo ago
GTIG reports ongoing WinRAR exploitation and actor set
Initial DisclosureGoogle Threat Intelligence Group (GTIG) reports ongoing exploitation of CVE-2025-8088 in WinRAR by state-sponsored and financially motivated actors, including UNC4895 (RomCom/CIGAR), APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN), Turla (SUMMIT), and China-linked actors, while also noting commodity activity such as XWorm, AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser; GTIG also cites ESET's early August 2025 discovery of RomCom zero-day activity and says working exploits were being sold by suppliers such as "zeroplayer".
Show sources
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38