Russian threat actor Gamaredon exploits WinRAR vulnerability CVE-2025-8088 to distribute GammaWorm and GammaSteel malware against Ukrainian targets. The path traversal flaw in WinRAR enables attackers to deliver an HTML Application payload called GammaPhish, which retrieves additional malicious payloads for data exfiltration and lateral movement.
Gamaredon, a Russia-linked cyber espionage group, has maintained persistent targeting of Ukraine since 2015. The group combines this WinRAR exploitation with spear-phishing campaigns to establish initial access. Once victims extract malicious RAR archives, the vulnerability allows code execution outside intended directories, bypassing standard security controls.
GammaWorm serves as an information stealer, collecting sensitive data from compromised systems. GammaSteel performs propagation and persistence functions, allowing the adversary to move laterally through networks and maintain long-term access. Sekoia's analysis shows Gamaredon customizes these malware families for specific Ukrainian organizations, targeting both government and private sector entities.
WinRAR versions prior to 7.10.1 remain vulnerable to CVE-2025-8088. The only user interaction the vulnerability requires is extracting a specially crafted archive, which makes it effective in low-friction attack chains. Gamaredon typically embeds malicious payloads in legitimate-looking documents or compressed files distributed through email.
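The mechanism behind an archive path traversal is that member names inside the archive are allowed to steer the extractor outside the chosen destination folder. The following Python is an added illustration, not code from the article or from Sekoia's analysis: it takes a list of archive member names (the constructed samples are hypothetical, not names from any real archive) and applies two checks an extractor or a mail gateway scanner can run before writing anything to disk. The strict check rejects any absolute path or any `..` component; the lenient check resolves the name under the destination and tests whether the result still lies inside it. Reading RAR headers is out of scope here; the names are assumed to come from whichever archive library the caller uses.

```python
import ntpath
import posixpath

# Constructed sample member names (hypothetical; not taken from any real
# archive). They cover the shapes a safe extractor has to refuse.
SAMPLE_ENTRIES = [
    "report.docx",
    "images/chart.png",
    "docs/../readme.txt",
    "../../../Users/Public/Desktop/update.hta",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\brief.hta",
    "C:\\Windows\\Temp\\loader.exe",
    "/etc/cron.d/job",
    "docs/./notes/../../../../escape.txt",
]


def components(entry_name: str) -> list[str]:
    """Split on either separator: Windows extractors treat '\\' and '/' alike."""
    return [c for c in entry_name.replace("\\", "/").split("/") if c not in ("", ".")]


def classify_entry(entry_name: str) -> str:
    """Strict policy: reject any absolute path and any '..' component outright."""
    # ntpath.splitdrive catches 'C:\...' as well as UNC names like '\\server\share'.
    if ntpath.splitdrive(entry_name)[0]:
        return "absolute: drive letter"
    if entry_name.replace("\\", "/").startswith("/"):
        return "absolute: rooted path"
    if ".." in components(entry_name):
        return "traversal: parent-directory component"
    return "ok"


def resolved_target(entry_name: str, dest_dir: str = "/extract") -> str:
    """Where a naive extractor would write this member once '.' and '..' collapse."""
    return posixpath.normpath(posixpath.join(dest_dir, entry_name.replace("\\", "/")))


def escapes_destination(entry_name: str, dest_dir: str = "/extract") -> bool:
    """Lenient policy: allow '..' as long as the resolved path stays in dest_dir.

    A drive-letter name such as 'C:\\Windows\\...' is not rooted under POSIX
    join rules, so this check alone would not catch it; combine it with
    classify_entry rather than relying on it by itself.
    """
    dest = posixpath.normpath(dest_dir)
    target = resolved_target(entry_name, dest)
    return not (target == dest or target.startswith(dest + "/"))


def audit(entries: list[str]) -> dict[str, str]:
    """Map each member name to its strict-policy verdict."""
    return {name: classify_entry(name) for name in entries}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ENTRIES).items():
        print(f"{verdict:40} escapes={escapes_destination(name)!s:5} {name}")
```

Run it and the `docs/../readme.txt` entry shows the difference between the two policies: the strict check refuses it, the resolution check accepts it because it lands on `/extract/readme.txt`. The drive-letter entry shows the opposite gap, which is why a scanner should apply both.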
Ukrainian organizations should immediately update WinRAR to version 7.10.1 or later. Network defenders should monitor for suspicious WinRAR process execution, particularly instances launching HTML Application files or executable payloads. Email filtering should scrutinize archives from untrusted sources, and segmentation limits lateral movement if initial compromise occurs.
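The monitoring advice above can be expressed as a small detection rule over process-creation telemetry. The Python below is an added example, not code from the article or from Sekoia: it parses a constructed key=value process log (hypothetical sample lines, not telemetry from any real incident) and flags three patterns that match the recommendation, WinRAR spawning a script host, an HTML Application file being launched during extraction, and an executable running from a temporary extraction directory. The log format, the `Rar$...` temp-folder names and the host names are assumptions for the sample; in a real deployment the fields would come from Sysmon event 1 or the EDR's equivalent. Note that the rule covers the direct-launch case only: a payload written outside the extraction folder by the traversal may execute later under a different parent process, so it complements rather than replaces file-write monitoring on startup locations.

```python
import re
from dataclasses import dataclass

# Constructed process-creation log (hypothetical lines in an assumed key=value
# layout). Nothing here is real telemetry or an indicator from the report.
SAMPLE_LOG = r"""
2025-08-12T09:58:41Z host=WS01 parent=explorer.exe image=WinRAR.exe cmdline="C:\Program Files\WinRAR\WinRAR.exe C:\Users\olena\Downloads\zvit.rar"
2025-08-12T09:58:55Z host=WS01 parent=WinRAR.exe image=WINWORD.EXE cmdline="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\olena\AppData\Local\Temp\Rar$DIa0.112\zvit.docx"
2025-08-12T09:59:03Z host=WS01 parent=WinRAR.exe image=mshta.exe cmdline="C:\Windows\System32\mshta.exe C:\Users\olena\AppData\Local\Temp\Rar$DIa0.112\zvit.hta"
2025-08-12T10:02:17Z host=WS02 parent=WinRAR.exe image=setup.exe cmdline="C:\Users\ivan\AppData\Local\Temp\Rar$DIa0.113\setup.exe /quiet"
2025-08-12T10:05:40Z host=WS02 parent=explorer.exe image=mshta.exe cmdline="C:\Windows\System32\mshta.exe C:\Users\ivan\Documents\intranet.hta"
""".strip()

# key=value pairs; quoted values may contain spaces but not embedded quotes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Script and proxy-execution hosts that an archiver has no ordinary reason to spawn.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Lower-cased path fragments that identify temporary extraction locations.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class ProcEvent:
    timestamp: str
    fields: dict


def parse_line(line: str) -> ProcEvent:
    """Split 'TIMESTAMP key=value key="quoted value"' into a ProcEvent."""
    timestamp, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(rest)}
    return ProcEvent(timestamp, fields)


def image_path(event: ProcEvent) -> str:
    """Locate the child image name inside its own command line and return the
    full path up to it, so paths containing spaces are handled without quoting."""
    cmdline = event.fields.get("cmdline", "")
    image = event.fields.get("image", "")
    idx = cmdline.lower().find(image.lower())
    return cmdline[: idx + len(image)] if idx >= 0 and image else ""


def evaluate(event: ProcEvent) -> list[str]:
    """Return the reasons this event is suspicious (empty list if it is not)."""
    reasons: list[str] = []
    if event.fields.get("parent", "").lower() != "winrar.exe":
        return reasons
    image = event.fields.get("image", "").lower()
    cmdline = event.fields.get("cmdline", "")
    if image in SCRIPT_HOSTS:
        reasons.append(f"WinRAR spawned script host {image}")
    if re.search(r"\.hta(\s|$)", cmdline, re.IGNORECASE):
        reasons.append("HTML Application file launched during extraction")
    if any(marker in image_path(event).lower() for marker in TEMP_MARKERS):
        reasons.append("executable run from a temporary extraction directory")
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Run the rule over every non-empty line; return (timestamp, host, reasons)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = evaluate(event)
        if reasons:
            findings.append((event.timestamp, event.fields.get("host", ""), reasons))
    return findings


if __name__ == "__main__":
    for timestamp, host, reasons in scan(SAMPLE_LOG):
        print(timestamp, host, "; ".join(reasons))
```

On the sample log the rule stays quiet for the benign cases (WinRAR itself starting, Word opening a document from the extraction folder, `mshta.exe` started from Explorer rather than WinRAR) and fires twice: once for the HTA launch and once for the executable run out of the temp folder. Tune `SCRIPT_HOSTS` and `TEMP_MARKERS` to the environment before enabling the rule in production.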
Gamaredon's continued exploitation of this vulnerability demonstrates how
