Russia-aligned threat actors Earth Dahu and SHADOW-EARTH-066 continue exploiting a WinRAR vulnerability to target Ukrainian organisations nearly one year after patches became available. The groups leverage CVE-2025-8088, a path traversal flaw in WinRAR that permits attackers to extract files outside intended directories during archive decompression.

Trend Micro identified the ongoing exploitation campaigns, which deliver information-stealing malware to victims in Ukraine. The vulnerability enables attackers to bypass security controls by manipulating file paths within compressed archives, allowing malicious payloads to execute in unintended system locations. This technique proves particularly effective against organisations that delay patching cycles or rely on outdated software versions.
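The class of flaw described above, an archive entry whose stored name climbs out of the extraction folder, can be screened for before anything is unpacked. The following is an added example written for this article, not code from Trend Micro or from the WinRAR project, and it does not model the specifics of CVE-2025-8088; it demonstrates the generic defender-side check that a mail gateway or triage script would apply to every entry name (absolute paths, drive or UNC prefixes, and `..` components in either separator style). Because Python's standard library has no RAR reader, the demonstration archive is a constructed ZIP built in memory; the `entry_escapes` check itself is format-agnostic and the names `suspicious_entries` and `build_sample_archive` are this example's own.

```python
import io
import posixpath
import zipfile
from pathlib import PureWindowsPath


def entry_escapes(root: str, name: str) -> bool:
    """Return True if extracting `name` under `root` would write outside `root`.

    Both separator styles are normalised because Windows extractors treat a
    backslash as a separator; absolute paths, drive letters and UNC prefixes
    are rejected outright; `.` and `..` are resolved lexically and the result
    must still sit at or below the extraction root.
    """
    normalised = name.replace("\\", "/")
    win = PureWindowsPath(name)
    if normalised.startswith("/") or win.drive or win.root:
        return True
    root_norm = posixpath.normpath(root.replace("\\", "/"))
    target = posixpath.normpath(posixpath.join(root_norm, normalised))
    return not (target == root_norm or target.startswith(root_norm + "/"))


def suspicious_entries(archive_bytes: bytes, root: str = "extracted") -> list:
    """Return the names of every ZIP entry that would escape `root`.

    Only the central directory is read; no entry is extracted, so a flagged
    archive can be quarantined without ever writing its contents to disk.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_escapes(root, info.filename)]


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry plus two traversal-style
    entry names (one with forward slashes, one with backslashes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign content")
        zf.writestr("../../outside/escaped.txt", "marker")
        zf.writestr("..\\..\\outside\\escaped.txt", "marker")
    return buf.getvalue()


if __name__ == "__main__":
    flagged = suspicious_entries(build_sample_archive())
    for entry in flagged:
        print("would escape extraction root:", entry)
    print("archive verdict:", "quarantine" if flagged else "clean")
```

A script like this belongs in front of the extractor, not behind it: the check reads only entry metadata, so an archive is rejected before a vulnerable unpacker ever resolves its paths. It is deliberately lexical (no filesystem access), which keeps it safe to run on untrusted input but also means symlink-based escapes, which need a filesystem to matter, are out of its scope.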

Earth Dahu, also tracked as Gamaredon, focuses on espionage operations targeting Ukrainian government and military entities. SHADOW-EARTH-066 pursues similar objectives with slightly different operational tradecraft. Both groups demonstrate persistent interest in Ukrainian infrastructure, consistent with broader Russian cyber operations against the country.

The extended exploitation window reflects a critical patching gap. WinRAR users who have not applied available security updates face elevated risk of compromise. Attackers deliver stealer malware through weaponised archives that exploit the path traversal flaw during extraction. Once executed, these stealers harvest credentials, browser data, and sensitive files from infected systems.

Ukrainian organisations remain priority targets for Russia-aligned groups seeking intelligence on military capabilities, government operations, and critical infrastructure. The reuse of known vulnerabilities by determined adversaries underscores how patch management failures create persistent attack surfaces.

Organisations should prioritise WinRAR updates immediately. Administrators managing Ukrainian networks face heightened risk and should audit systems for successful CVE-2025-8088 exploitation. Network defenders should monitor for suspicious WinRAR decompression activities and unusual file execution patterns following archive