Persistent Exposure: Exploitation of Outdated WinRAR Installations Continues Across Corporate Networks

Although WinRAR shipped the fix for a critical vulnerability in its archiver in July 2025, outdated copies of the utility continue to give attackers an easy initial foothold in corporate networks. The problem is worst in decentralized environments, where WinRAR sits on many endpoints but is never brought under enterprise patch management (Group Policy, WSUS, SCCM, or Microsoft Intune), so it is updated only if a user happens to do so by hand.
Dual Offensive Campaigns Exploiting CVE-2025-8088
Security researchers at Trend Micro recently documented two distinct cyber espionage campaigns targeting Ukrainian government and defense organizations. Both weaponize the same flaw, cataloged as CVE-2025-8088.
This is a path traversal vulnerability in WinRAR with a CVSS score of 8.4. A specially crafted archive can make the extractor write files outside the directory the user chose, including into locations from which Windows will later execute them.
The Illusion of Innocuity
In practice, the victim opens a RAR archive and sees an apparently harmless PDF, such as a military order, a court summons, or an administrative notice. Extracting it silently writes the attacker's payload into a sensitive location on the system, without any prompt or warning.
WinRAR fixed the bug in version 7.13, but unpatched copies remain on many corporate workstations, which makes them a soft target: the attacker only needs the recipient to extract the archive. Because the payload is written to a location that Windows processes at logon, the second stage runs automatically the next time the user signs in.
The Evolution of SHADOW-EARTH-066 (UAC-0226)
Trend Micro attributes the first intrusion cluster to the advanced persistent threat group SHADOW-EARTH-066, which CERT-UA tracks as UAC-0226. The group consistently targets Ukrainian military innovation centers, field units, law enforcement agencies, and regional administrations near the eastern border.
From Basic Macros to In-Memory Execution
SHADOW-EARTH-066 previously relied on phishing emails carrying macro-enabled Excel spreadsheets, with lures built on themes of national concern: humanitarian demining, administrative fines, drone production logistics, and property compensation. The documents dropped remote access trojans and credential stealers, including a custom module tracked as GIFTEDCROOK.
By early 2026 the group had overhauled its execution chain. It replaced the Excel macros with archives exploiting CVE-2025-8088 and swapped its simple Telegram-based exfiltration for in-memory DLL injection and dedicated command-and-control (C2) servers.
- Broad Exfiltration Mandate
The updated GIFTEDCROOK variant steals stored passwords, active session cookies, and documents. The binary directly targets the credential stores of Chrome, Edge, Opera, and Firefox.
- Target File Arrays
The malware sweeps the user's document folders, downloads directory, and temporary folders for 35 file extensions, including Microsoft Office formats, PDFs, archives, EML email messages, KeePass databases, OpenVPN configurations, and plain text files.
- Forensic Anti-Analysis
After exfiltration the malware deletes its intermediate files and the shortcut used to launch it. That complicates incident response: the on-disk footprint is gone as soon as the data reaches the C2 server, so analysts must instead rely on network telemetry, PowerShell execution logs, and volatile Windows artifacts such as memory and event logs.
The Script-Driven Strategy of Earth Dahu (Gamaredon)
The second campaign is run by the prolific group Earth Dahu, better known as Gamaredon, which has a long history of aggressive campaigns against Ukrainian state bodies and typically relies on heavily customized script-based chains. Here Earth Dahu also exploits CVE-2025-8088, but instead of a compiled C++ credential stealer it drops an HTA, VBS, or VBE script directly into the Windows Startup folder.
At the user's next logon, Windows runs the HTA through the legitimate mshta.exe utility. The script then fetches further components, routing the traffic through Dynamic DNS hostnames and Cloudflare Workers acting as reverse proxies to hide the real C2 servers.
Earth Dahu's lures often imitate official legal correspondence: subpoenas, court orders, and asset seizure decrees. Several messages came from compromised government email infrastructure and from free public mail services.
In one cluster, investigators found four accounts on a compromised regional Exchange server sending from the same internal IP address, which points to a single compromised workstation being used to send phishing from several mailboxes.
Divergent Methodologies and Systemic Remediation
| Characteristic | SHADOW-EARTH-066 (UAC-0226) | Earth Dahu (Gamaredon) |
|---|---|---|
| Core delivery vector | Compiled C++ modules | Script-based chains |
| Execution mechanics | In-memory DLL injection | HTA / VBS / VBE scripts |
| Obfuscation tactics | String encryption | Cloudflare Workers proxying |
| Infrastructure | Dedicated independent servers | Dynamic DNS hostnames |
Both clusters exploit the same vulnerability, but their post-exploitation toolsets have nothing in common and they share no infrastructure. That points to two groups independently converging on a soft target rather than a coordinated joint operation.
The problem reaches well beyond Ukraine and beyond WinRAR itself. Utilities, archivers, and document viewers are installed across enterprises worldwide and routinely fall outside the corporate patch cycle, remaining vulnerable for months or years.
Administrators should audit the WinRAR version on every active endpoint now and update to the current release, and should bring third-party utilities into the central patch cycle rather than leaving them to individual users.
In compromise assessments, defenders should look for unexpected files in Startup folders, unusual mshta.exe executions, and PowerShell launched with a hidden window. If an endpoint shows indicators of compromise, every browser-stored credential and web session token on it must be treated as exposed and be revoked or rotated.
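The version audit described above, written out as an added PowerShell example (this is not the article's or Trend Micro's tooling). It compares what the installer registered in the Uninstall registry keys, and the WinRAR.exe actually on disk in the default folders, against the 7.13 release the article names as the fix for CVE-2025-8088. Portable copies installed elsewhere are outside what it checks; that limitation and the default paths are this example's assumptions.

```powershell
# Added example, not the article's or Trend Micro's code: audit the local WinRAR install
# against the 7.13 fix for CVE-2025-8088. Checks the Uninstall registry keys and the default
# install folders only; a portable WinRAR.exe elsewhere on disk is not covered (assumption).
$MinimumSafeVersion = [version]'7.13'

function ConvertTo-WinRarVersion {
    param([string]$Text)
    # Registry and file metadata present versions as '7.13', '7.13.0' or 'WinRAR 7.13 (64-bit)';
    # pull the first dotted number so [version] can compare it.
    if ($Text -match '(\d+)\.(\d+)') { return [version]"$($Matches[1]).$($Matches[2])" }
    return $null
}

function Get-WinRarInstall {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = @()

    # 1. What the installer registered (64-bit and 32-bit registry views)
    $registered = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' }
    foreach ($r in $registered) {
        $found += [pscustomobject]@{
            Source  = 'Uninstall registry'
            Path    = $r.InstallLocation
            Version = ConvertTo-WinRarVersion ($r.DisplayVersion, $r.DisplayName -join ' ')
        }
    }

    # 2. What is actually on disk (catches a stale binary left behind by a failed upgrade)
    foreach ($exe in @("$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")) {
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            $found += [pscustomobject]@{
                Source  = 'File on disk'
                Path    = $exe
                Version = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart)"
            }
        }
    }
    $found
}

function Test-WinRarPatched {
    param([version]$Installed)
    # $true only when the build is at or above the fixed release; an unparseable version is treated as unpatched.
    return ($null -ne $Installed) -and ($Installed -ge $MinimumSafeVersion)
}

$installs = Get-WinRarInstall
if (-not $installs) {
    "$env:COMPUTERNAME : WinRAR not found in registry or default folders"
} else {
    foreach ($i in $installs) {
        $status = if (Test-WinRarPatched $i.Version) { 'OK' } else { 'VULNERABLE (CVE-2025-8088)' }
        '{0} : {1} {2} via {3} -> {4}' -f $env:COMPUTERNAME, $i.Path, $i.Version, $i.Source, $status
    }
}
```

Saved as a script (the file name is up to you; `Audit-WinRar.ps1` is only a placeholder here), it runs fleet-wide over WinRM with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Audit-WinRar.ps1`, and the computer name in each output line lets the results be collected into one report. Treat "not found" as a prompt for a wider file-system search for WinRAR.exe rather than as a clean bill of health, since users can unpack the portable build anywhere.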
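The compromise assessment checks in the paragraph above, as an added PowerShell example that is not the article's or Trend Micro's code. It is read-only: it lists script and shortcut files in every Startup folder and resolves what each .lnk would launch, finds running mshta.exe and PowerShell started hidden or with an encoded command, and pulls recent PowerShell script block events, which survive the on-disk cleanup the article attributes to GIFTEDCROOK. The extension list, the keyword patterns and the 24-hour window are this example's assumptions, not indicators from the campaigns. Run it from an elevated session so every profile and process command line is readable.

```powershell
# Added example, not the article's or Trend Micro's tooling: read-only hunt for the persistence
# and execution pattern described above (script in a Startup folder, mshta.exe, hidden PowerShell).
# Extension list, regexes and the time window are this example's assumptions.
$ScriptExtensions = @('.hta', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.lnk', '.bat', '.cmd', '.ps1')

function Get-StartupFolders {
    # Per-user Startup folder for every profile under C:\Users, plus the all-users folder.
    $perUser = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    $allUsers = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
    @($perUser) + @($allUsers) | Where-Object { Test-Path -LiteralPath $_ }
}

function Find-StartupScripts {
    # Lists script and shortcut files in Startup folders and resolves .lnk targets,
    # so the analyst sees what will actually run at the next logon.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in Get-StartupFolders) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $target = if ($_.Extension -ieq '.lnk') {
                    $lnk = $shell.CreateShortcut($_.FullName)
                    "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
                } else { $_.FullName }
                [pscustomobject]@{
                    File    = $_.FullName
                    Written = $_.LastWriteTime
                    Target  = $target
                    Suspect = $target -imatch 'mshta|wscript|cscript|powershell|\.hta|\.vb[se]'
                }
            }
    }
}

function Find-SuspiciousProcesses {
    # Any running mshta.exe is worth a look; PowerShell launched with a hidden window
    # or an encoded command is the other pattern the article calls out.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $_.Name -ieq 'mshta.exe' -or
            ($_.Name -imatch '^(powershell|pwsh)\.exe$' -and
             $_.CommandLine -imatch '-(w|win|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s')
        } |
        ForEach-Object {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Name        = $_.Name
                Parent      = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $_.CommandLine
            }
        }
}

function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    # Script block logging (event 4104) outlives the malware deleting its files from disk.
    # Only populated when the Script Block Logging policy is enabled on the host.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -imatch 'mshta|DownloadString|FromBase64String|Invoke-Expression|\bIEX\b' } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0..2] -join ' ' } }
}

'== Startup folder scripts and shortcuts =='
Find-StartupScripts | Format-Table -AutoSize
'== mshta.exe and hidden/encoded PowerShell =='
Find-SuspiciousProcesses | Format-Table -AutoSize
'== Recent suspicious PowerShell script blocks (last 24h) =='
Get-RecentScriptBlocks | Format-Table -AutoSize
```

A shortcut in a Startup folder is not suspicious on its own, which is why the script shows the resolved target rather than flagging every .lnk; what the article describes is a target that turns out to be mshta.exe, a script host, or a .hta/.vbs file. An empty process list proves little, since the stage runs briefly at logon and the dropper cleans up after itself, so the script block events and network telemetry carry more weight than the live process view.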