Exploitation of WinRAR CVE-2025-8088 Threatens Ukrainian Organizations

Severity: High (Score: 78.0)

Sources: cloud.google.com, www.welivesecurity.com, Trendmicro

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: winrar, flaw, unmanaged, software, keeps, cve-2025-8088, sandworm

Severity indicators: flaw, sandworm, turla, worm, CVE:CVE-2025-8088

Summary

Two Russia-aligned cyber campaigns are exploiting the WinRAR vulnerability CVE-2025-8088 against Ukrainian targets nearly a year after it was patched. The flaw, a path traversal vulnerability, allows attackers to write files outside the extraction directory using NTFS Alternate Data Streams. Victims receive RAR archives containing decoy documents, which, when opened, execute malicious payloads without user interaction. The first campaign is attributed to SHADOW-EARTH-066, delivering the GIFTEDCROOK information stealer, while the second is linked to Earth Dahu (Gamaredon), deploying espionage tools. Both campaigns leverage the same entry point but utilize different tools and infrastructure. The ongoing exploitation highlights the risks of unmanaged software and the slow patching rates within organizations. Organizations are urged to update their WinRAR installations to mitigate this risk. Key Points: • CVE-2025-8088 is actively exploited by multiple Russia-aligned groups against Ukraine. • Attackers use decoy documents in RAR archives to deliver malicious payloads silently. • Organizations are advised to update WinRAR to the latest version to prevent exploitation.

Detailed Analysis

**Impact** Ukrainian organizations across military, government, law enforcement, and local self-government sectors are targeted by multiple Russia-aligned threat groups exploiting CVE-2025-8088. The campaigns have persisted since at least February 2025, affecting military innovation centers and administrative bodies near Ukraine's eastern border. The attacks risk credential theft, espionage, and persistent access, with targeted sectors including defense, manufacturing, finance, and logistics in Ukraine and parts of Europe and Canada. **Technical Details** The attack exploits a path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.4) via NTFS Alternate Data Streams (ADS), allowing silent file writes outside the extraction directory, commonly to the Windows Startup folder for persistence. Delivery is primarily through spearphishing emails containing malicious RAR archives with decoy PDFs and hidden payloads such as DLLs, LNKs, or HTA files. Notable threat actors include SHADOW-EARTH-066 (UAC-0226), Earth Dahu (Gamaredon), RomCom (Void Rabisu), Sandworm, and Turla. Payloads include the GIFTEDCROOK stealer and espionage tools, with execution triggered at user login. Exploitation began July 2025 and continues despite patch availability. **Recommended Response** Apply WinRAR version 7.13 or later immediately to mitigate CVE-2025-8088. Deploy detections for suspicious RAR archives containing ADS entries and monitor for files dropped into Windows Startup folders, especially LNK and HTA files. Harden email gateways to block spearphishing attempts and use tools like Google Safe Browsing and Gmail for additional filtering. Continuously monitor for indicators of compromise related to known threat actor infrastructure and payload hashes where available.

Source articles (4)

Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open — Trendmicro · 2026-06-08
Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exp…
Sandworm and Turla — cloud.google.com · 2026-06-08
The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish…
Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open — Trendmicro · 2026-06-08
Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exp…
Void Rabisu — www.welivesecurity.com · 2026-06-08
ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. This is at least the third time that RomCom has been caught e…

Timeline

2019-02-05 — CVE-2018-20250 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
2023-07-11 — CVE-2023-36884 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
2023-08-23 — CVE-2023-38831 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
2025-07-18 — Exploitation of CVE-2025-8088 observed: Malicious DLLs were found in RAR archives, indicating exploitation by RomCom and others.
2025-07-30 — WinRAR version 7.13 released: The vulnerability CVE-2025-8088 was patched in this version, addressing the path traversal flaw.
2025-08-08 — CVE-2025-8088 published: The vulnerability was officially disclosed and documented, marking its existence in security databases.
2025-12-09 — CISA adds CVE-2025-6218 to KEV: CISA recognized the active exploitation of CVE-2025-6218, related to earlier WinRAR vulnerabilities.
2026-06-08 — Ongoing exploitation reported: Two separate campaigns continue to exploit CVE-2025-8088 against Ukrainian organizations, nearly a year post-patch.

CVEs

Related entities

Apt28 (Apt Group)
Apt29 (Apt Group)
Apt44 (Apt Group)
Carpathian (Apt Group)
Frozenbarents (Apt Group)
Gamaredon (Apt Group)
RomCom (Apt Group)
Sandworm (Apt Group)
Storm-0978 (Apt Group)
Summit (Apt Group)
TEMP.Armageddon (Apt Group)
Tropical Scorpius (Apt Group)
Turla (Apt Group)
Unc2596 (Apt Group)
Data Breach (Attack Type)
Malware (Attack Type)
Phishing (Attack Type)
Zero-day Exploit (Attack Type)
Earth Dahu (Campaign)
Shadow-earth-066 (Campaign)
Unc4895 (Campaign)
Dnipropetrovsk Regional Administrative Court (Company)
Canada (Country)
China (Country)
France (Country)
Germany (Country)
Indonesia (Country)
Malaysia (Country)
Netherlands (Country)
Russia (Country)
Switzerland (Country)
Ukraine (Country)
CWE-22 - Path Traversal (Cwe)
CWE-798 - Use of Hard-coded Credentials (Cwe)
apbxhelper.exe.it (Domain)
astrocaf.com (Domain)
campanole.com (Domain)
dd.mm (Domain)
joymobile.com.ua (Domain)
mail.c1.com.ua (Domain)
melamorri.com (Domain)
npmproxy.dll.as (Domain)
reg.ru (Domain)
srlaptop.com (Domain)
ssu.gov.ua (Domain)
[email protected] (Email)
[email protected] (Email)
Defense (Industry)
Financial (Industry)
Government (Industry)
Hospitality (Industry)
Logistics (Industry)
Manufacturing (Industry)
Technology (Industry)
162.19.175.44 (Ipv4)
185.173.235.134 (Ipv4)
194.36.209.127 (Ipv4)
194.58.66.82 (Ipv4)
85.158.108.62 (Ipv4)
AsyncRAT (Malware)
Giftedcrook (Malware)
MeltingClaw (Malware)
Mythic (Malware)
Poisonivy (Malware)
RustyClaw (Malware)
SnipBot (Malware)
Stockstay (Malware)
XWorm (Malware)
T1055 - Process Injection (Mitre Attack)
T1059.001 - PowerShell (Mitre Attack)
T1059.003 - Windows Command Shell (Mitre Attack)
T1071 - Application Layer Protocol (Mitre Attack)
T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
T1555.003 - Credentials From Web Browsers (Mitre Attack)
T1566.001 - Spearphishing Attachment (Mitre Attack)
T1566 - Phishing (Mitre Attack)
T1574 - Hijack Execution Flow (Mitre Attack)
Chrome (Tool)
WinRar (Tool)
Libcurl (Tool)
PowerShell (Tool)
PuTTY CAC (Tool)
Edge (Platform)
Firefox (Platform)
Microsoft Edge (Platform)
Microsoft Office (Platform)
Opera (Platform)
Telegram (Platform)
Thunderbird (Platform)
Tor Browser (Platform)
Windows (Platform)
01D32FE88ECDEA2B934A00805E138034BF85BF83 (Sha1)
272c86c6db95f1ef8b83f672b65e64df16494cae261e1aba1aeb1e59dcb68524 (Sha256)
3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25 (Sha256)