
Exploitation of WinRAR Flaw CVE-2025-8088 Targets Ukraine Amid Ongoing Cyber Campaigns

Severity: High (Score: 75.0)

Sources: cloud.google.com, www.welivesecurity.com, Trendmicro

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: winrar, flaw, unmanaged, software, keeps, cve-2025-8088, sandworm

Severity indicators: flaw, sandworm, turla, worm, CVE:CVE-2025-8088

Summary

Two Russia-aligned cyber campaigns are actively exploiting the WinRAR vulnerability CVE-2025-8088 against Ukrainian organizations, nearly a year after its patch. The flaw, a path traversal vulnerability allowing silent file writes, was first reported in July 2025 and has been leveraged by groups including SHADOW-EARTH-066 and Earth Dahu. Victims receive malicious RAR archives via email which, when opened, display decoy documents while executing hidden payloads. The attacks primarily target military, government, and technology sectors in Ukraine. Despite the patch released in July 2025, the ongoing exploitation highlights a significant gap in software management and user awareness. Both campaigns use different tools but share the same entry point, emphasizing the need for organizations to keep software updated. The threat landscape continues to evolve as state-sponsored and financially motivated actors exploit this vulnerability.

Key Points:

  • CVE-2025-8088 is being exploited by multiple Russia-aligned threat groups against Ukraine.
  • The vulnerability allows attackers to execute payloads silently via malicious RAR archives.
  • Organizations are urged to keep software updated to mitigate risks from known vulnerabilities.

Detailed Analysis

**Impact**

Ukrainian military, government, law enforcement, and local self-government bodies near the eastern border are targeted by multiple Russia-aligned threat groups exploiting CVE-2025-8088. The campaigns have been active since at least February 2025, affecting military innovation centers and administrative sectors. The attacks risk credential theft, espionage, and operational disruption through persistent malware execution. No specific victim counts were provided.

**Technical Details**

Attackers deliver malicious RAR archives that exploit the WinRAR path traversal vulnerability CVE-2025-8088 (CVSS 8.4), patched in version 7.13 (July 2025). The exploit abuses NTFS Alternate Data Streams (ADS) to write payloads, such as the GIFTEDCROOK stealer and HTA-based espionage tools, into the Windows Startup folder for persistence. Notable actors include SHADOW-EARTH-066 (UAC-0226), Earth Dahu (Gamaredon), Sandworm, Turla, APT44 (FROZENBARENTS), and TEMP.Armageddon (CARPATHIAN). The attack chain starts with spear-phishing emails carrying RAR attachments that contain decoy PDFs alongside hidden malicious files. IOCs include malicious LNK and HTA files dropped in Startup directories.

**Recommended Response**

Apply WinRAR security update 7.13 or later immediately to remediate CVE-2025-8088. Deploy detections for suspicious RAR archives containing ADS entries and monitor for unexpected files in Windows Startup folders. Use email filtering solutions such as Google Safe Browsing and Gmail to block malicious attachments. Continuously monitor for indicators of compromise related to the known threat groups exploiting this vulnerability.
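One way to implement the archive-side detection recommended above, as an added example that is not part of this page or of any vendor's tooling: given entry names taken from a RAR listing (assumed to come from a separate parser or the archiver's own list command), it flags entries whose ADS stream name carries path separators (impossible for a genuine NTFS stream name), whose resolved write target escapes the extraction directory, or whose target lands in a Startup folder. The sample listing and the extraction path are constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Lower-cased substring shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"

@dataclass
class Finding:
    name: str
    has_ads: bool        # entry name carries a ':stream' suffix
    ads_has_path: bool   # stream name holds '\' or '/', which a real NTFS stream cannot
    escapes_root: bool   # resolved write target leaves the extraction directory
    hits_startup: bool   # resolved write target sits inside a Startup folder

    @property
    def suspicious(self) -> bool:
        return self.ads_has_path or self.escapes_root or self.hits_startup

def split_ads(name: str):
    """Split 'file.pdf:stream' into ('file.pdf', 'stream'); stream is None without ':'."""
    base, sep, stream = name.partition(":")
    return base, (stream if sep else None)

def resolve(extract_root: str, relative: str) -> str:
    """Join the way a naive extractor would, then collapse '..' segments."""
    return ntpath.normpath(ntpath.join(extract_root, relative.replace("/", "\\")))

def triage_entry(name: str, extract_root: str) -> Finding:
    base, stream = split_ads(name)
    # On a vulnerable extractor the stream portion ends up being treated as the
    # write path, so resolve it on its own; plain entries resolve by their name.
    target = resolve(extract_root, stream if stream is not None else base)
    root = ntpath.normpath(extract_root).lower().rstrip("\\") + "\\"
    return Finding(
        name=name,
        has_ads=stream is not None,
        ads_has_path=stream is not None and any(c in stream for c in "\\/"),
        escapes_root=not target.lower().startswith(root),
        hits_startup=STARTUP_MARKER in target.lower(),
    )

def triage_listing(names, extract_root: str):
    """Return only the findings worth an analyst's attention."""
    return [f for f in (triage_entry(n, extract_root) for n in names) if f.suspicious]

# Constructed sample listing (not a real-world sample): a decoy, its Zone.Identifier
# stream, and a traversal ADS of the shape described in the analysis above.
SAMPLE_LISTING = [
    "brief.pdf", "brief.pdf:Zone.Identifier",
    r"brief.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brief.lnk",
]
```

Run `triage_listing(SAMPLE_LISTING, r"C:\Users\analyst\Downloads\brief")` to see only the third entry reported; the ordinary `Zone.Identifier` stream is not flagged, so the check does not fire on every downloaded file.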

Source articles (3)

  • Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open — Trendmicro · 2026-06-08
    Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exp…
  • Void Rabisu — www.welivesecurity.com · 2026-06-08
    ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. This is at least the third time that RomCom has been caught e…
  • Sandworm and Turla — cloud.google.com · 2026-06-08
    The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish…

Timeline

  • 2019-02-05 — CVE-2018-20250 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2023-08-23 — CVE-2023-38831 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-06-21 — CVE-2025-6218 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-07-18 — Exploitation of CVE-2025-8088 begins: Active exploitation of the WinRAR flaw CVE-2025-8088 was reported, targeting various organizations.
  • 2025-07-30 — WinRAR patch released: RARLAB released WinRAR version 7.13 to address CVE-2025-8088, the path traversal vulnerability.
  • 2025-12-09 — CISA adds CVE-2025-8088 to KEV: CISA included CVE-2025-8088 in its Known Exploited Vulnerabilities catalog due to active exploitation.
  • 2026-06-08 — Ongoing attacks reported: Trend Micro reports continued exploitation of CVE-2025-8088 by Russian-aligned groups against Ukraine.

CVEs

  • CVE-2018-20250
  • CVE-2023-36884
  • CVE-2023-38831
  • CVE-2025-6218
  • CVE-2025-8088

Related entities

  • Apt28 (Apt Group)
  • Apt29 (Apt Group)
  • Apt44 (Apt Group)
  • Carpathian (Apt Group)
  • Frozenbarents (Apt Group)
  • Gamaredon (Apt Group)
  • RomCom (Apt Group)
  • Sandworm (Apt Group)
  • Storm-0978 (Apt Group)
  • Summit (Apt Group)
  • TEMP.Armageddon (Apt Group)
  • Tropical Scorpius (Apt Group)
  • Turla (Apt Group)
  • Unc2596 (Apt Group)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Earth Dahu (Campaign)
  • Shadow-earth-066 (Campaign)
  • Unc4895 (Campaign)
  • Dnipropetrovsk Regional Administrative Court (Company)
  • Canada (Country)
  • China (Country)
  • Germany (Country)
  • Indonesia (Country)
  • Russia (Country)
  • Ukraine (Country)
  • CWE-22 - Path Traversal (Cwe)
  • Defense (Industry)
  • Financial (Industry)
  • Government (Industry)
  • Hospitality (Industry)
  • Logistics (Industry)
  • Manufacturing (Industry)
  • Technology (Industry)
  • AsyncRAT (Malware)
  • Giftedcrook (Malware)
  • MeltingClaw (Malware)
  • Mythic (Malware)
  • Poisonivy (Malware)
  • RustyClaw (Malware)
  • SnipBot (Malware)
  • Stockstay (Malware)
  • XWorm (Malware)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Chrome (Tool)
  • WinRar (Tool)
  • PowerShell (Tool)
  • PuTTY CAC (Tool)
  • Edge (Platform)
  • Firefox (Platform)
  • Microsoft Edge (Platform)
  • Microsoft Office (Platform)
  • Opera (Platform)
  • Telegram (Platform)
  • Thunderbird (Platform)
  • Tor Browser (Platform)
  • Windows (Platform)
  • 01D32FE88ECDEA2B934A00805E138034BF85BF83 (Sha1)
  • 272c86c6db95f1ef8b83f672b65e64df16494cae261e1aba1aeb1e59dcb68524 (Sha256)
  • 3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25 (Sha256)