Weaponization of WinRAR Vulnerability Empowers Cybercriminals
Attackers have weaponized a path-traversal flaw in WinRAR, tracked as CVE-2025-8088, to plant a shortcut in the Windows Startup folder that launches a multi-stage PowerShell loader. The loader maps a headerless, reflectively loaded Portable Executable (PE) directly in memory, a notable step up from the group's earlier tradecraft.
The campaign reuses the Ukrainian reconnaissance-themed lure seen in earlier UAC-0226/GIFTEDCROOK activity, but its execution has changed substantially. Where earlier efforts relied on the victim launching a visible shortcut, this iteration abuses NTFS Alternate Data Streams (ADS) so that the shortcut is planted silently and conventional controls that key on visible files are sidestepped.
The RAR archive is crafted so that extraction drops a .lnk file into the current user's Startup folder and two encoded stages into the C:\ProgramData directory. At the next logon the shortcut runs, opening a minimized Command Prompt (cmd.exe) window that in turn spawns hidden PowerShell processes to execute a staged script at C:\ProgramData\WC3; because every stage is already on disk, no remote download is needed at this point.
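As an added example (not from the original report or the analysts it cites), a small Python heuristic that flags the logon-time process chain described above in Sysmon-style process-creation records: cmd.exe spawning PowerShell with a hidden window and a script path under C:\ProgramData, with explorer.exe ancestry as a supporting indicator. The event records, the exact command-line switches and the explorer.exe parentage are constructed assumptions, since the report does not quote the actual command lines.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# "-WindowStyle Hidden", "-w hidden", "-win h": PowerShell accepts abbreviated switches.
HIDDEN_WINDOW = re.compile(r"-w\w*\s+h\w*", re.IGNORECASE)
# Stage path named in the report is C:\ProgramData\WC3; any script under ProgramData is flagged.
PROGRAMDATA_PATH = re.compile(r"c:\\programdata\\", re.IGNORECASE)


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def startup_loader_chains(events):
    """Return (pid, indicators) for PowerShell children of cmd.exe whose command line
    has BOTH a hidden window and a ProgramData script. explorer.exe as grandparent is
    reported as an extra indicator: Startup-folder shortcuts are launched by the shell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _base(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) != "cmd.exe":
            continue
        indicators = []
        if HIDDEN_WINDOW.search(e.cmdline):
            indicators.append("hidden_window")
        if PROGRAMDATA_PATH.search(e.cmdline):
            indicators.append("programdata_script")
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and _base(grandparent.image) == "explorer.exe":
            indicators.append("explorer_launched_cmd")
        if {"hidden_window", "programdata_script"} <= set(indicators):
            hits.append((e.pid, tuple(indicators)))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed records; switches are illustrative, not from the report
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, CMD, "cmd.exe"),  # minimized window state comes from the .lnk
    ProcEvent(2001, 2000, PS, r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\WC3"),
    ProcEvent(3000, 1000, CMD, "cmd.exe"),  # a user's interactive shell
    ProcEvent(3001, 3000, PS, r"powershell.exe -File C:\Users\dev\build.ps1"),  # benign
    ProcEvent(4001, 3000, PS, r"powershell.exe -File C:\ProgramData\Vendor\setup.ps1"),  # visible
]

if __name__ == "__main__":
    for pid, why in startup_loader_chains(SAMPLE_EVENTS):
        print(f"suspicious powershell pid={pid}: {', '.join(why)}")
```

Only the chain that combines a hidden window with a ProgramData script is reported; a visible installer script under ProgramData or a hidden script elsewhere is left alone, which keeps the rule usable as a hunting filter rather than a blocking one.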
The PowerShell stage, labeled WC3, is deliberately noisy: thousands of meaningless functions, random identifiers and strings wrapped in Write-Host calls. Buried in that noise is a compact execution core. After a 60-second delay it decodes a 1,131,008-byte blob (wt1) by subtracting 0x48 from each byte, allocates executable memory through the native NtAllocateVirtualMemory and NtProtectVirtualMemory APIs, copies the decoded bytes in, and creates a thread at offset 0x173B0 to run the main payload.
According to cybersecurity experts at Synaptics, while the PowerShell loader hides behind generated noise, the payload itself is the more interesting part: an additively encoded, headerless PE image that carries its own reflective mapper. Compared with conventional malware deployment, this packaging gives the operators a materially better chance of evading detection.
The decoded blob does not conform to a standard PE format on disk. Instead, it exists as a headerless image that contains a simplified custom header with metadata including the original ImageBase, size of the image, and entry relative virtual addresses (RVAs). This technique differs from earlier UAC-0226 variants and demonstrates advancements in both packaging and operational resilience. The silent planting of payloads into the Startup folder via ADS, alongside the use of a headerless PE with a custom reflective mapper, represents a notable evolution in the malware’s architecture, as it also incorporates telemetry and broader data collection capabilities.
The reflective mapper runs entirely in memory: it walks the Process Environment Block (PEB) to resolve APIs, copies sections, resolves imports, applies relocations, sets section permissions, and finally calls the entry point with DLL_PROCESS_ATTACH. This design keeps static indicators to a minimum, since the payload carries no conventional MZ/PE headers and no DLL is ever written to disk.
Further complicating detection efforts, the loader communicates operational telemetry by writing four 32-bit status values related to thread exit codes and mapper status fields. This telemetry is subsequently transmitted to a command-and-control server, providing the attackers with granular feedback on various operational markers, including initiation of the mapping process, relocation failures, and the eventual exit of the payload.
Inside the reflectively mapped module, strings are protected with an RC4-like cipher that operates on UTF-16 code units. Most of them can be recovered statically and reveal targeted collection modules. The functionality centers on stealing credentials and cookies from Chromium-based browsers (Chrome, Edge, Opera), decrypting them with CryptUnprotectData, and on gathering Firefox profiles.
More broadly, the malware collects a wide range of documents and archives, including VPN-related files and keystores. Harvested data is staged locally under user-profile paths in randomly named ZIP containers, most likely to bundle it before exfiltration.
The malware includes routines for delayed self-deletion and references both ProgramData and Startup for persistence, but its initial foothold rests on the shortcut planted stealthily through the ADS mechanism. The operators' infrastructure keeps changing as well: they have switched hosting providers, rotated TLS certificates and moved callback ports, all of which undercuts detection that relies on static signatures.
The emergence of such sophisticated cyberattack methodologies underscores the pressing need for heightened vigilance among users and institutions alike, as adversaries continue to refine their techniques and exploit vulnerabilities within widely used software.
