

A vulnerability in WinRAR that was patched in July 2025 is still being actively exploited — and if your organisation has endpoints running an older version of the software, you are exposed right now. Trend Micro has confirmed that at least two Russia-aligned intrusion sets were producing fresh exploit samples as recently as April 2026, targeting Ukrainian military, law enforcement, and local government bodies with a capable information stealer called GiftedCrook. The mechanism is straightforward, the damage is severe, and the root cause is one that security teams across EMEA keep running into: unmanaged third-party software sitting on endpoints, unpatched, invisible to the tools that should be protecting it.
CVE-2025-8088 is a path traversal vulnerability in WinRAR. The mechanics of a path traversal flaw are well understood: an attacker crafts a malicious archive so that, when a victim extracts it, files land outside the intended directory, potentially dropping executables into locations where they will run automatically or be launched by an unsuspecting user. In this case, the vulnerability was addressed by the WinRAR development team in July 2025, meaning a patched version has been available for the better part of a year. That has not stopped the exploitation. According to Trend Micro, new exploit samples tied to this specific CVE were still being produced in April 2026, nearly nine months after the patch dropped.
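As an added example (not code from the article and not WinRAR's own extraction logic), the check below models what an extraction wrapper or mail-gateway scanner can do with an archive's entry names before writing anything to disk: a name is rejected if it is absolute, carries a drive letter, or climbs out of the extraction directory with `..`, and a second normalisation check confirms the resolved target stays under the chosen root. The entry names and the `/tmp/extract` destination are constructed samples, and the code does not parse the RAR format itself.

```python
"""Reject archive entries that would extract outside the destination (added example)."""
import posixpath
import re
from typing import Optional

# Windows drive-letter prefix such as "C:"; entry names written by Windows tools
# may carry these as well as backslash separators.
_DRIVE = re.compile(r"^[A-Za-z]:")


def classify_entry(name: str) -> str:
    """Return "ok" or a short reason why this entry name must not be extracted."""
    if not name or name != name.strip():
        return "empty-or-padded-name"
    if "\x00" in name:
        return "nul-byte"
    norm = name.replace("\\", "/")      # treat either separator style the same way
    if norm.startswith("/") or _DRIVE.match(norm):
        return "absolute-path"
    if any(part == ".." for part in norm.split("/")):
        return "parent-traversal"
    return "ok"


def target_path(dest: str, name: str) -> Optional[str]:
    """Resolve name under dest; return None unless the result stays inside dest."""
    root = posixpath.normpath(dest.replace("\\", "/"))
    if not root.startswith("/"):
        raise ValueError("dest must be an absolute path")
    if classify_entry(name) != "ok":
        return None
    full = posixpath.normpath(posixpath.join(root, name.replace("\\", "/")))
    # Independent second check: even a name that passed the lexical test must
    # normalise to something strictly below the extraction root.
    if not full.startswith(root + "/"):
        return None
    return full


def triage(entries: list, dest: str = "/tmp/extract") -> dict:
    """Classify every entry; 'safe' is True only when all of them resolve inside dest."""
    verdicts = {name: classify_entry(name) for name in entries}
    safe = all(target_path(dest, name) is not None for name in entries)
    return {"safe": safe, "verdicts": verdicts}


# Constructed entry names: one benign archive, one carrying traversing entries.
BENIGN = ["summons.pdf", "attachments/notice.pdf"]
MALICIOUS = ["summons.pdf", "..\\..\\..\\payload.exe", "C:\\payload.exe"]

if __name__ == "__main__":
    for label, names in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, triage(names))
```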
The persistence of this exploitation window is not a surprise to anyone who has spent time tracking how archiving software behaves in enterprise environments. WinRAR is not updated the way a browser or an operating system is. There is no automatic update mechanism pushing out fixes silently in the background. If a user installed WinRAR two years ago and has never touched it since, it will still be running whatever version was current at the time of installation, and it will open every archive the user throws at it without a single warning. Attackers know this. They rely on it. The gap between patch availability and actual patch adoption on endpoints is where campaigns like this one live.
The delivery method is deliberately mundane. As The Hacker News reported, victims receive a RAR archive, almost always through email. When opened with an unpatched version of WinRAR, what appears on screen looks like a PDF: a court summons, an administrative notice, or a document purportedly from the defence ministry. The visual presentation is entirely convincing. The recipient sees something that resembles official correspondence, reads it, and assumes nothing unusual has happened. Behind that distraction, the path traversal has already done its work.
The choice of lure documents is not accidental. Court summonses and administrative notices carry an implicit urgency; the recipient feels compelled to open and read them immediately. Defence ministry documents, targeted at military personnel, carry institutional authority. Both document types are chosen specifically to bypass the hesitation that security awareness training tries to instil. A user who would pause before opening a suspicious commercial email will often open something that looks like official correspondence without a second thought. That psychological calculation is as important to the attack chain as the technical exploit itself. Understanding how these indicators of compromise manifest at the delivery stage is critical to catching campaigns before they reach payload execution.
Trend Micro tracks one of the two active intrusion sets as SHADOW-EARTH-066. CERT-UA, Ukraine's national computer emergency response team, tracks the same group under the designation UAC-0226, a tracking identity they have maintained since 2025. This is not a new actor stumbling across a convenient vulnerability; UAC-0226 has been a persistent presence in Ukrainian cyberspace for long enough that it has acquired institutional tracking designations from multiple organisations. The group's signature payload in this campaign is GiftedCrook, an information stealer that SHADOW-EARTH-066 appears to have developed specifically for rapid, targeted credential and document theft.
What makes GiftedCrook worth examining in detail is not just what it steals but how the toolset has evolved. Rescana documented the technical trajectory of this threat actor's capabilities and found that within under a year, the group had moved from basic Excel macros with plaintext Telegram exfiltration to WinRAR exploit chains, in-memory DLL loading via direct NT system calls, and encrypted command-and-control infrastructure. That is a significant leap in operational sophistication. In-memory DLL loading leaves far less forensic evidence than writing files to disk. Direct NT system calls are used specifically to bypass security tooling that hooks higher-level Windows API functions. Encrypted C2 makes traffic analysis considerably harder. This is not opportunistic cybercrime. It is deliberate, resourced capability development.
The second intrusion set is Earth Dahu, which Trend Micro identifies as Gamaredon, one of the most extensively documented Russian state-linked threat groups operating against Ukrainian targets. Gamaredon has been active since at least 2013 and is widely attributed to the FSB's Centre 18. The group is known for high-volume, persistent operations that prioritise access and collection over stealth, often accepting detection as a trade-off for operational tempo. Their presence in this campaign, producing fresh CVE-2025-8088 exploit samples into April 2026, signals that the vulnerability is considered reliable enough by established threat actors to keep in active rotation rather than pivot to something newer.
Having two distinct intrusion sets independently exploiting the same vulnerability (one focused and technically sophisticated, the other high-volume and persistent) suggests that CVE-2025-8088 has achieved the kind of proven reliability that makes a flaw worth holding onto. When Dark Reading reported on Russian groups weaponising this flaw, the framing was correct: this is not a single campaign. It is concurrent exploitation by multiple actors with different operational styles, converging on the same unpatched attack surface.
Once GiftedCrook is running on an endpoint, the collection scope is broad. According to Trend Micro, it harvests browser passwords, session cookies, and files matching 35 distinct extensions. Browser passwords are the obvious prize: they give an attacker immediate access to everything the victim has saved in their browser's credential store, from webmail to VPN portals to internal administrative consoles. Session cookies are arguably more dangerous in the short term, because they allow an attacker to impersonate an authenticated user without needing the password at all. Steal a valid session cookie and you bypass multi-factor authentication entirely for the duration of that session.
The 35-extension file sweep is the part that tells you this is an intelligence-collection operation, not just credential theft for financial gain. File extensions targeted by stealers in espionage contexts typically include document formats (DOCX, XLSX, PDF) along with archive formats, image files, and anything that might contain configuration data or cryptographic material. Thirty-five extensions is a wide net. The attacker is not looking for one specific type of document. They are vacuuming up anything on the endpoint that might have intelligence value, then sorting it later. For a military officer or a government official, that almost certainly includes sensitive correspondence, operational planning documents, and files containing information about personnel or infrastructure.
The evolution of SHADOW-EARTH-066's tradecraft deserves more attention than it typically receives in incident-focused reporting. Going from Excel macros with plaintext Telegram exfiltration to in-memory DLL loading and encrypted C2 in under a year is an unusually rapid maturation curve. Excel macros remain common in lower-sophistication campaigns because they are easy to write and still catch users who have not disabled macro execution. But they are also easy to detect: endpoint detection tools flag macro-enabled documents, email gateways strip them, and the exfiltration over plaintext Telegram is trivially visible in network traffic analysis.
The WinRAR exploit chain addresses most of those detection vectors. A RAR archive arriving by email does not trigger the same reflexive scrutiny as a macro-enabled Office document. The path traversal executes during the extraction process, not through a macro that requires user interaction beyond opening the file. In-memory DLL loading avoids the file-on-disk artefacts that traditional endpoint detection relies on. Encrypted C2 traffic blends into the background of normal HTTPS activity. As Rescana noted in their analysis of this shift, the group has made a conscious technical investment in evading exactly the controls that defenders have spent years deploying. That investment warrants a corresponding reassessment of what cyber threat intelligence tells us about where these groups are heading next.
The targeting in this campaign is specific and consistent. Dark Reading confirmed that Ukrainian military innovation centres, military formations, and law enforcement agencies have been among the targets since at least February 2025. Military innovation centres are particularly high-value targets in the context of an ongoing war. These are the institutions working on next-generation capabilities: drone systems, electronic warfare, logistics technology. An adversary with persistent access to those environments gains insight into capability development timelines, procurement decisions, and potentially the identities of key technical personnel.
Law enforcement targeting serves a different intelligence purpose. Police and prosecutorial agencies hold information about ongoing investigations, confidential informants, and criminal networks that Russian intelligence services have historically sought to identify and protect, or in some cases to disrupt. The combination of military and law enforcement targets in a single campaign suggests a collection requirement that goes beyond battlefield intelligence. This is the kind of broad-spectrum institutional access that supports long-term strategic planning rather than immediate tactical advantage.
Local self-government bodies near Ukraine's eastern border complete the target picture. These organisations (district councils, regional administrations) control information about population movements, infrastructure status, and local security conditions in areas that are either contested or adjacent to active conflict zones. For a military intelligence service, that ground-level administrative data is invaluable for operational planning. It tells you which roads are passable, which settlements have functioning utilities, which areas have experienced population displacement, and who the local officials are who might be susceptible to pressure or recruitment.
Targeting local government also reflects a recognition that these organisations typically have weaker security postures than central government ministries or military headquarters. They run standard office software, their IT staff are generalists rather than security specialists, and they are unlikely to have the monitoring tools that would flag anomalous file access or unusual outbound connections. An unpatched copy of WinRAR on a district council workstation is exactly the kind of overlooked attack surface that well-resourced adversaries identify and exploit systematically. Understanding what your attack surface really means in practice, including the third-party software that nobody owns in the security team, is the first step towards closing these gaps.
The most uncomfortable aspect of CVE-2025-8088 is the simplest one. This was not a zero-day. The patch was available in July 2025. Any organisation running a patched version of WinRAR after that date was not vulnerable to this specific attack chain. The exploitation that continued into April 2026 happened entirely because of endpoints that had not been updated, not because the vendor failed to act, and not because there was no technical fix available. The gap between patch release and patch adoption is the attack window, and in this case that window stayed open for the better part of a year.
WinRAR installations number in the hundreds of millions globally, and the software is characteristically installed once and never revisited. Unlike a browser, which updates itself silently and frequently, or an operating system, which most enterprise environments push updates to through centralised management, WinRAR is typically installed by individual users or IT generalists as a utility and then left alone. It does not appear prominently in vulnerability management dashboards. It is not in the standard scope of monthly patching cycles. It lives on endpoints as an invisible dependency: opened when someone needs to unpack an archive, forgotten the rest of the time.
The recurring theme across the campaigns that exploit this class of vulnerability is not technical sophistication on the attacker's part. The Excel macro phase of SHADOW-EARTH-066's operation was not technically impressive. The WinRAR phase is more capable, but the core enabler (an unpatched third-party utility sitting dormant on enterprise endpoints) is a fundamentally mundane problem. The same pattern appears in campaigns exploiting old versions of PDF readers, media players, compression utilities, and other software that organisations install for convenience and subsequently forget about.
A credible software inventory is a genuine security control, not an administrative exercise. Knowing which versions of which applications are running on which endpoints is a prerequisite for identifying exposure to a CVE like this one. Without that visibility, you cannot answer the question "are we vulnerable?" with any confidence. With it, you can scope the patching effort precisely, prioritise endpoints that are exposed to the highest-risk users (those receiving external email, those with access to sensitive document stores), and validate remediation once updates have been pushed. Enterprise asset management tools, endpoint detection platforms, and vulnerability scanners all have a role to play here, but only if they are configured to cover third-party utilities, not just first-party software and operating systems.
The immediate action is straightforward: identify every endpoint in your environment running WinRAR and confirm that it is running the version released after July 2025, which addresses CVE-2025-8088. If your vulnerability management tooling does not currently enumerate WinRAR versions, add it to the scan scope today. Do not assume that because no one has flagged the software as a risk, it is not present. WinRAR has hundreds of millions of installations precisely because it is ubiquitous; the question is not whether it exists in your environment but which version is running where.
On the detection side, the lure documents described in this campaign (court summonses, administrative notices, defence ministry correspondence) are consistent with spear-phishing tradecraft that targets a sense of institutional authority. Training users to pause before extracting archives received by email remains relevant, but it is not sufficient on its own. Email gateway controls that inspect archive contents before delivery, combined with endpoint monitoring for anomalous file extraction behaviour, provide a more reliable detection layer than user judgement alone. For organisations with security operations capability, the shift to in-memory DLL loading and encrypted C2 described in SHADOW-EARTH-066's updated toolset means that traditional file-based detection will miss GiftedCrook. Memory analysis and behavioural detection rules that flag unusual NT system call patterns are necessary to catch the newer variants.
For security teams assessing broader exposure, the CERT-UA tracking designation UAC-0226 and the Trend Micro designation SHADOW-EARTH-066 refer to the same actor. Threat intelligence platforms that carry indicators from either tracking designation will help you identify whether your organisation has had contact with infrastructure associated with this campaign. Cookie and session token theft at the scale GiftedCrook operates means that any confirmed compromise should trigger a full session invalidation and credential reset across affected accounts, not just a malware removal exercise. The stolen data may already have been exfiltrated before detection; treat it as such.
No. The documented campaign has focused on Ukrainian government, military, and law enforcement targets, and the geopolitical context of the attacks is clearly tied to the ongoing conflict. But CVE-2025-8088 is a vulnerability in WinRAR, software that is installed on endpoints globally, including across EMEA enterprises, banks, and government bodies. Any organisation running an unpatched version of WinRAR is technically vulnerable to exploitation via this path traversal flaw, regardless of geography. The specific threat actors currently exploiting it are Russia-aligned and operationally focused on Ukrainian targets, but the technique is transferable. Other actors could adopt the same exploit chain against different target sets, and the vulnerability itself does not discriminate by national border.
According to Trend Micro, CVE-2025-8088 was patched in July 2025. Organisations should verify that any WinRAR installations in their environment are running a version released after that date. If your asset management tooling cannot confirm the installed version, manual checks or a targeted scan using a vulnerability management platform should be conducted immediately. Do not rely on user confirmation; check the installed version directly against endpoint inventory data.
CVE-2025-8088 is specific to WinRAR. The path traversal vulnerability exists in WinRAR's extraction logic, and a patched version of WinRAR is not susceptible to the documented exploit chain. There is nothing in the available source material to suggest that this specific CVE affects 7-Zip or other archive utilities. That said, archive tools as a category are broadly under-patched across enterprise environments for the same reasons WinRAR is: they are installed as utilities and rarely included in systematic patch management. Any archive tool running an outdated version should be investigated for known vulnerabilities relevant to that specific software.
The earlier version of SHADOW-EARTH-066's toolset used plaintext Telegram channels for exfiltration, a technique that is detectable through network traffic monitoring. The updated version described by Rescana uses encrypted command-and-control infrastructure, which is significantly harder to identify in network logs. The shift to encrypted C2 is precisely why network-level detection of plaintext Telegram traffic is no longer a reliable indicator for this specific actor. Defenders should treat the absence of Telegram C2 traffic as saying nothing about whether GiftedCrook is present; the newer variants do not use it.
UAC-0226 is the identifier assigned by CERT-UA (Ukraine's national computer emergency response team) to the threat actor that Trend Micro tracks as SHADOW-EARTH-066. CERT-UA has been tracking this group since 2025. The actor is associated with the GiftedCrook information stealer and has been active against Ukrainian military, law enforcement, and governmental targets. The use of dual tracking designations (UAC-0226 from CERT-UA and SHADOW-EARTH-066 from Trend Micro) is standard practice in threat intelligence, where different organisations independently track and name the same actor. Both designations refer to the same intrusion set and the same operational campaign involving CVE-2025-8088.
Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.
Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news: context about emerging threats, matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.