WinRAR Flaw Exploited by Russia-Aligned Groups Against Ukrainian Organizations

Consumer compression software remains a reliable initial-access vector in the Russia-Ukraine cyber theater.


Key Takeaways

  • Two Russia-aligned threat clusters have been exploiting a WinRAR path-traversal flaw, CVE-2025-8088, to deploy infostealer and espionage malware against Ukrainian organizations, according to Trend Micro research disclosed June 9, 2026.
  • The vulnerability was patched in WinRAR 7.13 in July 2025, yet remains exploitable because WinRAR does not auto-update and falls outside enterprise patch-management channels, leaving large numbers of endpoints unpatched.
  • Dark Reading reports the targeting focused on Ukrainian military and government entities, underscoring how consumer compression software has become a durable initial-access vector in the Russia-Ukraine cyber theater.

A flaw patched nearly a year ago is still opening doors into Ukrainian networks, because the software that carries it never gets updated.

KYIV — Russia-aligned threat groups have been exploiting a WinRAR flaw to deploy infostealer malware against Ukrainian organizations, according to research from Trend Micro disclosed on June 9, 2026. The activity is consistent with the broader Russian playbook of turning vulnerabilities in widely used consumer software into initial-access vectors for targeted campaigns against Ukrainian government and civic targets.

The campaign fits a now-familiar pattern in the Russia-Ukraine cyber theater, where Russia-aligned operators repeatedly return to the same dependable techniques rather than burning novel capabilities. It lands alongside other recent activity attributed to the same ecosystem, including a fileless Gamaredon worm abusing NTFS alternate data streams against Ukraine and a broader pattern of Russian intelligence services targeting Western systems — reinforcing that the threat to Ukrainian organizations is sustained rather than episodic.

At a Glance

Vulnerability: CVE-2025-8088 (WinRAR path traversal)
Patched: WinRAR 7.13, July 2025
Disclosed: on or around June 9, 2026 (Trend Micro)
Attributed actors: Shadow-Earth-066; Earth Dahu (Gamaredon)
Targets: Ukrainian military and government organizations
Payloads: GiftedCrook stealer; GammaSteel and other espionage modules

The Campaign in Outline

According to Trend Micro, at least two Russia-aligned threat clusters have been weaponizing CVE-2025-8088, a path-traversal vulnerability in the Windows version of WinRAR, in email-based attacks against Ukrainian organizations. A crafted archive carries a relative path, such as a chain of ..\ components ending in a Windows Startup folder, inside the name of an NTFS alternate data stream attached to an otherwise harmless entry; vulnerable versions honor that path on extraction and write the attacker's file outside the directory the user chose, so it runs the next time the user logs in. The flaw was patched in WinRAR 7.13 in July 2025.
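The following scanner is an added example, not code from Trend Micro or WinRAR: it walks the header chain of a RAR5 archive and flags the two things the mechanism above depends on, a regular entry whose name escapes the extraction directory, and an STM (NTFS stream) service entry whose stream name contains a path separator, which a genuine stream name such as :Zone.Identifier never does. It assumes the block layout documented in the rarlab RAR5 technote and that an STM header carries its stream name in a type-0x07 (service data) extra record; RAR4 archives are reported as unsupported rather than parsed, and the archive it scans is built by its own constructed-sample helper rather than taken from any real campaign. All function names are this example's own.

```python
"""Scan a RAR5 archive for CVE-2025-8088-style path traversal hidden in NTFS ADS names.
Added example, not WinRAR or Trend Micro code. Assumes the rarlab RAR5 technote layout and
that an STM service header carries its stream name in a type-0x07 (service data) extra record."""
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HDR_FILE, HDR_SERVICE, HDR_ENDARC = 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x0001, 0x0002      # header flags: extra area / data area present
FILE_MTIME, FILE_CRC = 0x0002, 0x0004       # file-header flags: 4-byte mtime / data CRC present
XTRA_SERVICE_DATA = 0x07                    # extra record type carrying the STM stream name


def read_vint(buf, pos):
    """RAR5 vint: 7 payload bits per byte, little-endian, high bit set means another byte follows."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1          # IndexError here means a truncated header
        value, shift = value | (b & 0x7F) << shift, shift + 7
        if not b & 0x80:
            return value, pos


def entry_name(hdr, pos):
    """Skip the fixed fields shared by file and service headers and return the entry name."""
    file_flags, pos = read_vint(hdr, pos)
    for _ in range(2):                      # unpacked size, attributes
        _, pos = read_vint(hdr, pos)
    pos += (4 if file_flags & FILE_MTIME else 0) + (4 if file_flags & FILE_CRC else 0)
    for _ in range(2):                      # compression info, host OS
        _, pos = read_vint(hdr, pos)
    name_len, pos = read_vint(hdr, pos)
    return hdr[pos:pos + name_len].decode("utf-8", "replace")


def extra_records(extra):
    pos = 0
    while pos < len(extra):                 # record = size vint (excluding itself), type vint, data
        size, pos = read_vint(extra, pos)
        rtype, dpos = read_vint(extra, pos)
        yield rtype, extra[dpos:pos + size]
        pos += size


def suspicious_path(name):
    """Names that climb out of the extraction directory or are absolute."""
    return ".." in name.replace("\\", "/").split("/") or name[:1] in ("/", "\\") or name[1:2] == ":"


def scan_rar5(data):
    """Walk the block chain; return a list of findings (empty list means nothing suspicious)."""
    if not data.startswith(RAR5_SIG):
        return ["not a RAR5 archive (RAR4 and other formats are out of scope)"]
    findings, pos = [], len(RAR5_SIG)
    try:
        while pos + 4 < len(data):
            crc = struct.unpack_from("<I", data, pos)[0]
            hdr_size, p = read_vint(data, pos + 4)
            hdr_end = p + hdr_size
            if zlib.crc32(data[pos + 4:hdr_end]) != crc:
                findings.append(f"header at offset {pos}: CRC mismatch")
            htype, p = read_vint(data, p)
            flags, p = read_vint(data, p)
            extra_size, p = read_vint(data, p) if flags & FLAG_EXTRA else (0, p)
            data_size, p = read_vint(data, p) if flags & FLAG_DATA else (0, p)
            if htype in (HDR_FILE, HDR_SERVICE):
                name = entry_name(data, p)
                if htype == HDR_FILE and suspicious_path(name):
                    findings.append(f"file entry escapes extraction directory: {name!r}")
                elif htype == HDR_SERVICE and name == "STM":
                    for rtype, rdata in extra_records(data[hdr_end - extra_size:hdr_end]):
                        stream = rdata.decode("utf-8", "replace")
                        # A real stream name (e.g. ':Zone.Identifier') never contains a separator.
                        if rtype == XTRA_SERVICE_DATA and ("\\" in stream or "/" in stream):
                            findings.append(f"ADS name with path traversal: {stream!r}")
            pos = hdr_end + data_size
            if htype == HDR_ENDARC:
                break
    except IndexError:
        findings.append(f"malformed or truncated header at offset {pos}")
    return findings


# Constructed test-archive builder (not a real sample); mirrors the layout the scanner parses.
def vint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])


def block(htype, body, extra=b"", data=b""):
    """One block: CRC32, size vint, type, flags, [extra size], [data size], body, extra, then data."""
    flags = (FLAG_EXTRA if extra else 0) | (FLAG_DATA if data else 0)
    hdr = vint(htype) + vint(flags) + (vint(len(extra)) if extra else b"") + (vint(len(data)) if data else b"")
    sized = vint(len(hdr) + len(body) + len(extra)) + hdr + body + extra
    return struct.pack("<I", zlib.crc32(sized)) + sized + data


def entry_body(name):
    enc = name.encode()                     # flags 0, unpacked 0, attrs 0x20, store, host OS Windows
    return vint(0) + vint(0) + vint(0x20) + vint(0) + vint(0) + vint(len(enc)) + enc


def build_sample(stream_names, file_name="cv.pdf"):
    """Decoy document plus one STM service entry per alternate-data-stream name."""
    out = RAR5_SIG + block(1, vint(0))                       # main header, archive flags 0
    out += block(HDR_FILE, entry_body(file_name), data=b"%PDF-1.4 decoy")
    for s in stream_names:
        rec = vint(XTRA_SERVICE_DATA) + s.encode()
        out += block(HDR_SERVICE, entry_body("STM"), extra=vint(len(rec)) + rec, data=b"[stream]")
    return out + block(HDR_ENDARC, vint(0))                  # end-of-archive flags 0
```

Only headers are read, so the scan is cheap enough to run on every archive a mail gateway quarantines, and it does not need to decompress anything. A CRC mismatch or a truncated header is reported as a finding rather than silently skipped, because an archive that WinRAR would partially process is exactly the kind a defender wants to look at.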

The first cluster, tracked by Trend Micro as Shadow-Earth-066 — and as UAC-0226 by Ukraine's Computer Emergency Response Team (CERT-UA) — used the flaw to deploy an updated version of the GiftedCrook information stealer. According to the research, GiftedCrook harvests browser passwords, session cookies, and files matching dozens of extensions before deleting itself to frustrate forensic analysis.

The second cluster is Earth Dahu, better known as Gamaredon and also tracked under names including Primitive Bear, Shuckworm, Aqua Blizzard, and UAC-0010. Trend Micro reports that Earth Dahu used the same flaw in an HTML Application (HTA)-to-VBScript infection chain that ultimately delivers espionage-focused modules, including the GammaSteel stealer. The same group was recently linked to a fileless worm abusing NTFS alternate data streams in attacks on Ukrainian targets.

Why WinRAR Remains a Favored Initial-Access Vector

WinRAR's appeal as an entry point is rooted in its ubiquity and its patching blind spots. The software is used by hundreds of millions of people worldwide and is, as Trend Micro put it, "deeply embedded in daily operations across Ukrainian organizations." That install base means a single archive flaw can reach a vast pool of potential targets with minimal tailoring.

Crucially, WinRAR has no auto-update mechanism and no native Group Policy support, and it is not covered by enterprise patch-management channels such as WSUS, SCCM, or Intune unless an organization packages and pushes the updates itself. As a result, verifying patch status across an estate can require third-party tooling or manual auditing, and many organizations simply never confirm whether the fix has been applied. Nearly a year after the July 2025 patch, enough endpoints remain unpatched to keep the flaw worth exploiting.

The economics reinforce the pattern. Researchers quoted by Dark Reading noted that exploiting CVE-2025-8088 requires no exotic engineering and no standing infrastructure — just a phishing email carrying a booby-trapped archive. With the technique long since commoditized, the barrier to weaponize it is, in practical terms, gone. For Russia-aligned operators running sustained campaigns against Ukraine, a cheap, reliable, broadly applicable initial-access method is exactly the kind of capability worth reusing indefinitely.

What's Known and Not Known About Attribution

Trend Micro attributes the two campaigns to Shadow-Earth-066 and Earth Dahu, and Dark Reading reports that the targeting focused on Ukrainian military and government entities — including military innovation centers, military formations, and law enforcement agencies. Google's Threat Intelligence Group has separately reported that other Russia-aligned actors, among them Sandworm, Turla, and Void Rabisu, exploited the same vulnerability earlier in the year, indicating the flaw is in wide use across the Russia-aligned ecosystem rather than the tool of a single group.

Beyond those named clusters, attribution should be read with care. "Russia-aligned" describes a shared orientation and target set, not a single chain of command, and the overlapping tracking names that vendors apply to these groups can imply more precision than the public evidence supports. The specific scope of compromise — how many organizations were successfully breached, versus merely targeted — is not detailed in the available reporting.

What is firmly established is narrower but serious: a patched WinRAR flaw under active exploitation, two named Russia-aligned clusters deploying credential-stealing and espionage payloads, and a victim set concentrated in Ukrainian government and military organizations. Those facts are enough to act on without overstating the precision of the attribution.

Defensive Guidance

The first and most effective step is patching: organizations should confirm that WinRAR is updated to version 7.13 or later across every endpoint, treating the absence of auto-update as a reason for active verification rather than an excuse for inaction. Because WinRAR sits outside conventional patch channels, this belongs on the asset-discovery side of any vulnerability-management program — you cannot patch software you have not inventoried.

Where immediate patching is not feasible, the attack chains point to concrete mitigations. Because the exploit persists by dropping a file into a Windows Startup folder (the per-user folder under AppData\Roaming or the all-users folder under ProgramData), alerting on new files in those two locations, and treating a write from an archive utility as especially suspicious, offers high-value detection. At the perimeter, defenders should strip or detonate inbound archives at the mail gateway, since both campaigns begin with weaponized emails carrying malicious RAR files. Removing WinRAR where it is not needed, or allowlisting it where it is, further shrinks the exposed surface.
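The Startup-folder detection described above, as an added example rather than a rule published by any of the sources: it runs over constructed key=value renderings of Sysmon Event ID 11 (FileCreate) records, matches both Startup locations, and raises the severity when the writing process is an archive utility. The sample events, the process list and the function names are this example's own assumptions, not real telemetry.

```python
"""Flag new Startup-folder entries in Sysmon Event ID 11 (FileCreate) records.
Added example, not from the page's sources; the events below are constructed, not real telemetry."""
import re

# Per-user and all-users Startup folders; a file dropped in either runs at the next logon.
STARTUP_RE = re.compile(
    r"\\(?:appdata\\roaming|programdata)\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$",
    re.IGNORECASE,
)
# Archive tools have no legitimate reason to create Startup entries; treat those as high severity.
ARCHIVE_TOOLS = {"winrar.exe", "rar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}

SAMPLE_EVENTS = [  # constructed key=value renderings of Sysmon events (assumed format)
    "EventID=11 Image=C:\\Program Files\\WinRAR\\WinRAR.exe "
    "TargetFilename=C:\\Users\\olena\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "EventID=11 Image=C:\\Program Files\\WinRAR\\WinRAR.exe TargetFilename=C:\\Users\\olena\\Downloads\\cv\\cv.pdf",
    "EventID=11 Image=C:\\Windows\\explorer.exe "
    "TargetFilename=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk",
    "EventID=1 Image=C:\\Program Files\\WinRAR\\WinRAR.exe CommandLine=WinRAR.exe x cv.rar",
]


def parse_event(line):
    """Split 'Key=Value Key=Value' text; values may contain spaces, so cut at the next ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def startup_drops(events):
    """Return (severity, image, target) for every FileCreate that lands in a Startup folder."""
    hits = []
    for line in events:
        ev = parse_event(line)
        target = ev.get("TargetFilename", "")
        if ev.get("EventID") != "11" or not STARTUP_RE.search(target):
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        hits.append(("high" if image in ARCHIVE_TOOLS else "medium", image, target))
    return hits


if __name__ == "__main__":
    for hit in startup_drops(SAMPLE_EVENTS):
        print(*hit)
```

The medium-severity tier exists because explorer.exe and installers legitimately write Startup shortcuts; a rule that only looked at the path would drown the WinRAR case in that noise, while a rule that only looked at the process would miss a dropped file that is later moved by hand.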

Finally, given the espionage and credential-theft objectives, organizations should hunt for the downstream behaviors these payloads exhibit — anomalous browser-credential access, suspicious VBScript and HTA execution, and outbound connections to attacker command-and-control infrastructure. The persistent, multi-actor nature of this targeting is consistent with the wider pattern of Russia-attributed operations against allied and Ukrainian targets, and should be treated as an enduring threat rather than a one-off.

Open Questions

Several questions remain unresolved. The total number of Ukrainian organizations actually compromised — as distinct from those targeted — is not quantified in the available reporting, nor is the full timeline of when each cluster began and ceased its activity. The extent to which the GiftedCrook and GammaSteel payloads succeeded in exfiltrating data, versus being detected and blocked, is likewise unclear.

It is also not established whether WinRAR's vendor has taken additional steps beyond the July 2025 patch to address the broader pattern of exploitation, or whether the named clusters have begun migrating to newer flaws as patched endpoints slowly increase. As with any actively exploited, widely deployed flaw, the roster of actors and the count of affected organizations may grow as more vendors publish their own telemetry.


Sources

Primary: Trend Micro — Old WinRAR Flaw Fuels Attacks on Ukraine
Reporting: The Hacker News — WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
Reporting: Dark Reading — Russian Attackers Weaponize WinRAR Flaw Against Ukrainian Orgs
Background: NVD — CVE-2025-8088
Related: The CyberSignal — Gamaredon NTFS Alternate Data Streams Fileless Worm Targets Ukraine
Related: The CyberSignal — Russian Spies Used Fake Companies to Acquire Western Technology