Two Russia-linked hacker groups — Gamaredon and Shadow-Earth-066 — are actively exploiting a WinRAR vulnerability (CVE-2025-8088) that's been patched since July 2024, targeting Ukrainian military and government organizations through weaponized phishing emails.
The attacks differ in execution but share the same goal. Shadow-Earth-066 deploys the GiftedCrook stealer to harvest credentials and documents, while Gamaredon plants espionage malware via malicious HTA files. Both abuse WinRAR's path traversal flaw to drop payloads into Windows Startup folders.
The flaw stays dangerous because WinRAR doesn't auto-update and falls outside standard enterprise patching tools — leaving millions of endpoints exposed.
Source: Dark Reading