Russian APTs Exploit Patched WinRAR Flaw in Targeted Ukraine Campaigns
Shadow-Earth-066 and Earth Dahu leverage CVE-2025-8088 in email-based attacks against Ukrainian military and government targets, deploying GiftedCrook stealer and espionage malware despite patch availability since July 2025.
Attack Brief
Target: WinRAR (Windows version)
Vector: Path traversal vulnerability (CVE-2025-8088) via weaponized email attachments
Attribution: Shadow-Earth-066 (UAC-0226), Earth Dahu (Gamaredon, Primitive Bear, Shuckworm, Aqua Blizzard, UAC-0010); also Sandworm, Turla, Void Rabisu
Technical Details
CVE IDs: CVE-2025-8088
MITRE ATT&CK: T1566.001, T1566.002, T1005, T1041
Affected: WinRAR versions prior to 7.13 (patched July 2025)
Impact
Affected Organisations: Ukrainian military innovation centers, military formations, law enforcement agencies, government entities
Sectors: Government, Military, Law Enforcement
Geography: Ukraine
Mitigation
Patches: WinRAR 7.13 (released July 2025)
Context
Similar Attacks: Sandworm, Turla, and Void Rabisu also exploited CVE-2025-8088 earlier in 2026. Shadow-Earth-066 and Earth Dahu continue generating new exploit samples as of April 2026.
Source
https://www.darkreading.com/vulnerabilities-threats/russian-groups-winrar-flaw-ukrainian-orgs
By Trend Micro (Hiroyuki Kakara, Feike Hacquebord); Dark Reading, 2026-06-09T00:00:00Z (2 sources)