
Exploitation of patched WinRAR bug CVE-2025-8088 continues by Russian APTs

Although a fix was released in 2025, a vulnerability in WinRAR (CVE-2025-8088) continues to be actively exploited by Russian-linked threat actors to deliver malware through phishing-based archive files.

The flaw, a path traversal vulnerability, allows attackers to place malicious files outside the intended extraction directory by abusing NTFS Alternate Data Streams. WinRAR addressed the issue in version 7.13, released in July 2025. However, nearly a year after the patch became available, recent analysis by Trend Micro indicates that adoption of the fix remains incomplete. As a result, multiple threat actors continue to weaponize the vulnerability in ongoing campaigns.

Trend Micro researchers have identified at least two Russia-aligned advanced persistent threat (APT) groups, Earth Dahu (also known as Gamaredon) and SHADOW-EARTH-066 (UAC-0226), that are actively developing updated exploit samples and distributing new malicious lures leveraging this flaw. The continued success of these attacks highlights a common security gap: the existence of a patch does not guarantee its deployment across environments.

The attack chain begins with spear-phishing emails delivering weaponized RAR archives. When victims open these files, they typically see a decoy document designed to appear legitimate, such as a court notice, a military inventory, or an official government communication, intended to prompt urgency. Behind the scenes, without any visible warning or further user interaction, the vulnerability is triggered.

When CVE-2025-8088 is exploited, WinRAR silently writes hidden payload files outside the extraction path, often into sensitive directories such as the Windows Startup folder. Once the system is restarted or the user logs in again, these malicious files execute automatically, effectively establishing initial access.

SHADOW-EARTH-066 has notably enhanced its techniques compared to its earlier campaigns in 2025. The group previously relied on relatively simple macro-based delivery methods that were easy to detect. In contrast, its latest operations demonstrate significantly greater sophistication. Recent samples deploy multiple hidden components, including a shortcut file in the Startup directory, an obfuscated PowerShell loader, and an encoded DLL payload. These elements work together to execute malicious code entirely in memory, bypassing traditional file-based detection mechanisms.

The final-stage malware, an evolution of known stealer families, targets widely used browsers such as Chrome, Edge, Opera, and Firefox. It extracts sensitive information including saved credentials, session cookies, and encryption keys, while also scanning local directories for documents, configuration files, and other valuable data. After exfiltrating the collected information to attacker-controlled servers, the malware removes all traces of its presence, leaving no persistence artifacts behind.

Meanwhile, Earth Dahu employs a different approach while leveraging the same initial vulnerability. Instead of deploying complex multi-stage malware, it drops script-based payloads such as HTA or VBScript files into the Startup folder. These scripts are executed during the next login and retrieve additional payloads from attacker-controlled infrastructure, often hosted via intermediary services. This method allows the group to dynamically deliver espionage tools tailored to specific targets.

Both campaigns demonstrate increasing operational maturity, particularly in their delivery mechanisms. In some cases, spear-phishing emails were sent from compromised accounts within Ukrainian government systems, enhancing their credibility. Additionally, attackers used domain spoofing techniques to disguise malicious links as legitimate government or news websites, further improving the effectiveness of their social engineering tactics.

Despite differences in tooling and infrastructure, both threat groups have independently converged on CVE-2025-8088 as a reliable initial access vector. This is largely due to structural weaknesses in how WinRAR is deployed and maintained. Unlike many enterprise-managed applications, WinRAR does not automatically update and is often excluded from centralized patch management systems. As a result, organizations must rely on manual updates or third-party tools to ensure systems are properly patched, something that frequently does not happen.
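Because WinRAR sits outside most patch-management tooling, a defender's first two checks are the installed version against the fixed release (7.13) and the contents of the Startup folders the campaigns write into. The following PowerShell script is an added example, not code from the article or from Trend Micro; it assumes the default WinRAR install path under Program Files and treats any version below 7.13 as unpatched.

```powershell
# Added example: inventory WinRAR version and recent Startup-folder drops.
# Assumption: WinRAR is installed in its default location; fixed version is 7.13 per the article.
$FixedVersion = [version]'7.13'

function Get-WinRarStatus {
    # Candidate executables under 64-bit and 32-bit Program Files (skip unset variables)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $candidates = $roots | ForEach-Object { Join-Path $_ 'WinRAR\WinRAR.exe' } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($exe in $candidates) {
        # ProductVersion looks like "7.13.0"; keep only the leading numeric part
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        $ver = [version](($raw -split '[^0-9.]')[0])
        [pscustomobject]@{
            Path       = $exe
            Version    = $ver
            Unpatched  = ($ver -lt $FixedVersion)
        }
    }
}

function Get-StartupFolderItems {
    param([int]$Days = 30)
    # File types the article associates with these campaigns: shortcuts, HTA, VBScript, PowerShell loaders
    $risky = '.lnk', '.hta', '.vbs', '.vbe', '.js', '.ps1', '.cmd', '.bat'
    $since = (Get-Date).AddDays(-$Days)

    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files, which is how the dropped payloads are written
        Get-ChildItem -LiteralPath $dir -File -Force |
            Where-Object { $risky -contains $_.Extension.ToLower() -and $_.CreationTime -gt $since } |
            Select-Object FullName, CreationTime, Length, Attributes
    }
}

Get-WinRarStatus | Format-Table -AutoSize
Get-StartupFolderItems | Format-Table -AutoSize
```

Any entry returned by the second function deserves a look at who created it and when, correlated with archive extractions around the same time; an `Unpatched` value of True in the first table means the host should be updated before anything else.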

This pattern is not new. Previous WinRAR vulnerabilities, such as CVE-2018-20250, remained in active use by attackers for years after patches were released. The continued exploitation of CVE-2025-8088 follows the same trend, underscoring the risks posed by widely installed software that falls outside standard patching workflows.

In conclusion, although CVE-2025-8088 was patched in mid-2025, it continues to serve as an effective attack vector due to inconsistent patch deployment. The sustained use of this vulnerability by multiple threat groups highlights both the scale of the threat landscape and the importance of comprehensive vulnerability management practices.
