Russian-Linked Hackers Exploit WinRAR Flaw to Deploy GIFTEDCROOK Stealer Against Ukraine


Russian-aligned threat groups are still exploiting a patched WinRAR vulnerability to target Ukrainian organizations with credential theft and espionage tools. The flaw, tracked as CVE-2025-8088, lets attackers use malicious RAR archives to write hidden files outside the intended extraction folder.

A new Trend Micro report says two separate Russia-aligned campaigns continued using the flaw against Ukrainian targets into April 2026. One campaign, tracked as SHADOW-EARTH-066 and CERT-UA UAC-0226, deployed an evolved GIFTEDCROOK information stealer.

The other campaign involves Earth Dahu, also known as Gamaredon or Armageddon, which used the same WinRAR entry point to deliver espionage tools through HTA and VBScript-based chains. The shared weakness is simple: many systems still run outdated WinRAR builds, even though the fix shipped in 2025.

CVE-2025-8088 Remains Useful Because WinRAR Updates Are Often Missed

CVE-2025-8088 is a high-severity path traversal vulnerability in the Windows version of WinRAR. The NVD entry gives it a CVSS 3.1 score of 8.4 and says attackers can execute arbitrary code by crafting malicious archive files.

The vendor fixed the issue in WinRAR 7.13, released on July 30, 2025. The official notes say the vulnerability affects Windows versions of WinRAR, RAR, UnRAR, UnRAR.dll, and portable UnRAR, but not Linux/Unix builds or RAR for Android.

The problem persists because WinRAR does not fit neatly into every enterprise patching workflow. Trend Micro notes that it is not covered by Group Policy or centralized update mechanisms, which can leave older copies running long after a patch becomes available.

Detail | Information
Vulnerability | CVE-2025-8088
Severity | High, CVSS 8.4
Bug type | Path traversal using NTFS Alternate Data Streams
Fixed in | WinRAR 7.13 and later
Main abuse case | Writing hidden payloads to the Windows Startup folder
Current campaigns | Russia-aligned activity against Ukrainian organizations

How the WinRAR Attack Chain Works

The attack starts with spear-phishing emails carrying malicious RAR archives. When a victim opens the archive with a vulnerable WinRAR version, the user sees a decoy PDF or another harmless-looking document.

Behind the scenes, the archive abuses NTFS Alternate Data Streams and directory traversal sequences to place hidden files in sensitive locations, often the Windows Startup folder. Those files then run automatically the next time the user logs in.

Google Threat Intelligence Group described this same technique earlier in 2026, warning that government-backed and financially motivated actors were using CVE-2025-8088 as a reliable initial access vector after the patch was already available.

  • The victim receives a malicious RAR archive through email.
  • The archive opens a visible decoy document to reduce suspicion.
  • Hidden Alternate Data Stream entries write payloads outside the extraction path.
  • A shortcut, script, HTA file, or loader lands in the Startup folder.
  • The payload executes after the next login or reboot.
  • The attacker steals data, deploys espionage tools, or installs additional malware.
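The traversal shape described above can be screened for before an archive is ever extracted. The following is an added example (not code from Trend Micro, ESET or WinRAR) that inspects archive entry names for ADS markers and `..\` hops and reports where each entry would actually land; the entry names are constructed samples, and in practice they would come from an archive lister such as rarfile's `namelist()`.

```python
"""Pre-extraction triage of RAR entry names for the CVE-2025-8088 pattern.

Added example, not Trend Micro's, ESET's or WinRAR's code. Flags entries whose
name uses an NTFS Alternate Data Stream ("doc.pdf:stream") or "..\\" traversal
so the written file lands outside the extraction folder. Samples are constructed.
"""
import ntpath
import re

# Drop locations the campaign used, matched case-insensitively on the resolved path.
LANDING_ZONES = {
    "startup-folder": "\\start menu\\programs\\startup\\",
    "programdata-drop": "c:\\programdata\\",
}

def triage_entry(name: str, extract_dir: str = r"C:\Users\victim\Downloads") -> list[str]:
    """Return findings for one entry name; an empty list means nothing odd."""
    findings = []
    norm = name.replace("/", "\\")
    # A drive-letter colon ("C:\") is legitimate; any other colon names an ADS.
    drive = re.match(r"^[A-Za-z]:\\", norm)
    head, body = (drive.group(0), norm[drive.end():]) if drive else ("", norm)
    if ":" in body:
        findings.append("alternate-data-stream")
        body = body.split(":", 1)[1]  # WinRAR treated the stream name as a path
    if ".." in body.split("\\"):
        findings.append("dot-dot-traversal")
    root = ntpath.normpath(extract_dir)
    if head or body.startswith("\\"):
        findings.append("absolute-path")
        target = ntpath.normpath(head + body)
    else:
        target = ntpath.normpath(ntpath.join(root, body))  # collapses the "..\" hops
    if not target.lower().startswith(root.lower() + "\\"):
        findings.append("escapes-extraction-dir")
    findings += [label for label, marker in LANDING_ZONES.items() if marker in target.lower()]
    return findings

def triage_archive(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    return {n: hits for n in names if (hits := triage_entry(n))}

SAMPLE_NAMES = [  # constructed: a decoy plus two hidden ADS entries
    "Application_Form.pdf",
    "Application_Form.pdf:..\\..\\..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft"
    "\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Application_Form.pdf:..\\..\\..\\..\\ProgramData\\KKN",
    "notes/2026/report.docx",
]
```

Running `triage_archive(SAMPLE_NAMES)` reports only the two ADS entries, one resolving to the Startup folder and one to C:\ProgramData, while the decoy and the nested document are left alone.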

SHADOW-EARTH-066 Uses the Flaw to Deliver GIFTEDCROOK

SHADOW-EARTH-066, tracked by CERT-UA as UAC-0226, has used the WinRAR flaw against Ukrainian military innovation centers, military formations, law enforcement agencies, and local government bodies near Ukraine’s eastern border.

In this campaign, malicious archives contain a visible decoy PDF and hidden payloads. Trend Micro says the hidden files include an LNK shortcut dropped into the Startup folder, a PowerShell loader placed in C:\ProgramData, and an encoded DLL payload in the same location.

The LNK starts a PowerShell chain that loads the final payload in memory. The stealer is an updated DLL form of GIFTEDCROOK, internally named result.dll, and it focuses on quick credential and document theft before cleaning up its staging files.

GIFTEDCROOK Steals Browser Data and Sensitive Files

The updated GIFTEDCROOK variant targets popular browsers including Chrome, Edge, Opera, and Firefox. It attempts to steal passwords, session cookies, and browser decryption material that can help attackers hijack accounts.

Figure: SHADOW-EARTH-066 attack chain from CVE-2025-8088 exploitation to HTTPS exfiltration (Source: Trend Micro)

The malware also searches for documents and sensitive files across 35 file extensions. That includes spreadsheets, email files, KeePass databases, and other files that may contain credentials, internal records, or operational details.

The newer version marks a shift from older GIFTEDCROOK activity. The original campaign relied on simpler Excel macro delivery and Telegram-based exfiltration, while the 2026 chain uses the WinRAR exploit, PowerShell obfuscation, in-memory DLL loading, and encrypted HTTPS command-and-control servers.

Capability | What it means for victims
Browser credential theft | Stolen saved passwords can expose email, VPN, cloud, and internal apps
Session cookie theft | Attackers may try to hijack active accounts without knowing the password
Document collection | Files related to operations, finance, government work, or defense activity may be exfiltrated
In-memory loading | The final DLL is harder to detect with simple file-based scanning
Self-cleanup | Staging files and Startup entries can disappear after data theft

Earth Dahu Uses the Same Flaw for Espionage Chains

Earth Dahu, widely known as Gamaredon, also adopted CVE-2025-8088. Instead of the GIFTEDCROOK chain, the group used malicious archives to drop HTA, VBS, or VBE files into the Startup folder.

Those files can launch through mshta.exe or scripting components and then fetch additional espionage tooling. Some samples used Cloudflare-related infrastructure or dynamic delivery paths before reaching later-stage modules.

The overlap shows why defenders should focus on the exploit behavior, not only on one malware family. The same WinRAR bug can lead to a stealer, an espionage downloader, or other payloads depending on the actor behind the archive.

Other Actors Also Abused the Same WinRAR Bug

The abuse of CVE-2025-8088 is broader than these two campaigns. Google’s analysis also linked the flaw to Russian-nexus actors such as Sandworm, Turla, and Gamaredon, as well as China-linked and financially motivated groups.

ESET Research originally discovered the flaw in July 2025 while investigating RomCom activity. ESET said the zero-day was used in spear-phishing campaigns that disguised malicious archives as job application documents.

This pattern is common with reliable archive exploits. Once a working technique becomes known, multiple actors can copy it, alter the lure documents, and swap in their own payloads.

Defenders Should Patch WinRAR and Hunt for Startup Folder Abuse

Organizations should first inventory WinRAR installations and update them to the latest available version. Updating only systems managed by standard Windows patch channels may not be enough, because some WinRAR installations may sit outside normal update reporting.

Security teams should also search for suspicious LNK, HTA, VBS, VBE, BAT, CMD, or PowerShell files in Startup folders. The ESET report says the exploit can silently deploy files from archives, which makes Startup folder monitoring especially important.

Network teams should review outbound connections linked to unusual user agents, dedicated command-and-control servers, and HTTPS exfiltration endpoints. If browser data theft is suspected, response teams should rotate passwords, revoke sessions, and enable or enforce multi-factor authentication.

  • Update WinRAR, RAR, UnRAR, UnRAR.dll, and portable UnRAR for Windows.
  • Do not rely only on Windows Update to find vulnerable WinRAR installs.
  • Block or quarantine suspicious RAR files from unknown senders.
  • Monitor Startup folders for newly created LNK, HTA, VBS, VBE, BAT, CMD, and PowerShell files.
  • Review C:\ProgramData for short random file names and unusual encoded payloads.
  • Hunt for PowerShell execution launched by shortcut files.
  • Rotate saved browser credentials after a confirmed compromise.
  • Revoke active browser sessions and enforce MFA on critical accounts.
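The Startup-folder and C:\ProgramData checks in the list above can be turned into a small hunting script. This is an added example, not Trend Micro's code: `classify_path` is a pure rule over a path string so it can run on an exported file listing, `live_paths` enumerates the real Startup folders and ProgramData root on a Windows host, and the 2-4 character name threshold is an assumption based on the staging names reported in the campaign.

```python
"""Hunt for the Startup-folder and C:\\ProgramData artefacts listed above.

Added example, not Trend Micro's code. classify_path is a pure rule over a
path string; live_paths enumerates a host's Startup folders and ProgramData.
The 2-4 character name threshold is an assumption based on the reported names.
"""
import os
import re
import ntpath

AUTOSTART_EXTS = {".lnk", ".hta", ".vbs", ".vbe", ".bat", ".cmd", ".ps1"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SHORT_RANDOM = re.compile(r"^[a-z0-9_]{2,4}$")  # matched after lower-casing

def classify_path(path: str):
    """Return the hunting rule a path trips, or None if it trips none."""
    low = path.replace("/", "\\").lower()
    base = ntpath.basename(low)
    ext = ntpath.splitext(base)[1]
    if STARTUP_MARKER in low and ext in AUTOSTART_EXTS:
        return f"autostart-{ext[1:]}-in-startup-folder"
    # Files dropped directly under C:\ProgramData with names like KKN or ND8.
    if low.startswith("c:\\programdata\\") and low.count("\\") == 2 and SHORT_RANDOM.match(base):
        return "short-random-name-in-programdata"
    return None

def hunt(paths):
    """Return (path, rule) pairs for every path that trips a rule."""
    return [(p, r) for p in paths if (r := classify_path(p))]

def live_paths(users_root=r"C:\Users", programdata=r"C:\ProgramData"):
    """Yield files from each user's Startup folder, the all-users Startup folder and ProgramData."""
    startup_rel = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    dirs = [os.path.join(programdata, r"Microsoft\Windows\Start Menu\Programs\Startup"), programdata]
    if os.path.isdir(users_root):
        dirs += [os.path.join(users_root, u, startup_rel) for u in os.listdir(users_root)]
    for d in dirs:
        if os.path.isdir(d):  # silently skipped on hosts where the folder does not exist
            yield from (os.path.join(d, f) for f in os.listdir(d))

SAMPLE_PATHS = [  # constructed file listing; Updater.lnk and sync.vbe stand in for the droppers
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\ProgramData\KKN",
    r"C:\ProgramData\ND8",
    r"C:\ProgramData\Package Cache",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sync.vbe",
]
```

On a live host run `hunt(live_paths())`; every hit is a review candidate, not a verdict, since legitimate shortcuts also live in Startup folders.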

Key Indicators Reported in the Campaign

Type | Indicator | Description
Malware | GIFTEDCROOK | Information stealer used by SHADOW-EARTH-066
File name | result.dll | Final GIFTEDCROOK DLL payload
File name | KKN | PowerShell loader observed in C:\ProgramData
File name | ND8 | Encoded DLL payload observed in C:\ProgramData
File names | U0U, YDV, NdV, QB5k, uaP, WnX, wq_, Arj, O5f | Additional staging names reported in the campaign
URI path | /rcv/ | Exfiltration endpoint path used by SHADOW-EARTH-066 servers
User-Agent | libcurl/8.14.0-DEV | Observed in GIFTEDCROOK command-and-control traffic
Domain | astrocafe[.]com | Sending domain associated with Earth Dahu activity

Why This Campaign Matters

The continued exploitation of CVE-2025-8088 shows how one missed application update can undermine endpoint security, even months after a vendor fix. Archive tools are common, often trusted by users, and regularly used to exchange documents, which makes them attractive to attackers.

WinRAR’s own 7.13 release notes described CVE-2025-8088 as a critical directory traversal issue that required immediate action. Nearly a year later, attackers are still benefiting from environments that did not act.

The latest Trend Micro findings make the lesson clear for defenders: patching common desktop utilities matters as much as patching operating systems and browsers, especially when those utilities process files from email.

FAQ

What is CVE-2025-8088 in WinRAR?

CVE-2025-8088 is a high-severity path traversal vulnerability in Windows versions of WinRAR and related components. Attackers can use crafted RAR archives to write files outside the intended extraction directory, including the Windows Startup folder.

Which WinRAR version fixes CVE-2025-8088?

WinRAR 7.13 fixed CVE-2025-8088 in July 2025. Users should install the latest available WinRAR version; any build older than 7.13 remains vulnerable.

What is GIFTEDCROOK?

GIFTEDCROOK is an information stealer used in campaigns against Ukrainian targets. The updated version steals browser passwords, session cookies, browser decryption data, and sensitive files, then sends the data to attacker-controlled servers.

How do attackers exploit the WinRAR vulnerability?

Attackers send malicious RAR archives through phishing emails. When opened with a vulnerable WinRAR version, the archive displays a decoy document while hidden payloads are written to places such as the Windows Startup folder, where they can run on the next login.

How can organizations protect against this WinRAR exploit?

Organizations should inventory all WinRAR installations, update to the latest version, monitor Startup folders for suspicious scripts or shortcuts, inspect unusual PowerShell activity, restrict archive attachments from unknown senders, and rotate credentials after confirmed compromise.
