A Patched Flaw That Refuses to Die
Nearly a year after a fix shipped, the WinRAR vulnerability Russia-aligned attackers have been exploiting still works against enough Ukrainian organizations to remain useful. According to a new Trend Micro report, CVE-2025-8088, a path traversal flaw patched in WinRAR 7.13 back in July 2025, is still being actively exploited by multiple threat actor groups against Ukrainian organizations as of April 2026.
How the Exploit Actually Works
The vulnerability abuses NTFS Alternate Data Streams. A victim receives a RAR archive, often by email, containing a visible decoy document, perhaps a fake court summons, alongside hidden ADS entries packed with directory traversal sequences. When opened in a vulnerable WinRAR version, the archive silently writes files outside the extraction folder, commonly into the Windows Startup directory. No warning appears. The victim sees only the decoy.
Two distinct threat clusters are covered in the report. The first is tracked as SHADOW-EARTH-066 (CERT-UA's UAC-0226); the second is Earth Dahu, better known as Gamaredon, a group active against Ukraine since at least 2013.

From Excel Macros to Memory-Resident Malware
SHADOW-EARTH-066’s transformation is striking. The group previously relied on macro-laden Excel files and a basic stealer called GIFTEDCROOK that dumped stolen browser data to Telegram using hardcoded bot tokens. Now, per the report, the threat actor shifted from basic Excel macros with plaintext Telegram exfiltration to WinRAR exploit chains, in-memory DLL loading via direct NT system calls, and encrypted command-and-control infrastructure in under a year.
The updated payload, internally named result.dll, loads entirely in memory using direct NT system calls like NtAllocateVirtualMemory and NtCreateThreadEx, avoiding common API hooks. It targets Chrome, Edge, Opera, and Firefox credentials, can bypass Chrome’s App-Bound Encryption, and scans for files across 35 different extensions covering documents, spreadsheets, archives, and even KeePass databases. After exfiltrating data via RC4-encrypted HTTPS to dedicated command servers, it deletes every trace of itself from the infected machine.
Earth Dahu Takes a Different Road
While SHADOW-EARTH-066 builds compiled malware, Earth Dahu sticks to scripts. Their version of the CVE-2025-8088 exploit drops a single HTA file into the Startup folder. On the next reboot, mshta.exe runs it automatically, loading VBScript through Cloudflare Workers and Dynamic DNS infrastructure that eventually delivers espionage modules.
A particularly sneaky trick involves spoofed URLs. By using HTTP basic-auth formatting, attackers can make a malicious link display a trusted domain like ssu.gov.ua in front of the actual destination, tricking victims into believing they’re visiting a legitimate Ukrainian government site. Spear-phishing emails for this campaign frequently came from compromised government and judicial email accounts, often impersonating court summons or property seizure notices.
Why the Patch Isn’t Enough
The core issue isn't the vulnerability itself; it's patch adoption. As the researchers note, WinRAR does not auto-update, does not support Group Policy, and falls outside enterprise patch channels like WSUS, SCCM, or Intune. That makes it nearly invisible to standard vulnerability management programs, even at organizations with otherwise mature security practices.
This isn’t a new phenomenon either. The report points out that an older WinRAR flaw from 2018 remained exploitable in targeted attacks for years afterward, and CVE-2025-8088 appears to be following an identical trajectory. For the complete technical breakdown, including IOCs and detection guidance, Trend Micro has published its full analysis of the ongoing campaigns.
What Organizations Should Do
Given the scale of the WinRAR vulnerability Russia-aligned threat actors continue to exploit, organizations, especially those with any connection to Ukrainian government, military, or legal entities, should audit endpoints for outdated WinRAR installations using third-party software inventory tools, since native patch management won’t catch it. Security teams should also watch for unusual LNK files in Startup folders, unexpected mshta.exe activity, and PowerShell processes reading from C:\ProgramData. Given how long unpatched archive utilities tend to remain exploitable, treating this as a one-time fix would be a mistake.
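A host-level check for the two items above, added here as an illustration rather than code from the article or the Trend Micro report. It assumes the default WinRAR install paths and the 7.13 fix version the article names, and it only reports; nothing is changed on the host.

```powershell
# Added example (not from the article or the Trend Micro report): report an
# unpatched WinRAR build (older than 7.13, the fix for CVE-2025-8088) and any
# script or shortcut files sitting in the Startup folders, which is where the
# campaigns described above drop their HTA payloads.
# Assumptions: default WinRAR install paths; 7.13 is the fixed version.

function Get-WinRarInstall {
    # WinRAR is outside WSUS/SCCM/Intune, so read the version from the binary.
    $paths = @("$env:ProgramFiles\WinRAR\WinRAR.exe",
               "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")
    foreach ($exe in $paths) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        # ProductVersion may carry trailing text; keep only the numeric part.
        if ($raw -match '^\s*(\d+(\.\d+)+)') {
            $ver = [version]$Matches[1]
            [pscustomobject]@{
                Path       = $exe
                Version    = $ver
                Vulnerable = $ver -lt [version]'7.13'   # fixed in 7.13
            }
        }
    }
}

function Get-SuspiciousStartupItem {
    # Per-user and all-users Startup folders; .hta and .lnk are the article's
    # indicators, the rest are other auto-run script types worth reviewing.
    $riskyExt = '.hta', '.lnk', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1'
    $dirs = [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
            if ($riskyExt -contains $_.Extension.ToLower()) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    # Alternate Data Streams beyond the normal :$DATA stream.
                    Streams = (Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                               Where-Object Stream -ne ':$DATA').Stream -join ','
                }
            }
        }
    }
}

Get-WinRarInstall | Format-Table -AutoSize
Get-SuspiciousStartupItem | Format-Table -AutoSize
```

Run it under the interactive user whose mailbox receives external attachments, since the per-user Startup folder is the one a WinRAR extraction writes into.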