Russia-aligned threat groups are continuing to exploit the WinRAR vulnerability tracked as CVE-2025-8088, despite a patch being available since July 2025. The campaigns have targeted Ukrainian military and government organizations using phishing emails containing malicious archive files. Once opened on vulnerable systems, the archives can place malware outside the intended extraction directory, including Windows Startup locations that execute payloads automatically after login. The activity highlights how outdated third-party utilities can remain a significant enterprise security risk long after fixes become available.
A Patched WinRAR Flaw Is Still Being Used in Active Espionage Campaigns
The continued exploitation of the WinRAR Vulnerability CVE-2025-8088 demonstrates a recurring challenge in enterprise security: software may be patched, yet remain vulnerable across large numbers of endpoints because updates are not consistently deployed.
In recently observed campaigns targeting Ukrainian organizations, two Russia-aligned threat clusters reportedly leveraged the flaw to deliver different malware families designed for intelligence collection and espionage operations. The attacks relied on phishing emails containing weaponized archive files.
The campaigns are notable not because they exploited a previously unknown vulnerability, but because they successfully leveraged a known and patched weakness in a widely used desktop utility. This reinforces the reality that attackers often prefer reliable, proven techniques when organizations fail to close known security gaps.
The WinRAR Vulnerability CVE-2025-8088 is a path traversal flaw affecting vulnerable versions of WinRAR for Windows. The flaw allows specially crafted archive files to write content outside the directory selected by the user during extraction. This behavior can enable attackers to place files into sensitive system locations, including Windows Startup folders.
When files are written into Startup locations, payloads may execute automatically the next time a user logs in, providing attackers with a mechanism for persistence and malware delivery. Multiple threat actors have reportedly adopted this technique since the vulnerability became publicly known and patched.
A typical attack chain observed in campaigns exploiting the vulnerability follows a straightforward pattern:
The user extracts the archive using a vulnerable WinRAR version.
The archive writes malicious files outside the intended extraction path.
Malware is placed in Startup directories or other targeted locations.
Payloads execute after login and begin follow-on activity.
Because the attack relies on user interaction and outdated software, organizations that lack visibility into third-party application versions may remain exposed even when operating systems are fully patched.
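The traversal described above, modeled as an added example that is not part of the original post: given the folder the user chose and the entry names an archive declares, it resolves where each entry would land, flagging entries that escape that folder and entries that reach a Windows Startup directory. It assumes the traversal shows up in the declared entry names (the post only describes the effect, writing outside the chosen directory) and uses Python's ntpath so the Windows path semantics hold on any host; the root and entry list are constructed.

```python
import ntpath
from dataclasses import dataclass

# Both Windows Startup folders (per-user under AppData\Roaming, all-users under
# ProgramData) end with this suffix; a file written there runs at the next login.
STARTUP_SUFFIX = "\\microsoft\\windows\\start menu\\programs\\startup\\"

@dataclass
class Finding:
    entry: str          # name exactly as the archive declares it
    target: str         # where a naive extractor would actually write it
    escapes_root: bool  # lands outside the folder the user selected
    hits_startup: bool  # lands in (or under) a Startup folder

def resolve_target(extract_root, entry_name):
    """Where the declared name lands if the extractor trusts it: ntpath.join lets a
    drive-qualified or rooted name replace the root, normpath collapses '..'."""
    return ntpath.normpath(ntpath.join(extract_root, entry_name))

def is_inside(extract_root, target):
    # Trailing separator stops "...\invoice_old" from matching root "...\invoice".
    root = ntpath.normcase(ntpath.normpath(extract_root)).rstrip("\\") + "\\"
    return ntpath.normcase(target).startswith(root)

def audit_entries(extract_root, entry_names):
    """Flag every entry that would escape the extraction folder or reach Startup."""
    findings = []
    for name in entry_names:
        target = resolve_target(extract_root, name)
        findings.append(Finding(name, target,
                                escapes_root=not is_inside(extract_root, target),
                                hits_startup=STARTUP_SUFFIX in ntpath.normcase(target)))
    return findings

# Constructed entry list mimicking a phishing archive; not from any real sample.
SAMPLE_ROOT = "C:\\Users\\alice\\Downloads\\invoice"
SAMPLE_ENTRIES = [
    "report.pdf",                                   # benign
    "images/cover.png",                             # benign, forward slashes
    "..\\invoice_old\\readme.txt",                  # escapes via sibling folder
    "../../../Public/notes.txt",                    # escapes, but not Startup
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.lnk",
]

if __name__ == "__main__":
    for f in audit_entries(SAMPLE_ROOT, SAMPLE_ENTRIES):
        print("BLOCK" if f.escapes_root or f.hits_startup else "ok   ", f.entry, "->", f.target)
```

The same check applies to any archive format whose entry names a gateway or EDR can enumerate before extraction; a patched extractor makes the check redundant, an unpatched one makes it the last line of defense.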
How Russia-Aligned Threat Groups Exploited CVE-2025-8088
The campaigns attributed to Shadow-Earth-066 (UAC-0226) and Earth Dahu (Gamaredon/UAC-0010) used the same underlying vulnerability but delivered different payloads and post-exploitation activity.
Shadow-Earth-066 Uses GiftedCrook Malware
Shadow-Earth-066 reportedly exploited CVE-2025-8088 to deploy an updated version of GiftedCrook, an information-stealing malware family.
Public reporting indicates that GiftedCrook is capable of collecting credentials, browser-stored passwords, session cookies, documents, and files matching attacker-defined extensions. The malware has also been observed deleting itself after completing its collection activities, which may complicate forensic analysis.
While the malware’s capabilities are documented, public reporting has not confirmed the extent of any data collection or exfiltration resulting from these specific campaigns.
Earth Dahu (Gamaredon) Deploys HTA-Based Malware
A separate campaign attributed to Earth Dahu, also known as Gamaredon, reportedly used malicious archives to initiate an espionage-focused infection chain.
The observed activity involved HTML Application (HTA) files, VBScript components, and infrastructure hosted through Cloudflare Workers to retrieve additional payloads. Similar Gamaredon campaigns observed during 2026 involved an HTA payload and a VBScript downloader chain.
Although the malware families differed, both campaigns shared a common dependency: vulnerable WinRAR installations and user interaction with malicious archive files.
Why the WinRAR Vulnerability CVE-2025-8088 Matters to Enterprises
The most significant lesson from this activity is not the vulnerability itself. It is the operational gap that allowed exploitation to continue long after a patch became available.
The ongoing exploitation of the WinRAR Vulnerability CVE-2025-8088 also highlights the risks posed by unmanaged third-party applications that fall outside standard update processes.
Many organizations maintain mature operating system patching programs but have less visibility into utilities installed directly by users or departmental teams. Archive managers, PDF tools, media utilities, and other desktop applications can easily fall outside standard update workflows.
WinRAR presents a particularly relevant example because it does not automatically update itself. Systems can therefore remain vulnerable for extended periods unless administrators actively verify version compliance and deploy updates.
For organizations handling sensitive information, including government agencies, defense contractors, financial institutions, legal teams, and critical infrastructure operators, these unmanaged applications can become attractive entry points for attackers.
The campaigns also reinforce several broader security realities:
Known vulnerabilities continue to be widely exploited in real-world campaigns.
Phishing remains an effective initial access technique.
User-installed software can create security blind spots.
Persistence mechanisms often rely on legitimate Windows functionality.
Endpoint visibility can help identify suspicious execution chains.
Reducing Risk from the WinRAR Vulnerability CVE-2025-8088 with Hexnode
Organizations seeking to reduce the risks associated with the WinRAR Vulnerability CVE-2025-8088 should focus on application visibility, patch governance, and endpoint monitoring.
Using Hexnode UEM for Application Visibility and Patch Compliance
Remove or restrict unauthorized applications where appropriate.
These capabilities can help security and IT teams review managed application inventory and enforce app update policies on supported Windows devices.
Using Hexnode XDR for Endpoint Investigation and Response
If suspicious activity occurs on an endpoint, Hexnode XDR can help security teams:
Investigate suspicious endpoint activity.
Hunt threats using endpoint data and investigation queries.
Isolate affected endpoints when necessary.
Terminate malicious processes during response efforts.
Support endpoint investigation and response workflows.
These capabilities can assist responders in understanding how activity unfolded on an endpoint and support containment actions during an investigation.
Strengthening Access Controls with Hexnode IdP
Organizations can further strengthen access controls through:
Multi-factor authentication (MFA).
Role-based access control (RBAC).
Device compliance validation integrated with managed endpoints.
Microsoft Entra ID integration.
Conditional access rules based on user identity, device compliance, and security context.
While identity controls do not prevent attackers from exploiting CVE-2025-8088, they can limit what an attacker can do with credentials harvested in follow-on activity.
Key Lessons from the WinRAR Vulnerability CVE-2025-8088 Campaigns
The renewed exploitation of the WinRAR Vulnerability CVE-2025-8088 serves as a reminder that endpoint risk often hides in overlooked software rather than unpatched operating systems.
The campaigns targeting Ukrainian organizations demonstrate how threat actors continue to capitalize on known vulnerabilities when patch adoption lags behind disclosure and remediation timelines. A single outdated utility can provide attackers with a reliable path to malware delivery, persistence, and potential intelligence collection.
Reducing this risk requires more than patch availability. Organizations need continuous software inventory, application governance, phishing resilience, endpoint monitoring, and verification that they have actually applied updates across the environment.
As attackers continue to weaponize known flaws, maintaining visibility into every application running on enterprise endpoints remains a critical part of modern security operations.