Executive Summary
In June 2026, cybersecurity researchers identified that Russian-aligned groups, Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), continued exploiting a critical vulnerability in WinRAR (CVE-2025-8088) to target Ukrainian organizations. This path traversal flaw allows attackers to execute arbitrary code by crafting malicious archive files. Despite a patch being released in July 2025, the absence of automatic updates in WinRAR has left many systems vulnerable. The attackers utilized this exploit to deploy information-stealing malware, such as GIFTEDCROOK, which harvests sensitive data from infected systems.
The persistent exploitation of CVE-2025-8088 underscores the critical importance of timely software updates and the risks associated with unpatched vulnerabilities. Organizations are urged to manually update WinRAR to version 7.13 or later to mitigate this threat. (windowscentral.com)
Why This Matters Now
The continued exploitation of CVE-2025-8088 by state-sponsored actors highlights the ongoing cyber threats facing Ukrainian organizations. The lack of automatic updates in widely used software like WinRAR emphasizes the need for proactive vulnerability management to prevent data breaches and maintain operational security.
Attack Path Analysis
Attackers exploited the WinRAR vulnerability (CVE-2025-8088) to deliver malicious archives, leading to unauthorized code execution. They escalated privileges by placing malicious files in the Windows Startup folder, ensuring execution upon system reboot. The attackers moved laterally within the network by deploying additional payloads to other systems. They established command and control channels to maintain persistent access and control over compromised systems. Sensitive data was exfiltrated from the network to external servers controlled by the attackers. The attack resulted in significant operational disruption and potential data loss.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the WinRAR vulnerability (CVE-2025-8088) by delivering malicious RAR archives to users, leading to unauthorized code execution upon extraction.
Related CVEs
CVE-2025-8088
CVSS 8.8A path traversal vulnerability in WinRAR allows attackers to execute arbitrary code via crafted archive files.
Affected Products:
RARLAB WinRAR – < 6.23
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Spearphishing Attachment
Match Legitimate Name or Location
Registry Run Keys / Startup Folder
PowerShell
Ingress Tool Transfer
Web Protocols
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Authentication and Authorization
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Ukrainian government organizations face targeted WinRAR exploitation by Russia-aligned groups deploying information stealers, compromising sensitive state data and communications through unpatched systems.
Defense/Space
Defense contractors and military systems vulnerable to Earth Dahu and SHADOW-EARTH-066 campaigns exploiting CVE-2025-8088, enabling credential theft and intelligence exfiltration operations.
Financial Services
Banking institutions at risk from information stealer malware delivered via WinRAR path traversal attacks, potentially compromising customer data and violating PCI compliance requirements.
Information Technology/IT
IT organizations managing Ukrainian infrastructure targeted through WinRAR vulnerabilities, requiring immediate egress security controls and zero trust segmentation to prevent lateral movement.
Sources
- WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukrainehttps://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.htmlVerified
- Earth Dahu and SHADOW-EARTH-066 Exploit WinRAR Vulnerability in Ukrainehttps://www.trendmicro.com/en_us/research/2026/06/earth-dahu-and-shadow-earth-066-exploit-winrar-vulnerability-in-ukraine.htmlVerified
- CVE-2025-8088 - NVD Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-8088Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and controlled access policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, Aviatrix CNSF would likely limit the attacker's ability to exploit the vulnerability by enforcing strict access controls and monitoring.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely constrain the attacker's ability to escalate privileges by enforcing strict access controls and monitoring.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally by enforcing strict segmentation and monitoring.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely constrain the attacker's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by enforcing strict outbound traffic policies.
While complete prevention may not be guaranteed, Aviatrix's enforcement of zero trust principles would likely reduce the overall impact by limiting the attacker's reach and ability to cause widespread disruption.
Impact at a Glance
Affected Business Functions
- Document Management
- Email Communications
- File Archiving
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive organizational documents and communications.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities like CVE-2025-8088.
- • Deploy Zero Trust Segmentation to limit lateral movement within the network.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Ensure all software, including WinRAR, is regularly updated to mitigate known vulnerabilities.



