Russian Hackers Exploit WinRAR Flaw Against Ukraine


Gamaredon and UAC-0226 are exploiting a patched WinRAR vulnerability to deploy credential-stealing malware against Ukrainian targets.

Two Russia-linked cyber espionage groups have continued exploiting a known WinRAR vulnerability to target Ukrainian organizations, nearly a year after a security update was released to address the flaw.

Researchers at Trend Micro attributed the campaigns to Earth Dahu, also known as Gamaredon, and SHADOW-EARTH-066, which is tracked by Ukrainian authorities as UAC-0226. Both groups have been observed abusing CVE-2025-8088, a path traversal vulnerability in WinRAR: a crafted archive entry carries an NTFS Alternate Data Stream (ADS) whose name contains directory-traversal sequences, and WinRAR wrote it to that path instead of keeping it under the chosen extraction directory. The flaw was patched in WinRAR 7.13, released in late July 2025, but WinRAR has no automatic update mechanism, and attackers continue to find success against systems that have not been updated.

According to Trend Micro, SHADOW-EARTH-066 has shifted away from using malicious Excel documents and is now relying on specially crafted RAR archives to infect victims. The archives contain a decoy PDF document alongside hidden payloads designed to establish persistence on compromised systems.

The traversal is used to write a malicious Windows shortcut (.lnk) file into the user's Startup folder, so it runs at every logon with no further user interaction beyond extracting the archive. The shortcut executes a PowerShell-based loader that ultimately deploys an updated version of GIFTEDCROOK, an information-stealing malware family previously associated with the group.
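The two paragraphs above describe the mechanism (an ADS name that climbs out of the extraction directory) and its use (dropping a .lnk into the Startup folder). The script below is an added triage example, not code from Trend Micro, CERT-UA or the WinRAR project. It does not parse the RAR container; it relies on RAR storing entry names and stream names uncompressed in the archive headers, so an ADS name made of "..\" segments is visible to a plain byte scan. It also includes the containment check a safe extractor would apply before writing, written with Windows path semantics via ntpath so it runs on any host; that check is illustrative and is not WinRAR's actual fix. The two sample archives are constructed stand-ins (magic bytes plus name fields), not real RAR files, and the username "victim" is a placeholder.

```python
"""
Triage heuristic for RAR archives abusing CVE-2025-8088-style ADS path traversal.
Added example; not Trend Micro's, CERT-UA's or WinRAR's code. Samples are constructed.
"""
import ntpath
import re
from dataclasses import dataclass, field

# RAR5 and RAR4 signatures (real values; used only to label the input as a RAR archive).
RAR_MAGICS = (b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00")

# An ADS name follows a colon; two or more "..\" or "../" segments mean traversal.
ADS_TRAVERSAL = re.compile(rb":[^\x00:]{0,64}?(?:\.\.[\\/]){2,}[^\x00]{1,300}")

# Destinations that give code execution at next logon or a foothold in the user profile.
SENSITIVE_DEST = {
    "startup_folder": re.compile(rb"Start Menu\\Programs\\Startup", re.I),
    "appdata_roaming": re.compile(rb"AppData\\Roaming", re.I),
    "local_temp": re.compile(rb"AppData\\Local\\Temp", re.I),
}

# File types that execute when dropped into the Startup folder.
EXEC_EXT = re.compile(rb"\.(lnk|exe|dll|hta|vbs|js|ps1|cmd|bat|scr)$", re.I)


@dataclass
class ScanResult:
    is_rar: bool
    traversal_paths: list = field(default_factory=list)
    destinations: set = field(default_factory=set)
    executable_drop: bool = False

    @property
    def verdict(self) -> str:
        if not self.traversal_paths:
            return "clean"
        if "startup_folder" in self.destinations and self.executable_drop:
            return "malicious"
        return "suspicious"


def scan_archive(data: bytes) -> ScanResult:
    """Scan raw archive bytes for ADS names that climb out of the extraction directory."""
    res = ScanResult(is_rar=data.startswith(RAR_MAGICS))
    for m in ADS_TRAVERSAL.finditer(data):
        path = m.group(0)
        res.traversal_paths.append(path.decode("utf-8", "replace"))
        for label, rx in SENSITIVE_DEST.items():
            if rx.search(path):
                res.destinations.add(label)
        if EXEC_EXT.search(path):
            res.executable_drop = True
    return res


def safe_destination(extract_root: str, entry_name: str, stream_name: str = "") -> str:
    """Illustrative containment check (not WinRAR's fix): a stream name may not carry
    path separators or "..", and the normalised entry path must stay under extract_root.
    extract_root is assumed to be an absolute Windows path."""
    if stream_name and (set("\\/") & set(stream_name) or ".." in stream_name):
        raise ValueError(f"stream name with path components: {stream_name!r}")
    root = ntpath.normpath(extract_root)
    final = ntpath.normpath(ntpath.join(root, entry_name))
    if ntpath.commonpath([root, final]) != root:
        raise ValueError(f"entry escapes extraction root: {entry_name!r}")
    return final + stream_name


def escapes(extract_root: str, entry_name: str, stream_name: str = "") -> bool:
    """True if safe_destination would refuse to write this entry."""
    try:
        safe_destination(extract_root, entry_name, stream_name)
    except ValueError:
        return True
    return False


# Constructed stand-in for a weaponised archive: decoy PDF entry, then an ADS whose name
# climbs to the (placeholder) user's Startup folder and drops a shortcut.
MALICIOUS_SAMPLE = (
    RAR_MAGICS[0] + b"\x00" * 8 + b"decoy.pdf\x00"
    + b":..\\..\\..\\..\\..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
    + b"\\Start Menu\\Programs\\Startup\\update.lnk\x00"
)
# Constructed benign archive: an ordinary Zone.Identifier stream, no traversal.
BENIGN_SAMPLE = RAR_MAGICS[0] + b"\x00" * 8 + b"report.pdf\x00:Zone.Identifier\x00"

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_archive(blob)
        print(f"{name}: rar={r.is_rar} verdict={r.verdict} dest={sorted(r.destinations)}")
```

Run it over a directory of mail attachments and treat any "suspicious" or "malicious" result as grounds for detonating the archive in a sandbox rather than opening it; a benign archive never needs an ADS whose name contains "..\". Headers of encrypted-header archives are not plaintext, so the byte scan does not apply to them.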

Researchers said GIFTEDCROOK is capable of harvesting browser credentials, cookies, and documents from infected devices. Targeted browsers include Google Chrome, Microsoft Edge, Opera, and Mozilla Firefox. After stealing data, the malware transmits the information to attacker-controlled servers and removes traces of the infection to hinder forensic investigations.

Trend Micro also noted that the threat actor has abandoned Telegram as a data exfiltration channel in favor of dedicated command-and-control infrastructure. The change follows Russia’s decision to block Telegram earlier this year.

A separate campaign linked to Earth Dahu has also incorporated CVE-2025-8088 into its operations since at least September 2025. The group is known for conducting long-term cyber espionage campaigns against Ukrainian entities and maintaining persistent access to compromised networks.

In these attacks, the vulnerability is used to deploy GammaPhish, a malicious HTML Application (HTA) file that retrieves a VBScript downloader known as GammaLoad. The downloader then delivers additional espionage tools, including GammaSteel, an information-stealing malware capable of monitoring file activity and collecting sensitive data from infected systems.

Researchers found evidence suggesting the campaign remained active through at least April 10, 2026, indicating that the vulnerability continues to provide an effective entry point into targeted environments.

Trend Micro said WinRAR remains widely used throughout Ukrainian organizations, making it an attractive target for threat actors. The researchers added that the fact multiple Russia-aligned groups are exploiting the same vulnerability highlights the persistent cyber threats facing Ukraine and the risks posed by unpatched software.
