Russian Hackers Exploit WinRAR Flaw to Steal Data from Ukrainian Organizations
Russian cyber threat groups are actively exploiting a patched WinRAR vulnerability (CVE-2025-8088) to infiltrate Ukrainian organizations, stealing passwords, session cookies, and sensitive files. Despite the flaw being fixed in July 2025, multiple Russia-aligned hacking collectives including SHADOW-EARTH-066 (UAC-0226) and Earth Dahu (Gamaredon) continue to weaponize it as recently as April 2026.
The attacks begin with spear-phishing emails containing malicious RAR archives. When opened with an outdated WinRAR version, the exploit silently drops hidden payloads into the Windows Startup folder while displaying a decoy PDF. Upon the next login, the malware executes automatically, deploying an evolved version of the GIFTEDCROOK information stealer.
SHADOW-EARTH-066 has targeted Ukrainian military innovation centers, law enforcement, and local governments near the eastern border. Earth Dahu, active since at least 2013, delivers espionage tools via HTML Application (HTA) files hosted on Cloudflare Workers. Both groups exploit the same unpatched entry point, though their toolsets differ.
The malware, internally named result.dll, extracts data from Chrome, Edge, Opera, and Firefox including passwords, session cookies, and master decryption keys while scanning for files with 35 extensions (e.g., spreadsheets, email files, KeePass databases). Stolen data is encrypted with dual-layer RC4 and exfiltrated over HTTPS to command-and-control (C&C) servers in France, the Netherlands, and Switzerland. After exfiltration, the malware removes staging files and Startup entries, minimizing forensic traces.
GIFTEDCROOK’s evolution highlights increased sophistication: earlier versions used Telegram bots with plaintext tokens, while the current variant employs encrypted HTTPS communication and a Chrome App-Bound Encryption bypass. PowerShell loaders are heavily obfuscated to evade detection, and the final payload never writes decoded files to disk.
Other Russia-linked groups, including Sandworm, Turla, and Void Rabisu, have also exploited this vulnerability. The persistent abuse underscores a critical gap: WinRAR lacks automatic updates or enterprise patch management, leaving organizations vulnerable if manual updates are overlooked.
Indicators of compromise (IoCs) include LNK or HTA files in the Startup folder, short alphanumeric files (e.g., KKN, ND8) in C:\ProgramData, and connections to C&C servers such as 166[.]0[.]132[.]237 (port 7044) and 194[.]58[.]66[.]82. The malicious RAR archive sample analyzed has a SHA-256 hash of 3d371ef71e40c34a75c168d464d47db096f386499d99aa88d4e16b63cd4acda25.
Source: https://cybersecuritynews.com/winrar-vulnerability-exploited-by-russian-hackers/
BRAVE1 cybersecurity rating report: https://www.rankiteo.com/company/brave1ukraine
Association of Ukrainian Defense Manufacturers cybersecurity rating report: https://www.rankiteo.com/company/association-of-ukrainian-defense-manufacturers
Ministry of Internal Affairs of Ukraine cybersecurity rating report: https://www.rankiteo.com/company/ministry-of-internal-affairs-of-ukraine
"id": "BRAASSMIN1781511853",
"linkid": "brave1ukraine, association-of-ukrainian-defense-manufacturers, ministry-of-internal-affairs-of-ukraine",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Defense',
'location': 'Ukraine',
'name': 'Ukrainian military innovation centers',
'type': 'Government/Military'},
{'industry': 'Public Sector',
'location': 'Ukraine',
'name': 'Ukrainian law enforcement',
'type': 'Government'},
{'industry': 'Public Sector',
'location': 'Ukraine',
'name': 'Local governments near the eastern border',
'type': 'Government'}],
'attack_vector': ['Spear-phishing emails', 'Malicious RAR archives'],
'data_breach': {'data_encryption': 'Dual-layer RC4',
'data_exfiltration': True,
'file_types_exposed': ['.xls', '.xlsx', '.eml', '.kdbx'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Passwords',
'Session cookies',
'Master decryption keys',
'Files (spreadsheets, email '
'files, KeePass databases)']},
'date_detected': '2026-04',
'description': 'Russian cyber threat groups are actively exploiting a patched '
'WinRAR vulnerability (CVE-2025-8088) to infiltrate Ukrainian '
'organizations, stealing passwords, session cookies, and '
'sensitive files. The attacks involve spear-phishing emails '
'with malicious RAR archives that drop hidden payloads into '
'the Windows Startup folder, deploying an evolved version of '
'the GIFTEDCROOK information stealer.',
'impact': {'data_compromised': 'Passwords, session cookies, master decryption '
'keys, files with 35 extensions (e.g., '
'spreadsheets, email files, KeePass databases)',
'identity_theft_risk': 'High',
'systems_affected': 'Windows systems with outdated WinRAR '
'versions'},
'initial_access_broker': {'entry_point': 'Spear-phishing emails with '
'malicious RAR archives',
'high_value_targets': ['Ukrainian military '
'innovation centers',
'Law enforcement',
'Local governments']},
'investigation_status': 'Ongoing',
'lessons_learned': 'WinRAR lacks automatic updates or enterprise patch '
'management, leaving organizations vulnerable if manual '
'updates are overlooked. The evolution of GIFTEDCROOK '
'highlights increased sophistication in malware '
'communication and evasion techniques.',
'motivation': 'Cyber espionage, Data exfiltration',
'post_incident_analysis': {'corrective_actions': ['Patch WinRAR to the latest '
'version',
'Implement endpoint '
'detection and response '
'(EDR) solutions',
'Enhance email security to '
'block malicious '
'attachments',
'Conduct regular security '
'awareness training'],
'root_causes': 'Exploitation of unpatched WinRAR '
'vulnerability (CVE-2025-8088), '
'lack of automatic updates for '
'WinRAR, and sophisticated malware '
'evasion techniques'},
'recommendations': ['Ensure WinRAR is updated to the latest version',
'Monitor for indicators of compromise (IoCs) such as '
'LNK/HTA files in Startup folder and connections to known '
'C&C servers',
'Implement enhanced monitoring for obfuscated PowerShell '
'scripts and unusual HTTPS traffic',
'Educate employees on spear-phishing risks and safe '
'handling of email attachments'],
'references': [{'source': 'Cyber Incident Report'}],
'threat_actor': ['SHADOW-EARTH-066 (UAC-0226)',
'Earth Dahu (Gamaredon)',
'Sandworm',
'Turla',
'Void Rabisu'],
'title': 'Russian Hackers Exploit WinRAR Flaw to Steal Data from Ukrainian '
'Organizations',
'type': 'Cyber Espionage, Data Theft',
'vulnerability_exploited': 'CVE-2025-8088 (WinRAR vulnerability)'}