WinRAR Vulnerability Exploited by Russians Deploying GIFT

Marcus Rodriguez, June 15, 2026 (4 min read)

Russian threat actors are actively leveraging a known WinRAR vulnerability to quietly steal passwords, session cookies, and sensitive files from Ukrainian organizations.

The vulnerability, tracked as CVE-2025-8088, was patched in July 2025, yet multiple Russia-aligned groups are still weaponizing it nearly a year later. It underlines that unpatched software remains one of the most reliable entry points for a determined attacker.

Two separate intrusion sets are working independently but targeting the same flaw. The first, designated SHADOW-EARTH-066 and tracked by CERT-UA as UAC-0226, has been deploying an updated version of its GIFTEDCROOK information stealer.

The second is Earth Dahu, also known as Gamaredon, one of the most active Russia-aligned groups targeting Ukraine since at least 2013. Both continued producing new exploit samples through at least April 2026.

Analysts at Trend Micro said in a report shared with Cyber Security News (CSN) that both campaigns exploit CVE-2025-8088 through malicious RAR archives delivered via spear-phishing emails.

When a target opens the archive with an older WinRAR version, a decoy PDF appears on screen while hidden files are silently dropped into the Windows Startup folder. No warning appears, and on the next login, the payload chain executes automatically.

SHADOW-EARTH-066 has targeted Ukrainian military innovation centers, law enforcement agencies, and local government bodies near Ukraine’s eastern border.

Earth Dahu used the same flaw to deliver espionage tools through HTML Application files loaded via Cloudflare Workers. Despite using different toolsets, both groups relied on the same unpatched entry point.

Other Russia-linked actors, including Sandworm, Turla, and Void Rabisu, have also exploited this same vulnerability.

The continued abuse of a patched flaw highlights a critical gap: WinRAR ships without an automatic updater and is not delivered through Windows Update or the usual enterprise patch channels, so vulnerable versions can sit on endpoints for months without anyone noticing.

WinRAR Vulnerability Exploited by Russian Hackers

CVE-2025-8088 is a path traversal flaw rated CVSS 8.4. A crafted archive carries NTFS alternate data streams whose names are really relative paths, and a vulnerable WinRAR writes them wherever those paths resolve, silently placing files outside the extraction directory the user chose.

The archives contain a visible decoy PDF alongside three hidden payloads: an LNK shortcut dropped into the Startup folder, a PowerShell loader dropped into C:\ProgramData, and an encoded DLL dropped into the same location.

On the next login, the LNK triggers a nested PowerShell session that decodes and loads the final payload entirely in memory using direct NT system calls, bypassing common API hooks.

The payload is a DLL internally named result.dll, the evolved form of GIFTEDCROOK. It targets Chrome, Edge, Opera, and Firefox, stealing passwords, session cookies, and master decryption keys, while scanning for files across 35 extensions including spreadsheets, email files, and KeePass databases.
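The archive-side half of the chain above (a decoy plus hidden streams whose names climb out of the extraction directory) can be triaged from the entry names alone, before anything is extracted. The following is an added example, not Trend Micro's or CERT-UA's tooling. It assumes a listing tool prints an alternate data stream as `file:stream`, and the sample listing is constructed to match the article's description rather than copied from a real archive.

```python
import posixpath
from typing import Dict, Iterable, List, Optional, Tuple

# Extensions that, dropped into Startup or C:\ProgramData, would start the chain the
# article describes (LNK, PowerShell loader, DLL); the remaining entries are my additions.
DROP_EXTENSIONS = {".lnk", ".hta", ".ps1", ".dll", ".exe", ".cmd", ".bat", ".vbs", ".js"}


def split_ads(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream); (entry, None) when there is no stream.
    A colon at index 1 after a letter is a drive designator ('C:\\'), not a stream."""
    start = 2 if len(entry) > 1 and entry[1] == ":" and entry[0].isalpha() else 0
    colon = entry.find(":", start)
    if colon == -1:
        return entry, None
    return entry[:colon], entry[colon + 1:]


def escapes_extraction_dir(path: str) -> bool:
    """True if the path is absolute or its '..' components climb above the root.
    Both slash styles are accepted because WinRAR-created archives use '\\'."""
    p = path.replace("\\", "/")
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return True
    depth = 0
    for part in p.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def triage_entry(entry: str) -> List[str]:
    """Findings for one entry name; an empty list means nothing suspicious."""
    base, stream = split_ads(entry)
    findings = []
    if escapes_extraction_dir(base):
        findings.append("base path traversal")
    if stream is not None:
        if escapes_extraction_dir(stream):
            findings.append("ADS name escapes extraction dir")
        ext = posixpath.splitext(stream.replace("\\", "/"))[1].lower()
        if ext in DROP_EXTENSIONS:
            findings.append(f"ADS drops {ext}")
    return findings


def triage_listing(entries: Iterable[str]) -> Dict[str, List[str]]:
    """Map each flagged entry to its findings; clean entries are omitted."""
    result = {}
    for e in entries:
        f = triage_entry(e)
        if f:
            result[e] = f
    return result


# Constructed listing modelled on the article: a visible decoy PDF plus hidden streams
# aimed at the Startup folder and C:\ProgramData. The relative paths are invented.
SAMPLE_LISTING = [
    "Report.pdf",
    "Report.pdf:Zone.Identifier",  # a legitimate ADS that must not be flagged
    "Report.pdf:..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KKN.lnk",
    "Report.pdf:..\\..\\..\\ProgramData\\KKN",
    "Report.pdf:..\\..\\..\\ProgramData\\ND8",
]

if __name__ == "__main__":
    for name, findings in triage_listing(SAMPLE_LISTING).items():
        print(name, "->", "; ".join(findings))
```

The check deliberately keys on the stream name rather than on the decoy: a mail gateway or sandbox that only inspects the visible `Report.pdf` sees a clean document, which is exactly why the decoy works.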

[Figure] SHADOW-EARTH-066 attack chain from CVE-2025-8088 exploitation to HTTPS exfiltration (Source: Trend Micro)

Stolen data is encrypted using dual-layer RC4 and sent over HTTPS to dedicated command-and-control servers. After exfiltration, the malware deletes all staging files and removes its Startup entry, leaving almost no trace on the compromised system.
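"Dual-layer RC4" sounds stronger than it is. The following added example (not GIFTEDCROOK code; the keys and records are made up, and the article does not say how the real sample derives its keys) shows that two RC4 passes collapse into a single keystream, and that if the same keys are reused across uploads, an analyst holding one captured `/rcv/` body with a known plaintext prefix can decrypt the prefix of every other capture without the keys.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))


def dual_rc4(key1: bytes, key2: bytes, data: bytes) -> bytes:
    """'Dual-layer' RC4: encrypt with key1, then again with key2.
    Decryption is the same call, because each layer is just an XOR."""
    return rc4(key2, rc4(key1, data))


def effective_keystream(key1: bytes, key2: bytes, length: int) -> bytes:
    """The two layers collapse into one keystream: ks1 XOR ks2."""
    return xor(rc4_keystream(key1, length), rc4_keystream(key2, length))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: the keystream prefix is ciphertext XOR plaintext."""
    return xor(ciphertext, known_plaintext)


# Constructed keys and records; the real sample's keys are not in the article, and the
# assumption that the same keys are reused across uploads is mine.
KEY1, KEY2 = b"assumed-layer-1-key", b"assumed-layer-2-key"
RECORD_A = b'{"host":"WS-01","user":"alice","cookies":["sid=1111"]}'
RECORD_B = b'{"host":"WS-02","user":"bob","cookies":["sid=2222"]}'


def demo() -> bytes:
    """Encrypt two records under the same keys, then decrypt B's prefix using only
    A's ciphertext and A's known plaintext; no key knowledge is needed."""
    ct_a = dual_rc4(KEY1, KEY2, RECORD_A)
    ct_b = dual_rc4(KEY1, KEY2, RECORD_B)
    ks = recover_keystream(ct_a, RECORD_A)   # len(RECORD_A) bytes of keystream
    return xor(ct_b, ks)                     # equals RECORD_B up to that length


if __name__ == "__main__":
    print(demo())
```

The practical point for incident responders: if a second stage or a memory dump yields the two keys, decryption is the same function as encryption; and even without them, a stream cipher with reused keys leaks everything that shares a position with any plaintext you already know.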

GIFTEDCROOK Evolves Into a Harder-to-Detect Threat

The original GIFTEDCROOK, documented in April 2025, was a standalone executable that sent stolen credentials through a hardcoded Telegram bot with plaintext tokens.

By February 2026, SHADOW-EARTH-066 had shifted to the WinRAR exploit chain and replaced Telegram with encrypted HTTPS communication pointing to C&C servers across France, the Netherlands, and Switzerland.

The update also added a Chrome App-Bound Encryption bypass, showing the developer is actively tracking browser security changes.

The PowerShell loaders are heavily obfuscated with random function names, junk comment lines, and sleep delays to evade sandbox analysis. The encoded DLL is never written to disk in decoded form, making file-based detection of the final payload very difficult.

Security teams should immediately verify WinRAR versions across all endpoints and deploy version 7.13 or later.

Organizations should hunt for LNK or HTA files with randomized names in the Startup folder, check C:\ProgramData for short alphanumeric files such as KKN or ND8, and block the known C&C IP addresses at the network perimeter.

For any confirmed compromise, saved browser credentials and active sessions should be rotated, and multi-factor authentication should be enabled on all critical accounts.

Indicators of Compromise (IoCs):

SHADOW-EARTH-066 C&C servers (IP address, port):
  • 166[.]0[.]132[.]237 (port 7044)
  • 136[.]0[.]141[.]41 (port 9580)
  • 136[.]0[.]141[.]138 (port 8406)
  • 38[.]225[.]209[.]229 (port 9623)
  • 136[.]0[.]141[.]112 (port 9200)
  • 38[.]225[.]209[.]122 (port 8009)
  • 23[.]26[.]237[.]80 (port 8941)

Earth Dahu infrastructure:
  • 194[.]58[.]66[.]82: attacker-controlled domain host (BaxetGroup Inc., AS26383)
  • 5[.]9[.]241[.]27: relay server (Hetzner, Germany)
  • astrocafe[.]com: attacker-controlled sending domain (registered via reg.ru, Dec 18 2025)

File hash (SHA-256):
  • 3d37 1ef7 1e40 c34a 75c1 68d4 64d4 7db0 96f3 864 99d9 9aa8 8d4e 16b6 3cd4 acda 25: RAR archive sample analyzed in the SHADOW-EARTH-066 campaign

File names:
  • result.dll: final GIFTEDCROOK payload DLL (exports a single function, Func)
  • KKN: PowerShell loader script dropped to C:\ProgramData
  • ND8: SUB-encoded DLL payload dropped to C:\ProgramData
  • U0U, YDV, NdV, QB5k, uaP, WnX, wq_, Arj, O5f: additional staging file names observed in C:\ProgramData

Network:
  • User-Agent libcurl/8.14.0-DEV: HTTP/HTTPS traffic from result.dll during C&C communication
  • URI path /rcv/: C&C exfiltration endpoint shared across all SHADOW-EARTH-066 servers

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
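The hunting guidance above (WinRAR version check, Startup and C:\ProgramData file names, C&C traffic) and the IoC table can be turned into a single triage script. The following is an added example, not Trend Micro's or the site's tooling: the indicators are copied from the table and kept defanged in source, the proxy-log line format is invented for the demo, the "randomized name" heuristics are mine, and every log line is constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the IoC table, left defanged; refang() is applied only at match time.
C2_SERVERS: Dict[str, int] = {
    "166[.]0[.]132[.]237": 7044,
    "136[.]0[.]141[.]41": 9580,
    "136[.]0[.]141[.]138": 8406,
    "38[.]225[.]209[.]229": 9623,
    "136[.]0[.]141[.]112": 9200,
    "38[.]225[.]209[.]122": 8009,
    "23[.]26[.]237[.]80": 8941,
}
C2_USER_AGENT = "libcurl/8.14.0-DEV"
C2_PATH = "/rcv/"
STAGING_NAMES = {"KKN", "ND8", "U0U", "YDV", "NdV", "QB5k", "uaP", "WnX", "wq_", "Arj", "O5f"}
MIN_SAFE_WINRAR = (7, 13)  # first release carrying the CVE-2025-8088 fix


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def winrar_is_vulnerable(version: str) -> bool:
    """True if a WinRAR version string such as '7.12' or '6.24' predates 7.13."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised WinRAR version: {version!r}")
    return (int(m.group(1)), int(m.group(2))) < MIN_SAFE_WINRAR


# Heuristics (mine, not from the report): a Startup LNK/HTA whose stem is a 3-5 character
# token, and an extensionless 3-4 character name in C:\ProgramData like the staging files.
_RANDOM_STARTUP = re.compile(r"^[A-Za-z0-9_]{3,5}\.(lnk|hta)$", re.IGNORECASE)
_SHORT_STAGING = re.compile(r"^[A-Za-z0-9_]{3,4}$")


def suspicious_startup_entries(names: Iterable[str]) -> List[str]:
    return sorted(n for n in names if _RANDOM_STARTUP.match(n))


def suspicious_programdata_entries(names: Iterable[str]) -> List[Tuple[str, str]]:
    """(name, confidence) for regular files in C:\\ProgramData. Pass files only:
    directories such as 'ssh' would otherwise trip the heuristic."""
    hits = []
    for n in names:
        if n in STAGING_NAMES:
            hits.append((n, "known"))
        elif _SHORT_STAGING.match(n):
            hits.append((n, "heuristic"))
    return hits


# Constructed log format: '<ts> <src> -> <dst>:<port> <method> <path> "<user-agent>"'
_LOG = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>\S+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def score_proxy_line(line: str) -> Tuple[int, List[str]]:
    """3 points for a known C&C IP (+1 if the port matches the table),
    2 for the libcurl dev User-Agent, 1 for the /rcv/ path."""
    m = _LOG.match(line)
    if not m:
        return 0, ["unparsed"]
    c2 = {refang(ip): port for ip, port in C2_SERVERS.items()}
    score, reasons = 0, []
    dst, port = m["dst"], int(m["port"])
    if dst in c2:
        score += 3
        reasons.append(f"known C&C {dst}")
        if c2[dst] == port:
            score += 1
            reasons.append(f"expected port {port}")
    if m["ua"] == C2_USER_AGENT:
        score += 2
        reasons.append("GIFTEDCROOK User-Agent")
    if m["path"].startswith(C2_PATH):
        score += 1
        reasons.append("/rcv/ exfil path")
    return score, reasons


def hunt_proxy_log(lines: Iterable[str], threshold: int = 3) -> List[Tuple[int, str]]:
    """(score, line) for every line at or above threshold, highest score first."""
    out = []
    for ln in lines:
        s, _ = score_proxy_line(ln)
        if s >= threshold:
            out.append((s, ln))
    return sorted(out, key=lambda t: t[0], reverse=True)


# Constructed sample: one confirmed beacon, one benign request, one known IP on an
# unexpected port, and a likely new server (malware UA + path, IP not in the table).
SAMPLE_LOG = [
    '2026-06-15T10:22:01Z 10.0.0.5 -> 166.0.132.237:7044 POST /rcv/ "libcurl/8.14.0-DEV"',
    '2026-06-15T10:22:03Z 10.0.0.5 -> 198.51.100.20:443 GET /search "Mozilla/5.0"',
    '2026-06-15T10:23:11Z 10.0.0.7 -> 136.0.141.41:443 GET /index.html "Mozilla/5.0"',
    '2026-06-15T10:24:00Z 10.0.0.9 -> 203.0.113.8:8080 POST /rcv/ "libcurl/8.14.0-DEV"',
]

if __name__ == "__main__":
    print("WinRAR 7.12 vulnerable:", winrar_is_vulnerable("7.12"))
    for score, line in hunt_proxy_log(SAMPLE_LOG):
        print(score, line)
```

Scoring the User-Agent and `/rcv/` path independently of the IP list is what lets the last sample line surface: IP blocklists age quickly, while the libcurl development build string and the endpoint path are tied to the payload itself.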
