VYPR
breach · Published Jun 15, 2026 · 1 source

WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer

Russian threat actors are exploiting CVE-2025-8088, a path traversal flaw in WinRAR, to deploy the GIFTEDCROOK information stealer against Ukrainian organizations.

Russian hackers are exploiting a known flaw in WinRAR to quietly steal passwords, session cookies, and sensitive files from Ukrainian organizations. The vulnerability, tracked as CVE-2025-8088, was patched in July 2025, yet multiple Russia-aligned groups are still weaponizing it nearly a year later. This proves that unpatched software remains one of the most reliable entry points for determined attackers.

Two separate intrusion sets are working independently but targeting the same flaw. The first, designated SHADOW-EARTH-066 and tracked by CERT-UA as UAC-0226, has been deploying an updated version of its GIFTEDCROOK information stealer. The second is Earth Dahu, also known as Gamaredon, one of the most active Russia-aligned groups targeting Ukraine since at least 2013. Both continued producing new exploit samples through at least April 2026.

Analysts at Trend Micro said in a report shared with Cyber Security News that both campaigns exploit CVE-2025-8088 through malicious RAR archives delivered via spear-phishing emails. When a target opens the archive with an older WinRAR version, a decoy PDF appears on screen while hidden files are silently dropped into the Windows Startup folder. No warning appears, and on the next login, the payload chain executes automatically.

SHADOW-EARTH-066 has targeted Ukrainian military innovation centers, law enforcement agencies, and local government bodies near Ukraine's eastern border. Earth Dahu used the same flaw to deliver espionage tools through HTML Application files loaded via Cloudflare Workers. Despite using different toolsets, both groups relied on the same unpatched entry point. Other Russia-linked actors, including Sandworm, Turla, and Void Rabisu, have also exploited this same vulnerability.

CVE-2025-8088 is a path traversal flaw rated CVSS 8.4 that allows an attacker to silently write files outside the extraction directory using NTFS Alternate Data Streams. The archives contain a visible decoy PDF alongside three hidden payloads: an LNK shortcut written to the Startup folder, a PowerShell loader written to C:\ProgramData, and an encoded DLL written to the same location. On the next login, the LNK triggers a nested PowerShell session that decodes and loads the final payload entirely in memory using direct NT system calls, bypassing common API hooks.
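As an added illustration (this is not code from the article, from Trend Micro, or from any of the groups named), the following Python screens a list of archive entry names for the ingredients just described: an NTFS alternate data stream embedded in the entry name, `..` traversal, a write that resolves outside the extraction directory, a landing spot in a Startup folder, and an executable file type behind a "document" archive. The extraction directory and the sample entry names are constructed assumptions; the ADS-style names model the technique as the paragraph describes it and are not taken from a real archive.

```python
import ntpath

# Assumed extraction directory for the simulation (constructed value).
EXTRACT_DIR = r"C:\Users\victim\Downloads\incoming"

# File types a document-only archive has no reason to write.
SUSPICIOUS_EXT = {".lnk", ".ps1", ".dll", ".hta", ".exe", ".vbs", ".js"}

# Constructed sample entry list (hypothetical names, not from any real archive):
# one visible decoy plus three ADS-carried writes aimed at Startup and ProgramData.
SAMPLE_ENTRIES = [
    "Invoice_2026.pdf",
    r"Invoice_2026.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"Invoice_2026.pdf:..\..\..\..\ProgramData\loader.ps1",
    r"Invoice_2026.pdf:..\..\..\..\ProgramData\payload.dll",
    "notes.txt",
]


def split_ads(entry: str):
    """Split 'file:stream'. Any colon other than a drive-letter colon names an
    NTFS alternate data stream, which a legitimate archive entry never needs."""
    start = 2 if len(entry) > 1 and entry[1] == ":" and entry[0].isalpha() else 0
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def is_rooted(path: str) -> bool:
    """True for drive-qualified (C:\\x) or root-relative (\\x, /x) paths."""
    p = path.replace("/", "\\")
    return bool(ntpath.splitdrive(p)[0]) or p.startswith("\\")


def resolved_target(path: str) -> str:
    """Where a write of `path`, taken relative to EXTRACT_DIR, would land."""
    p = path.replace("/", "\\")
    if is_rooted(p):
        return ntpath.normpath(p)
    return ntpath.normpath(ntpath.join(EXTRACT_DIR, p))


def escapes_extract_dir(target: str) -> bool:
    """True when the resolved target is not beneath EXTRACT_DIR."""
    root = ntpath.normcase(ntpath.normpath(EXTRACT_DIR)) + "\\"
    return not ntpath.normcase(target).startswith(root)


def analyse_entry(entry: str) -> list:
    """Return the reasons an entry looks like a CVE-2025-8088-style write;
    an empty list means nothing suspicious was found in the name."""
    reasons = []
    file_part, stream = split_ads(entry)
    parts = [("file name", file_part)]
    if stream is not None:
        reasons.append("name carries an alternate data stream (':')")
        parts.append(("stream name", stream))
    for label, p in parts:
        segments = [s for s in p.replace("/", "\\").split("\\") if s]
        if ".." in segments:
            reasons.append(f"{label} contains '..' traversal")
        if is_rooted(p):
            reasons.append(f"{label} is an absolute or rooted path")
        target = resolved_target(p)
        if escapes_extract_dir(target):
            reasons.append(f"{label} resolves outside the extraction directory: {target}")
        low = ntpath.normcase(target)
        if "\\start menu\\programs\\startup\\" in low:
            reasons.append(f"{label} lands in a Startup folder (runs at next logon)")
        ext = ntpath.splitext(low)[1]
        if ext in SUSPICIOUS_EXT:
            reasons.append(f"{label} writes an executable type ({ext})")
    return reasons


def triage(entries) -> dict:
    """Map each suspicious entry to its reasons; benign entries are omitted."""
    result = {}
    for entry in entries:
        reasons = analyse_entry(entry)
        if reasons:
            result[entry] = reasons
    return result


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_ENTRIES).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

The check runs on entry names alone, so it can sit in front of extraction (for example on a mail gateway or a sandbox's archive listing) rather than after the files have already been written. Resolving the target against the extraction directory is what separates a harmless `..` inside a deep archive tree from one that climbs out of it.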

The payload is a DLL internally named result.dll, the evolved form of GIFTEDCROOK. It targets Chrome, Edge, Opera, and Firefox, stealing passwords, session cookies, and master decryption keys, while scanning for files across 35 extensions including spreadsheets, email files, and KeePass databases. Stolen data is encrypted using dual-layer RC4 and sent over HTTPS to dedicated command-and-control servers. After exfiltration, the malware deletes all staging files and removes its Startup entry, leaving almost no trace on the compromised system.

The original GIFTEDCROOK, documented in April 2025, was a standalone executable that sent stolen credentials through a hardcoded Telegram bot with plaintext tokens. By February 2026, SHADOW-EARTH-066 had shifted to the WinRAR exploit chain and replaced Telegram with encrypted HTTPS communication pointing to C&C servers across France, the Netherlands, and Switzerland. The update also added a Chrome App-Bound Encryption bypass, showing the developer is actively tracking browser security changes. Security teams should immediately verify WinRAR versions across all endpoints and deploy version 7.13 or later.
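To turn the closing recommendation into something a team can run over an endpoint inventory, here is an added Python example (not code from the article or from any vendor) that classifies reported WinRAR versions against the 7.13 fix line. The inventory rows are constructed sample data; the version-string format is assumed to be "major.minor" with an optional "beta" suffix, and pre-release builds of 7.13 are conservatively treated as unpatched.

```python
import re

# First version carrying the fix, per the article's recommendation.
MIN_SAFE = (7, 13)

# Constructed inventory rows (hostname, version string as reported by the
# inventory agent); None means the agent could not read a version at all.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "7.13"),
    ("ws-finance-02", "7.9"),
    ("ws-legal-03", "7.12"),
    ("ws-ops-04", "7.13 beta 1"),
    ("ws-ops-05", "8.01"),
    ("ws-hr-06", None),
]


def parse_version(text: str):
    """'7.13', '7.01', '7.13 beta 1' -> ((7, 13), is_prerelease).
    Comparing as integer tuples avoids the classic string-ordering mistake
    where '7.13' < '7.9' because '1' sorts before '9'."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    prerelease = "beta" in m.group(2).lower()
    return numbers, prerelease


def is_vulnerable(text: str) -> bool:
    """True when the build predates 7.13 (or is a pre-release of it)."""
    numbers, prerelease = parse_version(text)
    if numbers[:2] < MIN_SAFE:
        return True
    return numbers[:2] == MIN_SAFE and prerelease


def triage_inventory(rows) -> dict:
    """Bucket hosts into 'patch', 'ok' and 'unknown' (no readable version)."""
    buckets = {"patch": [], "ok": [], "unknown": []}
    for host, version in rows:
        if version is None:
            buckets["unknown"].append(host)
        elif is_vulnerable(version):
            buckets["patch"].append(host)
        else:
            buckets["ok"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket deserve a manual look rather than a pass: an agent that cannot read the version may be looking at a portable or user-installed copy outside the normal install path.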

Synthesized by Vypr AI