Last updated: July 5, 2026 at 9:01 AM UTC

Russia-aligned groups exploit old WinRAR flaw to hit Ukrainian targets

Trend Micro reports that at least two Russia-aligned groups, including Gamaredon, are exploiting a WinRAR flaw that was patched nearly a year ago to attack Ukrainian military and government organizations. The attacks start with emails carrying a booby-trapped RAR archive that abuses a path-traversal bug (CVE-2025-8088) to silently drop a malicious shortcut into the Windows Startup folder using NTFS Alternate Data Streams. One cluster, tracked by Ukraine's CERT-UA as UAC-0226, then installs an updated GiftedCrook stealer that grabs browser passwords, session cookies, and documents before deleting itself. The campaigns are a reminder that unpatched WinRAR remains a reliable foothold for attackers.

Check
Check the WinRAR version on Windows endpoints, and review email gateways and endpoint logs for inbound RAR archives and new shortcuts written to Startup folders via alternate data streams.
Affected
Windows systems with WinRAR versions before the CVE-2025-8088 fix, particularly organizations receiving RAR email attachments; Ukrainian government and military entities are the current targets.
Fix
Update WinRAR to the latest version that fixes CVE-2025-8088, block or sandbox inbound RAR attachments at the email gateway, and alert staff to unexpected archive lures.
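The checks listed under Check above, as an added PowerShell audit script (not code from the article, Trend Micro or CERT-UA); the WinRAR install path and the $MinFixedVersion placeholder are assumptions, and the fixed version must be taken from the vendor advisory for CVE-2025-8088:

```powershell
# Added example (not from the article, Trend Micro or CERT-UA): audit a Windows
# endpoint for the two artifacts the Check section names, an outdated WinRAR
# build and files dropped into the Startup folders (shortcut target, creation
# time and any named NTFS alternate data streams). The WinRAR path and
# $MinFixedVersion are assumptions; set the latter from the vendor advisory.
param(
    [string]$WinRarExe = "$env:ProgramFiles\WinRAR\WinRAR.exe",  # assumed default install path
    [version]$MinFixedVersion = '0.0',                           # PLACEHOLDER: fixed version from advisory
    [int]$RecentDays = 30                                        # flag Startup entries newer than this
)

# 1. WinRAR version: compare the executable's file version against the fixed release.
if (Test-Path -LiteralPath $WinRarExe) {
    $raw = (Get-Item -LiteralPath $WinRarExe).VersionInfo.FileVersion
    $ver = if ($raw -match '(\d+(\.\d+)+)') { [version]$Matches[1] } else { $null }
    $status = if (-not $ver) { 'UNKNOWN (could not parse version)' }
              elseif ($MinFixedVersion -eq [version]'0.0') { 'CHECK (set -MinFixedVersion from advisory)' }
              elseif ($ver -ge $MinFixedVersion) { 'OK' } else { 'UPDATE (pre-fix build)' }
    [pscustomobject]@{ Check = 'WinRAR version'; Value = $raw; Status = $status }
} else {
    [pscustomobject]@{ Check = 'WinRAR version'; Value = 'not found at assumed path'; Status = 'INFO' }
}

# 2. Startup folders (per-user and all-users): list every file, resolve .lnk
#    targets and enumerate named streams. ':$DATA' is the ordinary file content;
#    'Zone.Identifier' is the usual benign mark-of-the-web stream.
$shell  = New-Object -ComObject WScript.Shell
$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        $streams = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object Stream
        $target  = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { '' }
        [pscustomobject]@{
            Check   = 'Startup entry'
            Value   = $_.FullName
            Target  = $target
            Created = $_.CreationTime
            Streams = ($streams -join ',')
            # Recently created entries or entries carrying extra streams deserve a look.
            Status  = if ($_.CreationTime -gt $cutoff -or $streams) { 'REVIEW' } else { 'OK' }
        }
    }
}
```

Run it per endpoint (or via your management tooling) and pipe the output to Export-Csv to collect results across a fleet.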