Last updated: July 5, 2026 at 9:01 AM UTC
Tag: winrar (2 articles)

Russia-aligned groups exploit old WinRAR flaw to hit Ukrainian targets

Trend Micro reports that at least two Russia-aligned groups, including Gamaredon, are exploiting a WinRAR flaw that was patched nearly a year ago to attack Ukrainian military and government organizations. The attacks start with emails carrying a booby-trapped RAR archive that abuses a path-traversal bug (CVE-2025-8088) to silently drop a malicious shortcut into the Windows Startup folder using NTFS Alternate Data Streams. One cluster, tracked by Ukraine's CERT-UA as UAC-0226, then installs an updated GiftedCrook stealer that grabs browser passwords, session cookies, and documents before deleting itself. The campaigns are a reminder that unpatched WinRAR remains a reliable foothold for attackers.

Check
Check the WinRAR version on Windows endpoints, and review email gateways and endpoint logs for inbound RAR archives and new shortcuts written to Startup folders via alternate data streams.
Affected
Windows systems with WinRAR versions before the CVE-2025-8088 fix, particularly organizations receiving RAR email attachments; Ukrainian government and military entities are the current targets.
Fix
Update WinRAR to the latest version that fixes CVE-2025-8088, block or sandbox inbound RAR attachments at the email gateway, and alert staff to unexpected archive lures.
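As an added example (not code from the original page or from Trend Micro's report), a PowerShell script that carries out the endpoint side of the check above: it reads the installed WinRAR version and lists recent items in the per-user and all-users Startup folders, with any extra NTFS streams shown as context. It assumes the default WinRAR install paths, and the fixed version number is a placeholder assumption because the page does not state it.

```powershell
# Added example, not from the original page. ASSUMPTION: the fixed WinRAR build
# is not stated on this page; set $FixedVersion to the build the vendor names
# for CVE-2025-8088 before relying on the first check.
$FixedVersion = [version]'7.13'   # placeholder value, see note above

# 1. Installed WinRAR version, read from the binary's version resource.
$winrarExes = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
) | Where-Object { Test-Path $_ }

if (-not $winrarExes) { Write-Output 'WinRAR not found in the default install paths' }
foreach ($exe in $winrarExes) {
    $raw = (Get-Item $exe).VersionInfo.ProductVersion
    $ver = [version]($raw -replace '[^\d.]', '')
    if ($ver -lt $FixedVersion) {
        Write-Warning "WinRAR $ver at $exe is below the fixed build $FixedVersion"
    } else {
        Write-Output "WinRAR $ver at $exe is at or above $FixedVersion"
    }
}

# 2. Startup folders (per-user and all-users): the report describes shortcuts
#    dropped there through the ADS path-traversal bug. List items newest first,
#    flag .lnk files, and show any NTFS streams beyond the default :$DATA
#    stream. A Zone.Identifier stream alone is normal on downloaded files, so
#    treat the stream list as context for review, not as a verdict.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }

$recent = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $extra = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' }
        [pscustomobject]@{
            Created = $_.CreationTime
            IsLnk   = ($_.Extension -ieq '.lnk')
            Streams = ($extra.Stream -join ',')
            Path    = $_.FullName
        }
    }
}
$recent | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt if the all-users Startup folder is access-restricted on the host; any .lnk created around the time a RAR attachment was opened is the item to pull for analysis.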

Gamaredon (FSB) exploits WinRAR to deliver GammaWorm and GammaSteel against Ukraine - resilient, highly obfuscated modular RAR chain

Sekoia has documented Gamaredon - a Russian state-sponsored intrusion set officially linked to the FSB - exploiting WinRAR via booby-trapped RAR archives to deliver the GammaWorm and GammaSteel malware against Ukrainian targets. The infection chain is described as resilient, massive, and highly obfuscated with a modular design whose configurations operators can update on the fly, making reuse likely. Gamaredon has a long history of targeting Ukrainian government, military, and critical-infrastructure entities through spear-phishing with malicious attachments. The disclosure coincides with related Ukraine-focused activity by UAC-0184 (PassMark BurnInTest LNK lures), UAC-0247 (HTA droppers against drone operators), and APT28's evolving PixyNetLoader delivering a COVENANT implant via CVE-2026-21509.

Check
Hunt for malicious RAR archives and WinRAR exploitation, GammaWorm and GammaSteel indicators, and spear-phishing with RAR attachments in Ukraine-facing operations. Apply Sekoia IoCs.
Affected
Ukrainian government, military, and critical-infrastructure entities - the persistent targets of the FSB-linked Gamaredon. The vector is spear-phishing with booby-trapped RAR archives delivering modular, frequently updated payloads.
Fix
Patch WinRAR to the latest version. Block RAR attachments at the email gateway where feasible. Restrict mshta and script execution. Hunt for GammaSteel exfiltration and GammaWorm persistence.