{"id":228593,"date":"2026-06-09T08:26:00","date_gmt":"2026-06-09T12:26:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/09\/winrar-flaw-exploited-by-russia-aligned-groups-to-deploy-stealers-in-ukraine\/"},"modified":"2026-06-09T09:20:53","modified_gmt":"2026-06-09T13:20:53","slug":"winrar-flaw-exploited-by-russia-aligned-groups-to-deploy-stealers-in-ukraine","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/09\/winrar-flaw-exploited-by-russia-aligned-groups-to-deploy-stealers-in-ukraine\/","title":{"rendered":"WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/winrar-flaw-exploited-by-russia-aligned.html\">WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/winrar-flaw-exploited-by-russia-aligned.html\">https:\/\/thehackernews.com\/2026\/06\/winrar-flaw-exploited-by-russia-aligned.html<\/a><\/p>\n<p>Publish Date: 2026-06-09 08:26:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: Ravie Lakshmanan<\/p>\n<p>Jun 09, 2026. Vulnerability \/ Cyber Espionage<\/p>\n<p>Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.<\/p>\n<p>The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS).
It was patched in July 2025 (WinRAR 7.13). WinRAR has no automatic update mechanism, so the fix only reaches hosts where someone installs the new build.<\/p>\n<p>The findings show &#8220;how unmanaged software keeps an exploited entry point open long after the fix ships,&#8221; Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said in an analysis published Monday.<\/p>\n<p>The WinRAR exploit chain used by SHADOW-EARTH-066 is a departure from the Excel macro droppers the threat actor previously used to deliver an information stealer called GIFTEDCROOK. The latest iteration uses crafted RAR archives containing a decoy PDF document and three hidden ADS payloads that are written outside the extraction directory to initiate the infection.<\/p>\n<p>These include a Windows Shortcut (LNK) file placed in the Startup folder so that it runs automatically every time the user logs in. The shortcut spawns a PowerShell loader via &#8220;cmd.exe,&#8221; which then uses in-memory DLL loading to launch an updated version of GIFTEDCROOK (&#8220;result.dll&#8221;).<\/p>\n<p>The malware targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, and Opera) and Mozilla Firefox, and harvests documents matching certain extensions from the victim&#8217;s machine. Once the data has been exfiltrated to an external server, all malicious artifacts are deleted to cover the forensic trail.<\/p>\n<p>A notable change is the shift from Telegram as an exfiltration channel to dedicated command-and-control (C2) servers, a modification that likely follows Russia&#8217;s blocking of the messaging platform earlier this February.<\/p>\n<p>The second Russia-affiliated hacking group to weaponize CVE-2025-8088 is Earth Dahu, which has incorporated the flaw into its arsenal since at least September 2025.
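<\/p>\n<p>The GIFTEDCROOK chain described above is, at bottom, an archive entry whose NTFS alternate-data-stream name carries a path, so that a write meant for the extraction directory lands in the Startup folder instead. The following Python is an added example, not code from Trend Micro, The Hacker News or WinRAR: it takes a list of archive entry names (ADS names in the usual <code>file:stream<\/code> form) and reports which ones would escape a given extraction directory or drop a .lnk into the Startup folder, and it shows the confinement check a safe extractor should apply, on the normalised path rather than on the raw name. The extraction directory and the entry names are constructed for illustration, not taken from a real sample, and the exact way WinRAR assembled the stream path before the fix is not modelled; the example treats the ADS name as if it were resolved against the extraction root, which is the behaviour the path traversal relies on.<\/p>\n
```python
"""Triage archive entry names for path traversal, including names smuggled
through NTFS alternate data streams (ADS), and show the confinement check a
safe extractor should perform.

Added example, not Trend Micro's, The Hacker News' or WinRAR's code. It models
the bug class the article describes for CVE-2025-8088 (an entry or ADS name
carrying '..' components so the write lands outside the extraction directory,
here used to drop a .lnk into the Startup folder). The extraction directory and
entry names are constructed for illustration, not taken from a real sample.
"""
import ntpath

# Directory the extractor is supposed to confine writes to (assumed value).
EXTRACT_DIR = r"C:\Users\victim\Downloads\job_offer"

# Lower-cased tail of the per-user Startup folder; anything landing here runs at logon.
STARTUP_TAIL = r"\microsoft\windows\start menu\programs\startup" + "\\"

# Constructed listing modelled on the chain described in the article: a decoy
# document plus ADS names that walk up out of the extraction directory.
SAMPLE_ENTRIES = [
    "Candidate_CV.pdf",
    "Candidate_CV.pdf:" + r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    "Candidate_CV.pdf:" + r"..\..\AppData\Local\Temp\loader.ps1",
    r"..\..\Public\evil.exe",
    "readme.txt",
]


def split_ads(name):
    """Split 'file.pdf:stream' into (file, stream); stream is None if absent.
    A leading drive letter ('C:') is not a stream separator, so skip it."""
    start = 2 if len(name) > 1 and name[1] == ":" and name[0].isalpha() else 0
    idx = name.find(":", start)
    return (name, None) if idx == -1 else (name[:idx], name[idx + 1:])


def normalise(extract_dir, relative):
    """Join as a naive extractor would, then collapse '..' and '/' with NTFS
    rules. ntpath is used so the result is the same on any host OS."""
    return ntpath.normpath(ntpath.join(extract_dir, relative)).lower()


def is_confined(extract_dir, relative):
    """True only if the normalised target stays under extract_dir. Absolute and
    drive-rooted names ('\\x', 'C:\\x') also fail because ntpath.join discards
    the base directory for them."""
    root = ntpath.normpath(extract_dir).lower()
    target = normalise(extract_dir, relative)
    return target == root or target.startswith(root + ntpath.sep)


def ads_carries_path(stream):
    """A legitimate stream name is a bare identifier; separators or '..' in it
    are how traversal is smuggled past a check applied only to the file name."""
    return "\\" in stream or "/" in stream or ".." in stream


def triage_entry(extract_dir, entry_name):
    """Classify one entry: where it would land and why it is suspicious."""
    base, stream = split_ads(entry_name)
    findings = []
    if not is_confined(extract_dir, base):
        findings.append("traversal-in-filename")
    if stream is not None:
        findings.append("ads-entry")
        if ads_carries_path(stream):
            findings.append("traversal-in-ads-name")
    # Resolve the ADS name against the extraction root as if it were a path;
    # this is the model of how the traversal reaches the Startup folder.
    landing = normalise(extract_dir, stream if stream is not None else base)
    if landing.endswith(".lnk") and STARTUP_TAIL in landing:
        findings.append("startup-folder-lnk")
    return {"entry": entry_name, "landing": landing, "findings": findings}


def scan(extract_dir, entry_names):
    """Return the triage records of every entry with at least one finding."""
    results = (triage_entry(extract_dir, n) for n in entry_names)
    return [r for r in results if r["findings"]]


def safe_target(extract_dir, entry_name):
    """The hardened check: derive the write path only from a normalised name
    that stays inside extract_dir, and refuse ADS names that carry a path."""
    base, stream = split_ads(entry_name)
    if not is_confined(extract_dir, base):
        raise ValueError(f"entry escapes extraction directory: {entry_name!r}")
    if stream is not None and ads_carries_path(stream):
        raise ValueError(f"ADS name carries a path: {entry_name!r}")
    target = ntpath.normpath(ntpath.join(extract_dir, base))
    return target if stream is None else f"{target}:{stream}"


def rejects(extract_dir, entry_name):
    """Boolean form of safe_target for callers that do not want an exception."""
    try:
        safe_target(extract_dir, entry_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rec in scan(EXTRACT_DIR, SAMPLE_ENTRIES):
        print(rec["entry"], "->", rec["landing"], rec["findings"])
```
\n<p>The point of <code>is_confined<\/code> is that the decision is made on the normalised absolute path, after <code>..<\/code> and separator handling, and that it is applied to every name that can influence where bytes are written, the stream name included. A check that only inspects the visible file name passes the decoy PDF and never sees the traversal.<\/p>\n<p>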
The adversary is known for its &#8220;industrial-scale effort&#8221; to maintain long-term access to compromised organizations.<\/p>\n<p>&#8220;Earth Dahu used the vulnerability with an HTA-to-VBScript infection chain that delivered espionage modules,&#8221; Trend Micro noted. &#8220;Based on RAR internal file timestamps and file naming conventions, the chain remained active through at least April 10, 2026.&#8221;<\/p>\n<p>These attacks, as also documented by Sekoia last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad. The intermediate downloader subsequently delivers additional modules such as GammaSteel.<\/p>\n<p>GammaLoad is &#8220;a collection of VBScripts designed to ensure continuous access and deploy payloads over time by leveraging Dead Drop Resolvers (DDR),&#8221; Sekoia said, adding that it is used to deploy a dropper that launches a VBScript loader responsible for executing GammaSteel, a comprehensive information stealer that can monitor changes to files in real time.<\/p>\n<p>&#8220;WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation,&#8221; Trend Micro said.
&#8220;The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability reflects the scale of the cyber threats that Ukraine faces.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine https:\/\/thehackernews.com\/2026\/06\/winrar-flaw-exploited-by-russia-aligned.html Publish Date: 2026-06-09&#8230;<\/p>\n","protected":false},"author":1,"featured_media":228594,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpdAzGyUad4rioCXpoCvPwiGqto_MgCesTBLTn-1uBtWpWAXB99KN0xiE1oIqwDbVi_vkFDnn05XOxwH3WYjLkPNDykxieuftfe-wLFibGL1o8iiUuGfhiG5yYS7KXBV3gvdIYk5PFCurpn0-L77hajka35iE_a-JxWCaYeKc2Yej1gQrkcrQ61ijTm4HS\/s1600\/winrar-exploit.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,32,34,27],"class_list":["post-228593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228593"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=228593"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228593\/revisions"}],"predecessor-version":[{"id":228595,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228593\/revisions
\/228595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/228594"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=228593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=228593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=228593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}