# Persistent Threat: Old WinRAR Flaw CVE-2025-8088 Fuels Cyber Espionage Against Ukraine
Two Russia-aligned cyber attack campaigns are still exploiting a known **WinRAR** security flaw, **CVE-2025-8088**, to target Ukrainian organizations. Despite a patch being released almost a year ago, the vulnerability remains a critical entry point, highlighting the dangers of unmanaged software in high-stakes environments. Cybersecurity firm **Trend Micro** has attributed these ongoing operations to **Earth Dahu** (also known as **Gamaredon**) and **SHADOW-EARTH-066** (also known as **UAC-0226**).
### Unpatched Software: A Persistent Gateway for Cyber Espionage
Almost a year after a critical security flaw in **WinRAR** was patched, Russia-aligned threat actors continue to actively exploit it in campaigns targeting Ukrainian entities. This ongoing activity underscores a significant challenge for IT security professionals: the enduring risk posed by unmanaged and unpatched software, even when fixes are readily available.
The vulnerability in question, identified as **CVE-2025-8088**, is a path traversal flaw. It allows attackers to write files outside the intended extraction directory using **NTFS Alternate Data Streams (ADS)**. **WinRAR** released a patch for this vulnerability in July 2025, yet its exploitation persists.
"The findings show how unmanaged software keeps an exploited entry point open long after the fix ships," noted **Trend Micro** researchers Hiroyuki Kakara and Feike Hacquebord in their recent analysis.

### SHADOW-EARTH-066's Evolving Attack Chain
One of the groups leveraging **CVE-2025-8088** is **SHADOW-EARTH-066**. This group has reportedly shifted its tactics, moving away from previous Excel macro droppers to a new **WinRAR** exploit chain. The updated method involves specially crafted RAR archives that contain a decoy PDF document alongside three hidden **ADS** payloads. These payloads are designed to be placed outside the standard extraction directory, initiating the infection process.
The infection chain includes a Windows Shortcut (LNK) file strategically placed in the Startup folder, ensuring its execution upon user login. This triggers a PowerShell loader via `cmd.exe`, which then utilizes in-memory DLL loading to deploy an updated version of the information stealer malware known as **GIFTEDCROOK** (specifically, "result.dll").
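Added here as a defender-side illustration, not code from Trend Micro or from the article: a triage script that walks a RAR5 archive's headers without extracting anything and flags entry names that use an NTFS ADS stream or `..` components to land outside the extraction directory, the pattern the path traversal described above relies on. The archive bytes are built inline by a minimal constructed writer so the script runs offline; the `decoy.pdf` and `Startup` names are illustrative, not indicators from the report.

```python
import zlib
MAGIC = b"Rar!\x1a\x07\x01\x00"
def vint(buf, pos):
    """Decode a RAR5 little-endian base-128 integer; returns (value, next_pos)."""
    value = shift = 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift; pos += 1; shift += 7
    return value | (buf[pos] << shift), pos + 1
def entry_names(data):
    """Walk the RAR5 header chain and yield each stored file/service name; nothing is extracted."""
    assert data.startswith(MAGIC), "not a RAR5 archive"
    pos = len(MAGIC)
    while pos < len(data):
        hsize, pos = vint(data, pos + 4)                      # skip 4-byte header CRC32 (not verified here)
        body, pos = data[pos:pos + hsize], pos + hsize
        htype, p = vint(body, 0); hflags, p = vint(body, p)
        if hflags & 0x01: _, p = vint(body, p)                # extra area size
        dsize, p = vint(body, p) if hflags & 0x02 else (0, p) # packed data area size
        if htype in (2, 3):                                   # file or service header
            fflags, p = vint(body, p)
            _, p = vint(body, p); _, p = vint(body, p)        # unpacked size, attributes
            p += 4 * bool(fflags & 0x02) + 4 * bool(fflags & 0x04)  # mtime, data CRC32
            _, p = vint(body, p); _, p = vint(body, p)        # compression info, host OS
            nlen, p = vint(body, p)
            yield body[p:p + nlen].decode("utf-8", "replace")
        pos += dsize
        if htype == 5: break                                  # end-of-archive header
def classify(name):
    """'escape' if '..' or an ADS stream carrying a path leaves the target dir, 'ads' for other streams, else 'ok'."""
    _, sep, stream = name.partition(":")
    if ".." in name.replace("\\", "/").split("/") or (sep and ("/" in stream or "\\" in stream)):
        return "escape"
    return "ads" if sep else "ok"
def scan(data):
    return {n: classify(n) for n in entry_names(data)}

# Constructed sample below: a minimal RAR5 writer (stored data, no mtime/CRC) used only to build the demo archive.
def enc(v):
    out = bytearray()
    while v > 0x7F: out.append(v & 0x7F | 0x80); v >>= 7
    return bytes(out) + bytes([v])
def block(htype, fields, data=b""):
    body = enc(htype) + enc(2 if data else 0) + (enc(len(data)) if data else b"") + fields
    hs = enc(len(body))
    return zlib.crc32(hs + body).to_bytes(4, "little") + hs + body + data
def file_block(name, data):
    n = name.encode()
    return block(2, enc(0) + enc(len(data)) + enc(0x20) + enc(0) + enc(0) + enc(len(n)) + n, data)
SAMPLE = (MAGIC + block(1, enc(0)) + file_block("decoy.pdf", b"%PDF-")
          + file_block("decoy.pdf:..\\..\\Startup\\update.lnk", b"LNK") + block(5, enc(0)))
```

Running `scan(SAMPLE)` on the constructed archive returns `ok` for the decoy and `escape` for the ADS entry; in practice any entry classified `escape` (and, for archives from untrusted senders, any `ads` entry) is reason to quarantine the file before extraction.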
**GIFTEDCROOK** targets sensitive data, including passwords and cookies from popular Chromium-based browsers (Google Chrome, **Microsoft** Edge, Opera) and Mozilla Firefox. It also harvests documents matching specific file extensions from the compromised machine. After exfiltrating the stolen data to an external server, the malware meticulously deletes malicious artifacts to obscure its tracks. A notable change in this iteration is the shift from Telegram to dedicated command-and-control (C2) servers for data exfiltration, a modification likely influenced by Russia's blocking of Telegram earlier this year.

### Earth Dahu's "Industrial-Scale" Espionage Efforts
Another Russia-affiliated hacking group exploiting **CVE-2025-8088** is **Earth Dahu** (aka **Gamaredon**), which has incorporated the flaw into its arsenal since at least September 2025. This adversary is known for its "industrial-scale effort" aimed at maintaining long-term access to compromised organizations.
**Trend Micro**'s research indicates that **Earth Dahu** utilizes the vulnerability within an HTA-to-VBScript infection chain to deliver various espionage modules. This chain remained active through at least April 10, 2026. These attacks, also documented by **Sekoia**, lead to the deployment of **GammaPhish**, an HTML Application (HTA). **GammaPhish** then retrieves a VBScript downloader named **GammaLoad**.
**GammaLoad** is described by **Sekoia** as "a collection of VBScripts designed to ensure continuous access and deploy payloads over time by leveraging Dead Drop Resolvers (DDR)." This intermediate downloader subsequently delivers additional modules, including **GammaSteel**, a comprehensive information stealer capable of monitoring file changes in real-time.
### Broader Implications for Cybersecurity
**Trend Micro** highlights that **WinRAR**'s widespread use across Ukrainian organizations makes it an appealing target for exploitation. The convergence of both established state-backed groups and independently tracked clusters on a single, already patched vulnerability underscores the persistent and evolving nature of the cyber threats faced by Ukraine. This scenario serves as a stark reminder for IT security professionals globally about the critical importance of timely patching and robust software management practices to mitigate known vulnerabilities.