What Happened
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an
Why It Matters
According to Trend Micro and The Hacker News, Russia-aligned groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226) are still exploiting the WinRAR path traversal vulnerability CVE-2025-8088 nearly a year after it was patched, using malicious RAR archives with decoy PDFs to drop stealers and espionage tooling on Ukrainian targets.[1][2] These attacks succeed because many endpoints run outdated WinRAR without auto-update, leaving a persistent software supply-chain-style exposure in the user application stack.[2][4] From a CyberSE.AI perspective, any AI workflows or agents that rely on local file handling, document ingestion, or user-provided archives can inherit this legacy vulnerability if running on compromised endpoints, turning malicious archives into a pivot point for data theft from AI-accessible files and credentials. Organizations should treat unmanaged client software like WinRAR as part of their broader AI supply chain, using SBOM-driven asset visibility, patch governance, and hardening guidance to ensure AI-related hosts and data pipelines are not exposed through old third-party tools.
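The flaw class behind this campaign is an extractor trusting attacker-controlled entry names. As an added illustration (constructed for this note; not code from Trend Micro, The Hacker News, or WinRAR), the following Python audits archive entry names under Windows path semantics before anything is written to disk, flagging traversal components, rooted and drive-letter paths, UNC names and NTFS stream syntax, and separately checking where a naive join of output directory plus entry name would actually land. The sample entry list and the output directory are constructed placeholders.

```python
"""Pre-extraction audit of archive entry names under Windows path semantics.

Constructed example, not code from the article or from WinRAR. Archive entry
names are untrusted input: an extractor that joins them onto its output
directory without validation is the class of bug this note describes.
The ntpath module gives Windows path behaviour on any platform.
"""
import ntpath

# Constructed sample: a decoy document plus entry names an auditor should refuse.
DEST_ROOT = r"C:\Users\analyst\Downloads\out"
SAMPLE_ENTRIES = [
    "report.pdf",                    # decoy document, clean
    "docs/annex/figures.png",        # nested entry, clean
    "docs/../report.pdf",            # resolves inside, but '..' is refused anyway
    r"..\..\escaped.txt",            # classic traversal out of the output folder
    r"C:\Temp\dropped.txt",          # absolute path ignores the output folder
    r"\\fileserver\share\x.txt",     # UNC path, also ignores the output folder
    "report.pdf:hidden.bin",         # NTFS alternate-data-stream syntax
]


def classify_entry(name: str) -> list[str]:
    """Return the syntactic reasons an entry name is unsafe; [] means clean.

    Deliberately strict: any '..' component is refused even when it would
    still resolve inside the output directory.
    """
    if not name or "\x00" in name:
        return ["empty-or-nul"]
    reasons = []
    win = name.replace("/", "\\")            # RAR/ZIP may use either separator
    drive, rest = ntpath.splitdrive(win)     # "C:" or "\\server\share" prefix
    if drive.startswith("\\\\"):
        reasons.append("unc-path")
    elif drive:
        reasons.append("drive-letter")
    if rest.startswith("\\"):
        reasons.append("rooted")
    parts = [p for p in rest.split("\\") if p not in ("", ".")]
    if ".." in parts:
        reasons.append("dot-dot")
    if any(":" in p for p in parts):         # "file.txt:stream" after drive removal
        reasons.append("ntfs-stream")
    return reasons


def naive_destination(dest_root: str, name: str) -> str:
    """Path a naive extractor (root joined with the raw entry name) would write."""
    return ntpath.normpath(ntpath.join(dest_root, name.replace("/", "\\")))


def stays_inside(dest_root: str, name: str) -> bool:
    """True if the naive destination is still under dest_root after normalisation."""
    root = ntpath.normcase(ntpath.normpath(dest_root))
    dest = ntpath.normcase(naive_destination(dest_root, name))
    try:
        return ntpath.commonpath([root, dest]) == root
    except ValueError:   # different drives, or absolute mixed with relative
        return False


def audit(entries: list[str], dest_root: str) -> dict[str, list[str]]:
    """Map each entry name to its findings; an empty list means safe to extract."""
    report = {}
    for name in entries:
        findings = classify_entry(name)
        if not stays_inside(dest_root, name):
            findings.append("escapes-root")
        report[name] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_ENTRIES, DEST_ROOT).items():
        print(f"{entry!r:40} {'OK' if not findings else ', '.join(findings)}")
```

The two checks are complementary: the resolution check alone would accept the stream-syntax entry because it normalises to a path inside the output folder, while the component check alone says nothing about where an absolute or UNC name actually lands. A hardened extractor refuses an entry if either check fails, and, as the page notes, the more fundamental control is keeping client archive tools patched and inventoried so this check is never the last line of defence.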
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html