Introduction
Cyber warfare rarely ends when a software vendor releases a patch. In many cases, vulnerabilities continue to fuel attacks long after security fixes become available, especially when organizations fail to update critical software across their networks. A newly documented wave of cyber espionage campaigns demonstrates exactly how dangerous this reality can be.
Security researchers have revealed that two Russia-aligned threat groups continue to exploit a WinRAR vulnerability against Ukrainian organizations nearly a year after the flaw was publicly patched. The campaigns highlight a persistent problem facing governments, businesses, and critical infrastructure operators: outdated software remains one of the easiest gateways for sophisticated threat actors.
The ongoing attacks exploit CVE-2025-8088, a path traversal vulnerability in WinRAR. A crafted archive entry carries an NTFS Alternate Data Stream specifier, and when the stream name contains a relative path such as "..\", WinRAR writes the stream outside the directory the user chose for extraction. Although WinRAR addressed the issue in July 2025 (WinRAR 7.13), cyber espionage operators continue to leverage unpatched systems to gain access to valuable information and maintain long-term surveillance operations inside targeted environments.
WinRAR Vulnerability Remains an Active Threat
Trend Micro researchers have identified two Russia-linked threat actors actively exploiting the vulnerability: Earth Dahu, widely known as Gamaredon, and SHADOW-EARTH-066, also tracked as UAC-0226.
The discovery highlights a troubling reality within cybersecurity. Security patches are only effective when organizations deploy them. Many institutions continue to operate outdated software versions for months or even years after fixes become available, creating a large attack surface for adversaries.
The vulnerability itself enables attackers to bypass normal extraction boundaries within WinRAR archives. Through carefully crafted archive files, malicious actors can place hidden payloads into sensitive Windows locations without the victim realizing that files have been written outside the expected extraction directory.
This technique transforms what appears to be a harmless archive into a sophisticated infection mechanism capable of establishing persistence and launching complex malware chains.
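To make the mechanics concrete, here is an added example (not code from the original article or from Trend Micro) of the entry-name check a mail gateway or sandbox can run before anything is extracted. It flags archive entries whose name carries an ADS specifier with a relative path in the stream name, plain ".." traversal, absolute paths, and anything aimed at the Startup folder. The Startup path fragment and the sample listing are assumptions constructed for the example; in practice, feed it the entry names reported by whatever archive lister you use.

```python
"""Archive entry-name triage for the CVE-2025-8088 pattern.

Added example, not code from the original article or from Trend Micro. The vulnerable
behaviour is: an archive entry named "file:stream" carries an NTFS Alternate Data Stream,
and a stream name containing "..\\" escapes the extraction directory. Entry names are
passed in as strings; the samples below are constructed, not taken from a real archive.
"""
import re
from typing import Dict, List, Optional, Tuple

# Path fragment of the per-user Startup folder, the persistence location the article
# describes (a shortcut dropped there runs at every logon). Assumed marker for this example.
STARTUP_FRAGMENT = "start menu/programs/startup"

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def _normalize(path: str) -> str:
    """Treat backslash and forward slash alike."""
    return path.replace("\\", "/")


def _has_traversal(path: str) -> bool:
    """True if any path component is '..'."""
    return any(seg == ".." for seg in _normalize(path).split("/"))


def split_ads(name: str) -> Tuple[str, Optional[str]]:
    """Split 'base:stream' into (base, stream). A leading drive letter ('C:') is not an ADS.
    (A one-letter file name such as 'a:stream' would be misread as a drive; acceptable here.)"""
    drive = ""
    m = _DRIVE_RE.match(name)
    if m:
        drive, name = m.group(0), name[m.end():]
    base, sep, stream = name.partition(":")
    return drive + base, (stream if sep else None)


def classify_entry(name: str) -> List[str]:
    """Return the reasons an entry name is dangerous; an empty list means nothing noteworthy."""
    reasons: List[str] = []
    base, stream = split_ads(name)
    norm_base = _normalize(base)
    if norm_base.startswith("/") or _DRIVE_RE.match(norm_base):
        reasons.append("absolute path")
    if _has_traversal(base):
        reasons.append("traversal in file path")
    if stream is not None:
        reasons.append("ADS specifier")
        if _has_traversal(stream) or _normalize(stream).startswith("/"):
            reasons.append("traversal in ADS stream name")
    lowered = _normalize(name).lower()
    if STARTUP_FRAGMENT in lowered:
        reasons.append("targets Startup folder")
    if lowered.endswith(".lnk"):
        reasons.append("Windows shortcut")
    return reasons


def verdict(name: str) -> str:
    """'block' for anything that can land outside the extraction directory, 'review' for a
    plain ADS entry (legitimate but rare, e.g. a preserved Zone.Identifier), 'allow' otherwise."""
    reasons = classify_entry(name)
    if any(r.startswith("traversal") or r in ("absolute path", "targets Startup folder")
           for r in reasons):
        return "block"
    if "ADS specifier" in reasons:
        return "review"
    return "allow"


def scan(names: List[str]) -> Dict[str, str]:
    """Verdict per entry name."""
    return {n: verdict(n) for n in names}


# Constructed sample listing, not a real archive.
SAMPLE_ENTRIES = [
    "Report.pdf",
    "Report.pdf:Zone.Identifier",
    r"Report.pdf:..\..\..\Users\Public\update.lnk",
    r"Report.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\tools\helper.exe",
    r"C:\Windows\Temp\helper.dll",
]

if __name__ == "__main__":
    for entry, result in scan(SAMPLE_ENTRIES).items():
        print(f"{result:6} {entry}  {classify_entry(entry)}")
```

The point of separating "review" from "block" is that WinRAR legitimately preserves alternate data streams, so an ADS specifier alone is not an indicator; a relative or absolute path inside the stream name is, because no benign archive needs one.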
SHADOW-EARTH-066 Evolves Beyond Traditional Macro Attacks
One of the most significant findings involves the operational evolution of SHADOW-EARTH-066.
Historically, the group relied heavily on Microsoft Excel macro-based infection chains to distribute malware. However, researchers observed a strategic shift toward exploiting the WinRAR vulnerability instead.
The attack begins with a specially crafted RAR archive that contains a legitimate-looking PDF document designed to deceive victims. Hidden within the archive are multiple malicious payloads stored through Alternate Data Streams.
When such an archive is extracted by a vulnerable WinRAR build, the hidden components are written outside the chosen extraction directory with no prompt or warning, and quietly establish persistence.
A malicious Windows shortcut file is secretly deployed into the Startup folder, ensuring automatic execution every time the victim logs into Windows. This persistence mechanism serves as the first stage of a larger malware deployment framework.
The shortcut starts cmd.exe, which in turn launches a PowerShell-based loader. The loader runs the next stage in memory rather than dropping it to disk, leaving fewer artifacts for forensic review, and ultimately launches an updated version of the GIFTEDCROOK information stealer.
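The chain just described (shortcut at logon, cmd.exe, PowerShell loader) is what an endpoint detection would look for. The following is an added example, not the article's or the vendor's code: a small scorer over Sysmon-style process-creation records that walks the parent chain by ProcessGuid and weighs the command-line flags typical of a loader. The event records, the GUID values and the flag patterns are constructed assumptions for illustration, not real telemetry.

```python
"""Score PowerShell launches for the Startup-shortcut -> cmd.exe -> PowerShell pattern.

Added example, not code from the original article. The records below mimic the fields of
Sysmon Event ID 1 (process creation) and are constructed; GUIDs are shortened placeholders.
"""
import re
from typing import Dict, List

# Constructed events: one malicious chain (E1 -> C1 -> P1), one admin batch file
# (E1 -> C2 -> P2), and one scheduled script whose parent is not in the window (P3).
EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "E1", "ParentProcessGuid": "U1", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "C1", "ParentProcessGuid": "E1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "powershell -w hidden -nop -enc QQBCAEMA"'},
    {"ProcessGuid": "P1", "ParentProcessGuid": "C1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -enc QQBCAEMA"},
    {"ProcessGuid": "C2", "ParentProcessGuid": "E1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c backup.bat"},
    {"ProcessGuid": "P2", "ParentProcessGuid": "C2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
    {"ProcessGuid": "P3", "ParentProcessGuid": "S1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]

# Command-line traits of an in-memory loader. Each match adds one point.
FLAG_PATTERNS = {
    "hidden window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "encoded command": re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"),
    "no profile": re.compile(r"(?i)-nop(rofile)?\b"),
    "in-memory execution": re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|frombase64string)\b"),
}


def basename(image: str) -> str:
    """Lower-case file name of an image path, slash-agnostic."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str], by_guid: Dict[str, Dict[str, str]]) -> Dict:
    """Score one record: parent cmd.exe, grandparent explorer.exe (how a Startup shortcut is
    launched), plus each loader-style flag. Non-PowerShell records score zero."""
    if basename(event["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return {"score": 0, "reasons": [], "severity": "none"}
    reasons: List[str] = []
    parent = by_guid.get(event["ParentProcessGuid"])
    if parent and basename(parent["Image"]) == "cmd.exe":
        reasons.append("spawned by cmd.exe")
        grand = by_guid.get(parent["ParentProcessGuid"])
        if grand and basename(grand["Image"]) == "explorer.exe":
            reasons.append("cmd.exe launched from explorer.exe (shortcut-style launch)")
    for label, pattern in FLAG_PATTERNS.items():
        if pattern.search(event["CommandLine"]):
            reasons.append(label)
    score = len(reasons)
    severity = "high" if score >= 3 else "medium" if score == 2 else "low" if score == 1 else "none"
    return {"score": score, "reasons": reasons, "severity": severity}


def evaluate(events: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Index records by ProcessGuid so the parent chain can be walked, then score each."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    return {e["ProcessGuid"]: score_event(e, by_guid) for e in events}


if __name__ == "__main__":
    for guid, result in evaluate(EVENTS).items():
        if result["score"]:
            print(guid, result["severity"], result["reasons"])
```

The explorer.exe to cmd.exe to PowerShell chain on its own only reaches "medium", because an administrator double-clicking a batch file produces the same ancestry; the hidden-window, encoded-command and no-profile flags are what push the loader to "high". To tie a hit back to the Startup folder, correlate the cmd.exe record with the shortcut's path, which the same telemetry exposes through the parent's command line.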
GIFTEDCROOK Expands Intelligence Collection Capabilities
The latest GIFTEDCROOK variant demonstrates a mature approach to intelligence gathering.
The malware systematically targets stored passwords and browser cookies from popular web browsers including Google Chrome, Microsoft Edge, Opera, and Mozilla Firefox.
Access to browser credentials can provide attackers with entry into email accounts, internal portals, cloud services, and sensitive enterprise systems.
Beyond credential theft, the malware actively searches for documents matching predefined file extensions. This allows operators to identify and exfiltrate potentially valuable intelligence, including government communications, operational plans, internal reports, and strategic documents.
After completing data theft operations, the malware removes traces of its activity by deleting malicious artifacts from the infected system. Such anti-forensic measures complicate incident response investigations and delay attribution efforts.
The Shift Away From Telegram Infrastructure
A particularly interesting development involves the threat
Previous versions of the operation reportedly relied on Telegram as a channel for data exfiltration and operational communication. Researchers now observe a migration toward dedicated command-and-control infrastructure.
This transition likely reflects changing geopolitical and technological conditions.
As restrictions and controls surrounding Telegram evolved within Russia, operators appear to have invested in custom infrastructure that provides greater operational security, flexibility, and resilience against disruption.
Dedicated command-and-control servers also offer attackers improved control over data handling, tasking, and campaign management.
Earth Dahu Continues Long-Term Espionage Operations
The second threat actor identified in the campaigns is Earth Dahu, one of the most persistent cyber espionage groups operating against Ukrainian targets.
Researchers indicate that the group has been weaponizing CVE-2025-8088 since at least September 2025.
Earth Dahu has built a reputation for maintaining long-term access within compromised environments. Unlike financially motivated cybercriminals seeking quick profits, espionage operators prioritize persistence, surveillance, and intelligence collection over extended periods.
The
Evidence suggests these operations remained active through at least April 2026, demonstrating sustained commitment to intelligence collection.
GammaPhish and GammaLoad Strengthen the Infection Framework
Recent investigations have also connected the attacks to the deployment of GammaPhish.
GammaPhish serves as an HTML Application-based delivery mechanism that retrieves an intermediary downloader known as GammaLoad.
GammaLoad functions as a sophisticated collection of VBScript modules responsible for maintaining persistent access and deploying additional payloads when needed.
One notable feature is the use of Dead Drop Resolvers: instead of embedding its command-and-control address, the malware reads the current address from content the operators post on a legitimate third-party service. Taking down or blocking one server does not stop the implant, because the operators simply publish a new address, which makes defensive disruption considerably more difficult.
The modular design enables attackers to update capabilities without requiring complete reinfection of compromised systems.
This flexibility represents a hallmark of modern state-sponsored cyber operations.
GammaSteel Introduces Advanced Monitoring Functions
The final stage of the infection chain frequently involves the deployment of GammaSteel.
GammaSteel is not merely a traditional information stealer. It incorporates advanced monitoring functions capable of observing file system activity in real time.
Such capabilities provide threat actors with continuous visibility into victim behavior, document creation, modification events, and potentially sensitive organizational workflows.
This level of monitoring allows intelligence operators to collect information precisely when it becomes available rather than relying solely on periodic data theft.
The result is a more comprehensive surveillance capability capable of supporting broader intelligence objectives.
Why Ukrainian Organizations Remain a Prime Target
Ukraine continues to face one of the most aggressive cyber threat environments in the world.
Government agencies, military organizations, critical infrastructure providers, educational institutions, and private businesses remain under constant pressure from state-sponsored threat actors.
WinRAR’s widespread adoption across Ukrainian organizations increases its attractiveness as an exploitation target. Because employees routinely exchange compressed archives, malicious files can blend naturally into everyday business workflows.
Attackers understand that trusted and commonly used software often provides the most effective avenue for initial compromise.
The convergence of multiple Russian-linked groups around the same vulnerability demonstrates how valuable the flaw remains despite the availability of security updates.
Deep Analysis: Why Patch Management Continues to Fail
One of the most important lessons from these campaigns is that vulnerability management remains a human and organizational challenge rather than a purely technical one.
Many organizations possess security tools capable of identifying outdated software but lack effective processes to ensure remediation.
Security teams frequently face competing priorities, resource constraints, legacy applications, and operational concerns that delay updates.
From a defensive perspective, administrators should continuously audit software inventories and verify update status across endpoints. For this campaign the check that matters is on Windows hosts: WinRAR does not update itself, so every installed copy must be confirmed at 7.13 or later, including portable copies in user profiles that no installer database records.
The same discipline applies to Linux fleets, where common commands for asset visibility and update verification include:
Asset Discovery
uname -a
hostnamectl
lsb_release -a
Package Verification
dpkg -l
rpm -qa
apt list --installed
Security Updates
sudo apt update && sudo apt upgrade
sudo dnf upgrade
File Integrity Monitoring
find / -mtime -7
stat filename
sha256sum filename
Network Investigation
ss -tulpn
netstat -an
lsof -i
Log Analysis
journalctl -xe
tail -f /var/log/syslog
grep -ri error /var/log/
Organizations that combine asset visibility, patch management, threat hunting, and incident response significantly reduce the likelihood that year-old vulnerabilities remain exploitable.
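As an added example of the verification step (not code from the article): a triage of a software inventory against the fixed WinRAR version. The assumption is that the fix shipped in WinRAR 7.13; the inventory lines are constructed, and pre-release builds are routed to manual review rather than guessed at.

```python
"""Flag hosts whose WinRAR build predates the fix for CVE-2025-8088.

Added example, not code from the original article. Assumed fact: the fix shipped in
WinRAR 7.13 (July 2025), so anything older is exposed. The inventory is constructed; in
practice feed it the DisplayVersion of the WinRAR entry from your inventory tool.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, int] = (7, 13)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")

# Constructed inventory export (host, product, version). Not real hosts.
SAMPLE_INVENTORY = """host,product,version
WS-001,WinRAR 7.12 (64-bit),7.12
WS-002,WinRAR 7.13 (64-bit),7.13
WS-003,WinRAR 6.24 (64-bit),6.24
WS-004,7-Zip,24.08
WS-005,WinRAR,unknown
WS-006,WinRAR 7.13 beta 1 (64-bit),7.13 beta 1
"""


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract major.minor as integers; '7.01' becomes (7, 1), which compares below (7, 13)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if older than the fixed release, False if fixed, None if it cannot be decided.
    Pre-release builds are sent to manual review rather than assumed fixed."""
    if "beta" in version_text.lower():
        return None
    version = parse_version(version_text)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Bucket WinRAR hosts into patch / ok / unknown; other products are ignored."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv.strip())):
        if "winrar" not in row["product"].lower():
            continue
        state = is_vulnerable(row["version"].strip())
        key = "unknown" if state is None else ("patch" if state else "ok")
        buckets[key].append(row["host"].strip())
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The "unknown" bucket is deliberate: an inventory that reports a product without a version, or a beta build, is a data-quality problem to chase rather than a host to mark safe. Hosts that never appear in the export at all, because WinRAR was unpacked rather than installed, are the blind spot this kind of triage cannot close on its own.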
What Undercode Say:
The most revealing aspect of this campaign is not the sophistication of the malware itself.
The real story is operational persistence.
A vulnerability patched months earlier continues generating successful compromises.
That indicates patch management failures remain widespread.
State-backed actors understand this reality better than many defenders.
Instead of constantly searching for zero-day vulnerabilities, they often maximize value from known flaws.
The economics of cyber espionage favor reliability.
A known vulnerability with a high success rate is frequently more valuable than an expensive zero-day exploit.
The migration from Telegram to dedicated infrastructure also signals operational maturity.
Threat actors are adapting to geopolitical and technical restrictions.
This demonstrates flexibility in command-and-control architecture.
Earth
Its focus is not disruption.
Its objective is visibility.
The GammaLoad framework shows how modular malware ecosystems are becoming increasingly common.
Each component serves a specialized function.
This separation improves resilience.
Even if one module is detected, operators can replace or modify individual stages.
The use of Dead Drop Resolvers deserves particular attention.
These mechanisms complicate infrastructure takedowns.
Traditional blocklists become less effective.
Defenders must monitor behavioral indicators rather than relying solely on static signatures.
The campaign also highlights the strategic importance of browsers.
Modern browsers contain passwords, tokens, cookies, and authentication data.
Compromising browser storage frequently eliminates the need for password cracking.
Session theft can be enough.
Real-time monitoring capabilities introduced through GammaSteel elevate the threat.
This is no longer simple credential harvesting.
It becomes active intelligence collection.
The focus on Ukrainian organizations aligns with broader geopolitical objectives.
Cyber operations increasingly complement traditional intelligence activities.
Information gathered through these campaigns may support military, political, or strategic decision-making.
Defenders should recognize that exploitation of archived file formats remains a highly effective attack vector.
Users trust ZIP and RAR files.
Attackers know this.
Software inventory management should become a board-level discussion.
The existence of a patch does not equal security.
Only deployment creates protection.
The continuing success of these campaigns proves that threat actors often win not because defenses are weak, but because updates are delayed.
✅ WinRAR vulnerability CVE-2025-8088 was reported as actively exploited despite a publicly available patch.
✅ Researchers linked exploitation activity to both Earth Dahu (Gamaredon) and SHADOW-EARTH-066 targeting Ukrainian organizations.
✅ Malware families including GIFTEDCROOK, GammaLoad, GammaPhish, and GammaSteel were observed within the documented attack chains, supporting the assessment that these operations focus on espionage and long-term intelligence collection rather than immediate financial gain.
Prediction
(+1) Ukrainian organizations will accelerate software inventory audits and vulnerability management programs, reducing exposure to older exploitation techniques.
(+1) Security vendors will expand behavioral detection capabilities focused on Alternate Data Streams, in-memory loaders, and persistence mechanisms used in archive-based attacks.
(+1) Greater international intelligence sharing will improve attribution and tracking of long-running Russian cyber espionage campaigns.
(-1) Threat actors will continue targeting organizations that delay software updates, extending the lifespan of vulnerabilities far beyond official patch release dates.
(-1) Modular malware frameworks such as GammaLoad and GammaSteel will become more sophisticated and harder to disrupt through conventional security controls.
(-1) State-sponsored cyber operations targeting Ukraine are likely to remain active, adapting infrastructure and delivery methods as defenders improve detection capabilities.
References:
Reported By: thehackernews.com