WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer

Russian hackers are exploiting a known flaw in WinRAR to quietly steal passwords, session cookies, and sensitive files from Ukrainian organizations.

The vulnerability, tracked as CVE-2025-8088, was patched in July 2025, yet multiple Russia-aligned groups are still weaponizing it nearly a year later. This underscores that unpatched software remains one of the most reliable entry points for determined attackers.

Two separate intrusion sets are working independently but targeting the same flaw. The first, designated SHADOW-EARTH-066 and tracked by CERT-UA as UAC-0226, has been deploying an updated version of its GIFTEDCROOK information stealer.

The second is Earth Dahu, also known as Gamaredon, one of the most active Russia-aligned groups targeting Ukraine since at least 2013. Both continued producing new exploit samples through at least April 2026.

Analysts at Trend Micro said in a report shared with Cyber Security News (CSN) that both campaigns exploit CVE-2025-8088 through malicious RAR archives delivered via spear-phishing emails.

When a target opens the archive with a WinRAR build that predates the fix, a decoy PDF appears on screen while hidden files are silently dropped into the Windows Startup folder. No warning appears, and on the next login the payload chain executes automatically.

SHADOW-EARTH-066 has targeted Ukrainian military innovation centers, law enforcement agencies, and local government bodies near Ukraine’s eastern border.

Earth Dahu used the same flaw to deliver espionage tools through HTML Application files loaded via Cloudflare Workers. Despite using different toolsets, both groups relied on the same unpatched entry point.

Other Russia-linked actors, including Sandworm, Turla, and Void Rabisu, have also exploited this same vulnerability.

The continued abuse of a patched flaw highlights a critical gap: WinRAR does not support automatic updates or standard enterprise patch channels, making it easy for organizations to leave vulnerable versions running undetected.

WinRAR Vulnerability Exploited by Russian Hackers

CVE-2025-8088 is a path traversal flaw rated CVSS 8.4 that allows an attacker to silently write files outside the extraction directory using NTFS Alternate Data Streams.

The archives contain a visible decoy PDF alongside three hidden payloads: an LNK shortcut dropped into the Startup folder, a PowerShell loader dropped into C:\ProgramData, and an encoded DLL dropped into the same location.

On the next login, the LNK triggers a nested PowerShell session that decodes and loads the final payload entirely in memory using direct NT system calls, bypassing common API hooks.

The payload is a DLL internally named result.dll, the evolved form of GIFTEDCROOK. It targets Chrome, Edge, Opera, and Firefox, stealing passwords, session cookies, and master decryption keys, while scanning for files across 35 extensions including spreadsheets, email files, and KeePass databases.

[Figure: SHADOW-EARTH-066 attack chain from CVE-2025-8088 exploitation to HTTPS exfiltration (Source: Trend Micro)]

Stolen data is encrypted using dual-layer RC4 and sent over HTTPS to dedicated command-and-control servers. After exfiltration, the malware deletes all staging files and removes its Startup entry, leaving almost no trace on the compromised system.

GIFTEDCROOK Evolves Into a Harder-to-Detect Threat

The original GIFTEDCROOK, documented in April 2025, was a standalone executable that sent stolen credentials through a hardcoded Telegram bot with plaintext tokens.

By February 2026, SHADOW-EARTH-066 had shifted to the WinRAR exploit chain and replaced Telegram with encrypted HTTPS communication pointing to C&C servers across France, the Netherlands, and Switzerland.

The update also added a Chrome App-Bound Encryption bypass, showing the developer is actively tracking browser security changes.

The PowerShell loaders are heavily obfuscated with random function names, junk comment lines, and sleep delays to evade sandbox analysis. The encoded DLL is never written to disk in decoded form, making file-based detection of the final payload very difficult.

Security teams should immediately verify WinRAR versions across all endpoints and deploy version 7.13 or later.

Organizations should hunt for LNK or HTA files with randomized names in the Startup folder, check C:\ProgramData for short alphanumeric files like KKN or ND8, and block known C&C IP addresses at the network perimeter.

For any confirmed compromise, saved browser credentials and active sessions should be rotated, and multi-factor authentication should be enabled on all critical accounts.
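A triage script for the three endpoint checks above, added here as an example (it is not code from the article or from Trend Micro). The WinRAR fix version comes from the article; the short-name regex, the Startup folder heuristics and the "SUSPECT" rule for LNK targets are assumptions modelled on the staging names the article lists.

```powershell
# Added triage script; not from the article or the Trend Micro report. Run in an
# elevated PowerShell 5.1+ session on a Windows endpoint. The short-name regex is
# an assumption modelled on the staging names the article lists (KKN, ND8, QB5k).
$FixedVersion = [version]'7.13'        # version the article names as fixed
$ShortName    = '^[A-Za-z0-9_]{2,4}$'   # assumed "random short name" pattern

function Get-WinRarState {
    # List every installed WinRAR.exe and whether its file version predates the fix.
    $paths = "$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
    foreach ($p in ($paths | Where-Object { Test-Path $_ })) {
        $raw = (Get-Item $p).VersionInfo.FileVersion
        if ($raw -match '^\d+(\.\d+)+') {
            $v = [version]$Matches[0]
            $flag = if ($v -lt $FixedVersion) { 'VULNERABLE' } else { 'patched' }
            [pscustomobject]@{ Check = 'WinRAR'; Path = $p; Detail = "$v"; Flag = $flag }
        }
    }
}

function Get-StartupPersistence {
    # LNK/HTA files with short random-looking names in the user and all-users
    # Startup folders; LNK targets are resolved so a PowerShell launcher stands out.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in '.lnk', '.hta') -and $_.BaseName -match $ShortName } |
        ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { '' }
            $flag   = if ($target -match 'powershell|pwsh|mshta') { 'SUSPECT' } else { 'review' }
            [pscustomobject]@{ Check = 'Startup'; Path = $_.FullName; Detail = $target; Flag = $flag }
        }
}

function Get-ProgramDataStaging {
    # Loose files directly under C:\ProgramData whose whole name is 2-4 characters
    # (no extension), the pattern the article reports for the loader and encoded DLL.
    Get-ChildItem -Path $env:ProgramData -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $ShortName } |
        ForEach-Object {
            $detail = "$($_.Length) bytes, created $($_.CreationTime)"
            [pscustomobject]@{ Check = 'ProgramData'; Path = $_.FullName; Detail = $detail; Flag = 'review' }
        }
}

@(Get-WinRarState) + @(Get-StartupPersistence) + @(Get-ProgramDataStaging) | Format-Table -AutoSize
```

Rows flagged "review" are candidates for manual inspection, not confirmed findings; a legitimate installer can also leave short-named files in these locations.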

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer appeared first on Cyber Security News.

Tushar Subhra Dutta