The Attack: Old Vulnerability, New Campaigns
At least two Russia-aligned threat groups — Shadow-Earth-066 and Earth Dahu (Gamaredon) — are actively exploiting CVE-2025-8088, a high-severity WinRAR path traversal vulnerability patched nearly a year ago in July 2025. According to Trend Micro research published this week, both groups are targeting Ukrainian military and government organizations with email-based attacks that deliver malware through weaponized RAR archives.
The vulnerability allows attackers to craft malicious archive files that write files outside the intended extraction directory. Specifically, both campaigns abuse this flaw to place malicious shortcuts (LNK files) or payloads directly into Windows Startup folders using NTFS Alternate Data Streams. Once the user logs in, Windows automatically executes whatever’s in Startup — and the attacker’s payload runs.
Shadow-Earth-066 uses this technique to deploy GiftedCrook, an information stealer that harvests browser credentials, session cookies, and documents matching 35 file extensions before deleting itself. Earth Dahu takes a different approach: dropping malicious HTA files into Startup locations, which then download VBScript from command-and-control infrastructure hosted on Cloudflare Workers to load persistent espionage modules.
Different payloads, different post-exploitation chains — but identical persistence mechanism. Both campaigns rely on writing files to Windows Startup folders.
Why This Keeps Working
The article makes an important point: WinRAR doesn’t auto-update, doesn’t support Group Policy, and falls outside enterprise patch channels like WSUS, SCCM, or Intune. Verifying patch status across hundreds of endpoints requires third-party tools or manual auditing. A year after the patch, attackers are still finding vulnerable systems because patching WinRAR at scale is genuinely difficult.
Organizations that haven’t patched aren’t necessarily negligent. They’re dealing with tooling that doesn’t integrate with their existing patch management infrastructure. The “just patch it” advice ignores the operational reality.
And even if you patch WinRAR today, what about the next archive utility vulnerability? Or the next email client flaw? Signature-based detection and patch-faster strategies are always playing catch-up.
How FileSure Blocks This Attack Before Execution
FileSure Defend operates at the Windows kernel level via a filter driver that intercepts file system operations before they complete. It doesn’t need to recognize WinRAR, detect malicious archives, or maintain signatures for known threats. It simply controls which programs are allowed to perform which file operations.
Here’s a FileSure rule that would have stopped both campaigns:
File name filter: * (all files)
Program name filter: outlook.exe, thunderbird.exe, winrar.exe, 7z.exe (email clients and archive utilities)
Operations: Write, Create
Drive type: Hard drives
Path filter: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\* and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*
Result: Block and alert
With this rule in place, when the user opens the malicious RAR archive — whether WinRAR is patched or not — and the exploit attempts to write a malicious LNK or HTA file to a Startup folder, FileSure intercepts the write operation at the kernel and blocks it. The payload never lands in the persistence location. Windows never executes it at login. The attack stops before it starts.
The article quotes Waseem Ahmed from Secure.com recommending that defenders “start by setting up an alert” on Startup folder writes. That’s the right instinct — but alerts tell you after the write completes. FileSure blocks the write and alerts at the same time.
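The rule above and Ahmed's alert advice, modelled in user space as an added example (not FileSure's code and not from the Trend Micro or Secure.com material): a small Python checker that applies the same program, operation and path filters to constructed file-creation events of the kind kernel-level file telemetry records (process image, operation, target path), so a log reviewer can see which writes the rule would block and alert on. Assumptions: the sensor logs the full process image path and the target path; the ADS-splitting and ".." normalization helpers are mine, added so that a logged stream name or a not-yet-collapsed traversal path still matches the Startup pattern. It reproduces the rule's decision logic for review only; it intercepts nothing.

```python
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Program name filter from the rule, matched on the executable's base name.
WATCHED_PROGRAMS = {"outlook.exe", "thunderbird.exe", "winrar.exe", "7z.exe"}

# Operations covered by the rule.
WATCHED_OPERATIONS = {"Write", "Create"}

# Path filter from the rule: per-user and all-users Startup folders.
STARTUP_PATTERNS = (
    r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*",
)


@dataclass(frozen=True)
class FileEvent:
    image: str       # full path of the process performing the operation
    operation: str   # "Create", "Write", "Read", ...
    target: str      # target path as logged, possibly with an ADS suffix


def split_ads(path: str) -> tuple[str, str | None]:
    """Split 'C:\\dir\\file.lnk:stream' into the file path and its stream name.
    The colon at index 1 is the drive letter, so the search starts after it."""
    idx = path.find(":", 2)
    if idx == -1:
        return path, None
    return path[:idx], path[idx + 1:]


def resolve_dots(path: str) -> str:
    """Collapse '.' and '..' segments of a drive-rooted path so that a logged
    path still carrying traversal resolves to the directory it lands in."""
    drive, _, rest = path.partition("\\")
    parts: list[str] = []
    for segment in rest.split("\\"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return drive + "\\" + "\\".join(parts)


def is_startup_path(path: str) -> bool:
    """Case-insensitive wildcard match against the rule's path filter."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, pat.lower()) for pat in STARTUP_PATTERNS)


def evaluate(event: FileEvent) -> dict:
    """Apply the rule to one event: 'block' when every filter matches,
    'allow' otherwise. The resolved destination is returned for the alert."""
    program = event.image.rsplit("\\", 1)[-1].lower()
    base, stream = split_ads(event.target)
    destination = resolve_dots(base)
    blocked = (
        program in WATCHED_PROGRAMS
        and event.operation in WATCHED_OPERATIONS
        and is_startup_path(destination)
    )
    return {
        "verdict": "block" if blocked else "allow",
        "program": program,
        "destination": destination,
        "ads": stream,
    }


def review(events: list[FileEvent]) -> list[dict]:
    """Run the rule over a batch of events and return only the blocked ones."""
    return [v for v in (evaluate(e) for e in events) if v["verdict"] == "block"]


# Constructed sample events, not real telemetry.
STARTUP_USER = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_ALL = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\WinRAR\WinRAR.exe", "Create", STARTUP_USER + r"\Updater.lnk"),
    FileEvent(r"C:\Program Files\WinRAR\WinRAR.exe", "Create", r"C:\Users\alice\Downloads\report.pdf"),
    FileEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "Write", STARTUP_ALL + r"\update.hta"),
    FileEvent(r"C:\Windows\explorer.exe", "Create", STARTUP_USER + r"\MyTool.lnk"),
    FileEvent(r"C:\Program Files\7-Zip\7z.exe", "Create",
              r"C:\Users\alice\Downloads\out\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk:payload"),
    FileEvent(r"C:\Program Files\WinRAR\WinRAR.exe", "Read", STARTUP_USER + r"\Updater.lnk"),
]

if __name__ == "__main__":
    for hit in review(SAMPLE_EVENTS):
        print(f"ALERT block {hit['program']} -> {hit['destination']}"
              + (f" (ADS: {hit['ads']})" if hit["ads"] else ""))
```

Run against the constructed batch, the checker flags the WinRAR and Outlook writes into the two Startup folders and the 7z write whose traversal resolves there, and leaves alone the user's own Explorer-created shortcut, a WinRAR write into Downloads, and a read of the Startup folder. The same structure (program set, operation set, destination patterns) is what you would hand to any file-activity sensor to get the "alert" half of the rule; the "block" half needs the kernel-level control the post describes.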
Ahmed also suggests organizations “strip or detonate inbound archives at the mail gateway” and “remove or allowlist WinRAR where it isn’t needed.” FileSure gives you another option: let WinRAR run where it’s legitimately needed, but prevent it from writing to locations that enable persistence. You’re not guessing which endpoints have WinRAR installed or trying to audit patch status across hundreds of systems. You’re controlling what WinRAR — and every other program — is allowed to do to your file system.
The Real Fix Isn’t Just Patching
Patching CVE-2025-8088 is important. But the article makes clear that attackers are still investing in this year-old flaw because it remains cheap to exploit and enough systems remain unpatched to make the investment worthwhile. “There’s no exotic exploit to engineer and no infrastructure to stand up,” Ahmed notes. “It’s a phishing email with a booby-trapped archive.”
The barrier to weaponization is gone. And the next WinRAR vulnerability — or 7-Zip, or any other widely deployed utility that doesn’t integrate with enterprise patch management — will have the same problem.
FileSure doesn’t replace patching. It gives you a durable control that works regardless of patch status, regardless of whether you know where WinRAR is installed, and regardless of whether the next vulnerability has been disclosed yet. Every one of these campaigns persists by writing to the Windows Startup folder. Block that write at the kernel, and the attack doesn’t matter.
Ready to see how FileSure blocks file-based attacks before they execute? Start your free 21-day trial at bystorm.com — no credit card required, full functionality, and it works on every Windows version from XP through Windows 11.
Source: Russian Attackers Weaponize WinRAR Flaw Against Ukrainian Orgs
Category: Ransomware
Tags: cve-2025-8088, winrar, path traversal, windows startup folder, giftedcrook, earth dahu, gamaredon, kernel filter driver