Exploitation of a Patched Flaw
Two cyber attack campaigns linked to Russian state-aligned groups are actively exploiting a path traversal vulnerability in WinRAR to target organizations in Ukraine, according to researchers at Trend Micro. The flaw allows attackers to write files outside the intended extraction directory using NTFS Alternate Data Streams, a technique that can bypass typical security controls. Despite a patch being released by WinRAR in July 2025, the vulnerability remains a favored entry point for these groups nearly a year later.
The groups identified as Earth Dahu, also known as Gamaredon, and SHADOW-EARTH-066, tracked as UAC-0226, have incorporated the exploit into their attack chains. Researchers noted that the continued exploitation of a flaw that is still unpatched on victim systems highlights how outdated software can keep doors open for adversaries long after fixes are available.
Evolving Tactics and Payloads
For SHADOW-EARTH-066, this exploitation marks a shift from previous methods that relied on Excel macro droppers. The latest campaign uses crafted RAR archives containing a decoy PDF document and three hidden payloads stored in Alternate Data Streams. One of these payloads is a Windows Shortcut file placed in the Startup folder, ensuring automatic execution upon user login. This shortcut triggers a PowerShell loader that ultimately deploys an updated version of the GIFTEDCROOK information stealer.
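The chain above leaves two host-side traces a defender can look for: an Alternate Data Stream written by the archiver process and a .lnk file appearing in a Startup folder. The following detector is an added example, not code from the article or from Trend Micro's report; it assumes Sysmon-style JSON events with the fields EventID, Image and TargetFilename, and that the archiver processes of interest are named winrar.exe, rar.exe or unrar.exe.

```python
"""Flags two host-side traces of the chain above in Sysmon-style JSON events:
an NTFS Alternate Data Stream written by an archiver (Event ID 15) and a .lnk
created in a Startup folder (Event ID 11). Log lines are constructed."""
import json
import re

ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}  # assumed process names of interest
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def ads_stream(target):
    """Return the stream name if `target` has the form `path:stream`, else None."""
    body = target[2:] if re.match(r"^[A-Za-z]:", target) else target  # skip drive colon
    return body.rsplit(":", 1)[1] if ":" in body else None

def classify(event):
    """Label one event, or return None when it does not match the chain."""
    eid = event.get("EventID")
    target = event.get("TargetFilename", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if eid == 15:
        stream = ads_stream(target)
        # Zone.Identifier is the ordinary Mark-of-the-Web stream; any other ADS from an archiver is surfaced.
        if stream and stream.lower() != "zone.identifier" and image in ARCHIVERS:
            return "ads_write_by_archiver"
    if eid == 11 and STARTUP_RE.search(target):
        return "lnk_dropped_in_startup"
    return None

def scan(lines):
    """Return (label, TargetFilename) for every matching event; skip bad lines."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        label = classify(event)
        if label:
            findings.append((label, event["TargetFilename"]))
    return findings

# Constructed sample telemetry: benign MotW stream, archiver ADS write, LNK in Startup, ordinary write, corrupt line.
SAMPLE_LOG = [
    r'{"EventID": 15, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.rar:Zone.Identifier"}',
    r'{"EventID": 15, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.pdf:loader.ps1"}',
    r'{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}',
    r'{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}',
    "not json at all",
]

if __name__ == "__main__":
    for label, path in scan(SAMPLE_LOG):
        print(label, path)
```

Both rules fire on the constructed sample; in production the Event ID 15 rule should be tuned to the archiver processes actually deployed in the environment.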
The malware targets passwords and cookies from Chromium-based browsers as well as Mozilla Firefox, and harvests documents with specific extensions from infected machines. After exfiltrating the data to a command-and-control (C2) server, the malicious artifacts are deleted to obscure forensic evidence. Notably, the group has moved away from using Telegram for exfiltration, likely due to Russia blocking the messaging platform in February 2026, and now relies on dedicated C2 servers.
Impact and Lessons
The ongoing exploitation of this WinRAR vulnerability underscores persistent cyber espionage efforts against Ukraine, with both groups adapting their methods to evade detection. The shift in exfiltration channels and the use of fileless techniques demonstrate a continuous evolution in tactics. Organizations, particularly those in conflict zones or with high-value data, are urged to apply all available patches promptly and to monitor for signs of known exploit chains. The case also serves as a reminder that even widely used consumer software can become a critical security weak point if not kept up to date.
Source: The Hacker News
