[TIMESTAMP: 2026-06-02 21:09 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Gamaredon Exploits WinRAR CVE-2025-8088 to Target Ukraine

CRITICAL Threat Intel | Tags: #Gamaredon #CVE-2025-8088 #WinRAR
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Ukrainian government and critical infrastructure face persistent data theft and network infiltration via malicious WinRAR archives.
  • [02] Affected systems: Windows-based workstations running unpatched versions of WinRAR susceptible to path traversal payloads.
  • [03] Remediation: Update WinRAR to the latest version immediately and restrict the execution of HTA files from temporary directories.

The Russian-linked threat actor known as Gamaredon (also tracked as Primitive Bear or ACTINIUM) has intensified its cyber offensive against Ukraine by weaponizing a recently disclosed path traversal flaw in WinRAR. According to The Hacker News, the APT is using CVE-2025-8088 to deliver a multi-stage malware payload designed for espionage and lateral movement. The campaign demonstrates the group's agility in adopting publicly disclosed vulnerabilities to sustain its high-tempo phishing operations against the Ukrainian public sector.

Technical Analysis of CVE-2025-8088 Weaponization

The attack begins with the delivery of a weaponized WinRAR archive, often distributed through spear-phishing emails. The vulnerability, CVE-2025-8088, is a path traversal issue that allows an attacker to manipulate the file extraction process. By crafting a malicious archive, Gamaredon can force WinRAR to write files to arbitrary locations on the file system, bypassing intended security boundaries.
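The traversal class described above is the entry name pointing outside the extraction directory. The following check, an added example that is not part of the original article, screens archive entry names before extraction. It works on entry names as plain strings, so it is independent of the archive format and does not claim to model the specific mechanism of CVE-2025-8088; the sample entry names are constructed, and the Startup folder path used in them is the standard per-user Windows location.

```python
"""Screen archive entry names for path traversal before extraction.

Added example (not from the original article). Entry names are taken as
strings, so the check is independent of the archive format; the sample
names below are constructed for illustration.
"""
import ntpath


def is_safe_entry_name(name: str) -> bool:
    """Return True only if `name` cannot resolve outside the extraction root.

    Rejects empty names and NUL bytes, absolute paths, drive-letter and UNC
    prefixes, and any '..' component. Both '/' and '\\' are treated as
    separators because Windows extractors accept either.
    """
    if not name or "\x00" in name:
        return False
    unified = name.replace("\\", "/")
    # Absolute path (leading '/'), UNC ('//server/share') or drive ('C:').
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return False
    # Conservative: any '..' component is rejected, even if a later segment
    # would bring the path back inside the root.
    return all(part != ".." for part in unified.split("/"))


def screen_entries(names):
    """Split entry names into those safe to extract and those to reject."""
    verdicts = {"safe": [], "rejected": []}
    for name in names:
        key = "safe" if is_safe_entry_name(name) else "rejected"
        verdicts[key].append(name)
    return verdicts


# Constructed sample listing: one benign entry and several traversal forms.
SAMPLE_ENTRIES = [
    "invoice_2025.pdf",
    "docs/../report.docx",
    "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta",
    "C:\\Users\\Public\\update.hta",
    "\\\\server\\share\\update.hta",
]

if __name__ == "__main__":
    for verdict, names in screen_entries(SAMPLE_ENTRIES).items():
        for n in names:
            print(f"{verdict:8} {n}")
```

The check is deliberately stricter than a normalise-then-compare approach: an entry such as `docs/../report.docx` would land inside the root, but legitimate archives have no reason to contain `..`, so rejecting every such component removes a class of parser-disagreement bugs. It does not cover escapes through symbolic links or junctions already present on disk; that requires resolving the final path at extraction time.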

Detection guidance from security researchers centres on monitoring for unusual file-write operations originating from the WinRAR process (winrar.exe), particularly writes into the Windows Startup folder or other persistence locations. Once the user opens the archive, the exploit leads to the execution of a malicious HTML Application (HTA) payload, internally dubbed GammaPhish. This HTA file serves as the initial access stage, establishing a connection to a remote C2 server to fetch subsequent stages of the attack.

Malware Lifecycle: GammaWorm and GammaSteel

Following the successful execution of GammaPhish, the APT deploys two primary malware families: GammaWorm and GammaSteel. GammaWorm is a VBScript-based worm designed for initial reconnaissance and self-propagation across removable drives. It ensures persistence on the infected host by modifying registry keys and scheduled tasks, which is a standard TTP for this actor.

GammaSteel, on the other hand, is the primary data exfiltration tool. This custom malware is capable of stealing sensitive documents, capturing screenshots, and harvesting credentials from web browsers. Gamaredon's malware delivery pipeline against Ukrainian targets is highly automated, allowing the group to cycle through multiple C2 domains and IP addresses to evade traditional signature-based detection. Defenders should map these activities to the MITRE ATT&CK framework, specifically T1204.002 (User Execution: Malicious File) and T1037 (Boot or Logon Initialization Scripts).

WinRAR Path Traversal Vulnerability Mitigation

To defend against this campaign, organizations must prioritize patching WinRAR to versions that address the path traversal flaw. Beyond software updates, defenders should implement the following mitigations:

  • Restrict HTA Execution: Use AppLocker or Windows Defender Application Control (WDAC) to block the execution of .hta files, especially those launched from the %TEMP% or %AppData% directories.
  • Monitor for Abnormal Persistence: Use EDR solutions to alert on WinRAR writing files to the Startup folder or creating new scheduled tasks immediately after execution.
  • Network Filtering: Block known Gamaredon IoC patterns, including traffic to Dynamic DNS providers and unauthorized Telegram API communication, which the group often uses for C2 signaling.
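The detection logic behind the WinRAR file-write monitoring described in the technical analysis and the second mitigation above can be expressed as two rules over file-creation telemetry. The block below is an added example, not code from the original article or from any vendor product: it evaluates constructed records in the shape of Sysmon Event ID 11 (FileCreate, fields `Image` and `TargetFilename`) and raises an alert when the WinRAR process writes into a Startup folder or drops an `.hta` file under `%TEMP%` (`AppData\Local\Temp`) or `%AppData%`. Hostnames, usernames and file names in the sample are made up; the technique IDs attached to the alerts follow the article's own ATT&CK mapping.

```python
"""Flag WinRAR file writes matching the persistence and HTA-drop patterns
from the article.

Added example (not from the original article). Runs over constructed
Sysmon-style FileCreate records; all paths and names are made up.
"""
from dataclasses import dataclass

# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.pdf"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.hta"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.vbs"},
]

# Substring common to the per-user and all-users Startup folders (lower-cased).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Directories where a dropped .hta is suspicious: %TEMP% and %AppData%.
HTA_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str  # ATT&CK ID as mapped in the article
    image: str
    target: str


def _normalise(path: str) -> str:
    """Lower-case and unify separators so matching is case-insensitive."""
    return path.replace("/", "\\").lower()


def _is_winrar(image: str) -> bool:
    """True if the writing process image is winrar.exe, whatever the directory."""
    return _normalise(image).rsplit("\\", 1)[-1] == "winrar.exe"


def evaluate(event: dict) -> list:
    """Apply both rules to one FileCreate record; returns zero or more alerts."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    if not _is_winrar(image):
        return []
    t = _normalise(target)
    alerts = []
    if STARTUP_MARKER in t:
        alerts.append(Alert("winrar_startup_write", "T1037", image, target))
    if t.endswith(".hta") and any(d in t for d in HTA_DROP_DIRS):
        alerts.append(Alert("winrar_hta_drop", "T1204.002", image, target))
    return alerts


def scan(events) -> list:
    """Evaluate every record and collect the alerts in event order."""
    return [alert for event in events for alert in evaluate(event)]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.technique}: {a.image} -> {a.target}")
```

A write to the Startup folder by an archiver is rare enough in normal use that the first rule can page on its own; the HTA rule is noisier on hosts where users legitimately open HTA files, so pairing it with the parent-process condition (WinRAR) as done here keeps it tractable. The same two conditions translate directly into an EDR or SIEM query over the equivalent file-creation event source.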

The high frequency of these attacks suggests that Gamaredon remains one of the most active threats to Ukrainian digital sovereignty. Consistent monitoring and rapid patching are the only effective defenses against their evolving arsenal.
