Russian APT groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 are exploiting a patched WinRAR flaw (CVE-2025-8088) to deploy malware through phishing attacks, even though the vulnerability was fixed in July 2025. Researchers found that both groups continue to build new exploit samples that deliver malicious documents through spear-phishing emails. The flaw lets a crafted archive write files outside the extraction directory without user interaction, enabling silent malware deployment on victims' systems.
SHADOW-EARTH-066 has notably upgraded its techniques, using a PowerShell loader and evasion tactics to avoid detection. Earth Dahu employs a simpler delivery method built on HTA and VBScript files. Both groups take advantage of the fact that WinRAR is widely installed but infrequently updated, which keeps it a persistent attack vector. The researchers' reports describe a significant and ongoing cyber threat to Ukrainian organizations.
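The defensive property that the flaw violates is that every archive entry must land inside the directory the user chose. The following is an added example (not code from WinRAR or from the researchers' reports) that audits a constructed list of archive entry names with Windows path semantics before anything is written: it rejects absolute and drive-prefixed paths, parent-directory traversal, and, as this example's own assumption about how an escape can be encoded, NTFS alternate data stream syntax in a path component. The destination directory and the entry names are constructed sample values.

```python
import ntpath

# Constructed sample entry names, as a scanner might read them from an archive
# listing; none of these are real indicators from the reports.
SAMPLE_ENTRIES = [
    "report/summary.docx",                      # ordinary, stays under dest
    "..\\..\\Users\\Public\\Downloads\\x.lnk",  # parent-directory traversal
    "C:\\Users\\Public\\x.lnk",                 # absolute path with drive
    "notes.txt:hidden.hta",                     # alternate data stream (assumed)
    "docs/../../startup/run.vbs",               # forward slashes still traverse
]


def resolve_target(dest: str, entry: str) -> str:
    """Path the entry would be written to, using Windows (ntpath) rules."""
    return ntpath.normpath(ntpath.join(dest, entry))


def is_contained(dest: str, entry: str) -> bool:
    """True only if the resolved target stays under the extraction directory."""
    dest_n = ntpath.normpath(dest)
    try:
        return ntpath.commonpath([dest_n, resolve_target(dest, entry)]) == dest_n
    except ValueError:  # different drives or absolute/relative mix
        return False


def classify_entry(dest: str, entry: str) -> str:
    """Return 'ok' or the reason the entry must be rejected before extraction."""
    drive, rest = ntpath.splitdrive(entry)
    if drive or rest.startswith(("\\", "/")):
        return "absolute path"
    # A ':' inside any component names an alternate data stream, which a plain
    # containment check (is_contained) would wrongly accept.
    if any(":" in part for part in rest.replace("/", "\\").split("\\")):
        return "alternate data stream syntax"
    if not is_contained(dest, entry):
        return "escapes extraction directory"
    return "ok"


def audit_entries(dest: str, entries):
    """Map each entry name to its verdict so a pre-extraction gate can decide."""
    return {entry: classify_entry(dest, entry) for entry in entries}


if __name__ == "__main__":
    for entry, verdict in audit_entries("C:\\extract", SAMPLE_ENTRIES).items():
        print(f"{verdict:32} {entry}")
```

Only the first sample entry passes; the others illustrate the distinct ways an entry name can escape the chosen directory, and a gate that extracts nothing from an archive containing any rejected entry is the conservative choice.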