Gamaredon Exploits WinRAR CVE-2025-8088 to Drop Data-Theft Malware
Russia-linked Gamaredon (also tracked as Armageddon, Shuckworm, UAC-0010) is actively weaponizing CVE-2025-8088, a path traversal flaw in WinRAR, to deliver two custom malware families — GammaWorm (lateral propagation) and GammaSteel (data exfiltration) — against Ukrainian targets. The campaign was documented by Sekoia.
What Happened
CVE-2025-8088 is a path traversal vulnerability in WinRAR that allows a malicious archive to write files outside the intended extraction directory. Gamaredon is distributing booby-trapped archives that, when opened, silently drop GammaWorm onto the host. GammaWorm propagates to additional systems — via removable drives or network shares — while GammaSteel performs targeted data theft, collecting and exfiltrating documents and credentials.
The current campaign is focused on Ukrainian organizations, but Gamaredon has historically cast a wide net, and the technique — archive-delivered payload exploiting a ubiquitous extraction utility — requires no special targeting to reuse.
Why It Matters
WinRAR is installed on hundreds of millions of Windows endpoints, including in enterprise environments that have never standardized on built-in OS tools or 7-Zip. A path traversal at extraction time is especially dangerous: the exploit triggers the moment a user opens the archive. No macro enablement, no elevation prompt, no secondary executable required.
The worm component raises the stakes further. A single compromised host with shared drives or USB activity can propagate laterally without any further attacker interaction. Nation-state tooling of this caliber routinely leaks into criminal ecosystems within months — meaning the window between "targeted campaign" and "commodity threat" is short.
What to Do
- Patch WinRAR immediately. Verify installed versions across your fleet and push the patched release that addresses CVE-2025-8088 via your software management tooling (Intune, SCCM, etc.) today — this does not wait for the next maintenance window.
- Inventory and prune installs. In most orgs, WinRAR lingers as a years-old installation on machines that have no operational need for it. Query your asset management system and uninstall where there is no active use case.
- Harden archive delivery vectors. If your email gateway or web proxy supports archive-type filtering, consider a temporary block on
.rarfiles from untrusted external senders while patching rolls out.
- Hunt for IOCs now. Search your EDR and SIEM for GammaWorm and GammaSteel behavioral indicators. The Sekoia-sourced reporting includes behavioral signatures; pull specific hashes and C2 infrastructure from your threat intel feeds and run a retroactive hunt across the last 30 days.
- Replace WinRAR permanently. If the only use case is
.rarextraction, 7-Zip handles it natively and introduces no additional attack surface. Standardize on it and remove the WinRAR runtime as part of the patching push.
Synthesized by Claude · sanity-checked before publish.