ProBackend
threat actor campaigns exploitation

WinRAR’s Forgotten Door: How Russian Actors Turned a Year-Old Patch Into a Backdoor

Shadow-Earth-066 and Earth Dahu exploit CVE-2025-8088 in Ukraine—and beyond—because organizations still haven’t found WinRAR on their networks. It’s not the flaw that’s dangerous; it’s the silence.

The Flaw Was Patched. The Door Wasn’t Locked.

A year ago, WinRAR 7.13 shipped the fix for CVE-2025-8088. And yet Russian-aligned threat actors are still walking right in. Not because the exploit is clever. Not because the infrastructure is complex. But because nobody checked whether the patched build was actually installed on the machines that open attachments.

Trend Micro’s latest findings show two separate campaigns—Shadow-Earth-066 and Earth Dahu—both weaponizing the same vulnerability, but with wildly different tactics. One drops a silent stealer. The other builds a persistent espionage pipeline using Cloudflare Workers. Same flaw. Same target. Same failure.

The real story isn’t the exploit. It’s the silence.

What CVE-2025-8088 Actually Lets Attackers Do

Let’s cut through the jargon. CVE-2025-8088 is a path traversal bug in how WinRAR handled NTFS alternate data stream entries inside an archive. Open a malicious RAR file, and the vulnerable extractor honours a stream entry carrying a relative path, so it writes files outside the folder you chose. Not just in that folder. Anywhere the current user can write.

The most common target? The Startup folder, where Windows runs whatever sits there every time someone logs in. The per-user copy, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, is writable by an ordinary user, so the drop needs no admin rights and raises no UAC prompt. The all-users copy under C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup does require admin rights to write, which is why the per-user path is the one that matters in practice. Either way, it all starts with a double-click on a file that looks like a budget spreadsheet.
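To make the traversal concrete, here is an added illustration (not WinRAR’s code, and not a claim about what WinRAR’s own 7.13 fix changed) of the destination check a hardened extractor applies to every entry before writing it: refuse rooted names, refuse NTFS stream syntax, then resolve the target and require it to stay under the chosen folder. The destination folder and the archive entry names are constructed, and the path rules it relies on are Windows’ own, so it assumes Windows PowerShell.

```powershell
# Added example, not WinRAR's code: the destination check a hardened extractor
# applies to every archive entry before writing it. Entry names below are
# constructed to show the traversal shapes, not copied from a real sample.
function Test-SafeExtractPath {
    param(
        [Parameter(Mandatory)] [string] $Destination,   # folder the user picked
        [Parameter(Mandatory)] [string] $EntryName      # name as stored in the archive
    )
    # Absolute, drive-relative ("C:..\x") or UNC names must never be honoured.
    if ([System.IO.Path]::IsPathRooted($EntryName)) { return $false }

    # "budget.xlsx:..\..\x.lnk" is NTFS alternate-data-stream syntax. CVE-2025-8088
    # was a traversal delivered through stream entries, and an extractor has no
    # reason to write streams from an untrusted archive at all, so refuse them.
    if ($EntryName.Contains(':')) { return $false }

    # Normalise both sides (collapses "..", converts "/" to "\") and require the
    # resolved target to stay under the destination folder.
    $root   = [System.IO.Path]::GetFullPath($Destination.TrimEnd('\') + '\')
    $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $EntryName))
    return $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed inputs: one legitimate entry and three hostile ones.
$destination = 'C:\Users\alice\Downloads\budget'
$entries = @(
    'Q3\budget.xlsx',
    '..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk',
    'budget.xlsx:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk',
    'C:\Windows\Temp\Update.exe'
)
foreach ($entry in $entries) {
    $verdict = if (Test-SafeExtractPath -Destination $destination -EntryName $entry) { 'WRITE ' } else { 'REJECT' }
    "$verdict  $entry"
}
```

The order of the checks matters: the rooted-path test runs first so a name such as C:\Windows\Temp\Update.exe is rejected for being absolute rather than tripping the colon test, and the colon test runs before normalisation because Windows PowerShell’s GetFullPath throws on a colon anywhere but the drive position. Only a name that survives both is resolved and compared against the destination.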

This isn’t zero-day magic. It’s 2012-level exploitation, resurrected because WinRAR has no auto-updater, isn’t served by Windows Update, is rarely packaged through SCCM or Intune, and so slips out of patch reports and asset inventories. You don’t patch it because you don’t know it’s there.

Shadow-Earth-066: The Ghost in the Startup Folder

Shadow-Earth-066—known to Ukrainian CERT as UAC-0226—isn’t trying to burn down the house. They’re stealing files. Quietly.

Their emails use urgent, believable hooks: military procurement requests, logistics updates, internal briefings. The attached RAR archive exploits CVE-2025-8088 to drop a malicious .lnk file into the Startup folder. That .lnk runs GiftedCrook.

GiftedCrook isn’t fancy. It doesn’t call home every five minutes. It doesn’t install a backdoor. It grabs passwords, cookies, and about 35 file types—.docx, .xlsx, .pdf, .jpg—and then deletes itself. No trace. No alert. Just data exfiltrated before anyone notices.

And it’s still active. April 2026 samples confirm this isn’t a relic. It’s a living, breathing campaign.

Earth Dahu: The Long Game in the Cloud

Earth Dahu? They’re not in a hurry.

This group—also called Gamaredon, Shuckworm, Aqua Blizzard—has been around since 2013. They don’t just want access. They want to live inside your network.

Their approach leans on borrowed trust. Emails come from compromised government accounts. Attachments look like legitimate documents. But the RAR file doesn’t drop an LNK. It drops an .hta, a malicious HTML Application.

That .hta runs locally under mshta.exe, but it carries little more than a downloader. It calls out to Cloudflare Workers, Cloudflare’s legitimate serverless platform, and pulls down VBScript modules that install the real payload. The traffic blends in with ordinary browsing to a trusted provider. The C2 is hidden in plain sight.

Google Threat Intelligence confirmed Earth Dahu’s activity as recently as April 2026. They’re not just active—they’re evolving.

Who Else Is Watching This Door?

It’s tempting to think this is just Ukraine. It’s not.

Google’s January 2026 report flagged CVE-2025-8088 as a target for Sandworm, Turla, and Void Rabisu. Those groups didn’t limit themselves to Ukrainian orgs. They cast a wide net across Eastern Europe, the Baltics, even mid-sized businesses in Germany and Poland.

Why? Because small and mid-sized companies are the perfect blind spot. No dedicated security team. No asset inventory. WinRAR gets installed on a developer’s laptop in 2023, forgotten by 2024, and still running in 2026.

Waseem Ahmed, head of engineering at Secure.com, put it bluntly: "There’s no exotic exploit to engineer and no infrastructure to stand up; it’s a phishing email with a booby-trapped archive, and the technique has been a market commodity since before it was even public."

The barrier to entry? Zero.

How to Close the Door Before the Next Wave

Here’s what you do tomorrow:

  1. Find WinRAR, don’t assume. If you use Intune or SCCM, query for it explicitly. It isn’t in your patch reports because it was never onboarded into patch management, and portable copies never register with the installer database at all. It’s the tool your accountant put on their laptop in 2021. Go find it.

  2. Strip or detonate RAR attachments at the gateway. Mimecast, Proofpoint, Cloudflare Email Security and similar products can sandbox archive attachments or strip them outright before they reach Outlook. If your users don’t need WinRAR, remove it and block its installation. Don’t just ignore it.

  3. Watch the Startup folders like a hawk. Alert on any new .exe, .lnk, .hta or script file appearing in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user) or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (all users). A Sysmon FileCreate rule (Event ID 11) scoped to those two paths, or the equivalent EDR file-write telemetry, covers it. It’s the most common persistence vector in these campaigns, and it’s free to monitor.

  4. Stop pretending you know where your doors are. Ahmed’s quote isn’t marketing fluff. It’s the truth. You can’t patch what you haven’t found. And if you’re not auditing legacy software, you’re not securing your network—you’re just hoping.
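Items 1 and 3 above, as an added example that is not part of the original post and not Trend Micro’s or RARLAB’s tooling: one PowerShell script that inventories WinRAR on a host (installer-registered copies from the registry plus portable copies found on disk, each flagged against the 7.13 fix threshold) and lists what is sitting in every Startup folder, resolving .lnk targets so a shortcut shows what it really launches. The scan roots, the file names searched for and the version-string parsing are assumptions, stated in the comments; it is meant to run elevated on a single host, or be wrapped as an Intune or SCCM script.

```powershell
# Added example, not Trend Micro's or RARLAB's code: inventory WinRAR on one
# Windows host and list what sits in its Startup folders. Run elevated so the
# per-user hives and profiles are readable. Scan roots are assumptions.

function ConvertTo-MajorMinor {
    param([string] $Text)
    # WinRAR reports "7.13", "7.13.0" or "WinRAR 7.01 (64-bit)"; major.minor is
    # all the 7.13 threshold needs.
    if ($Text -match '(\d+)\.(\d+)') { return [version]"$($Matches[1]).$($Matches[2])" }
    return $null
}

function Test-VulnerableToCve20258088 {
    param([version] $Version)
    # Fixed in WinRAR 7.13; anything older is exposed.
    return ($Version.Major -lt 7) -or ($Version.Major -eq 7 -and $Version.Minor -lt 13)
}

function Get-WinRarInstall {
    # Installer-registered copies: machine-wide 64-bit, machine-wide 32-bit, and
    # per-user installs in every loaded user hive.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $keys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" }
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            $v = ConvertTo-MajorMinor "$($_.DisplayVersion) $($_.DisplayName)"
            [pscustomobject]@{
                Source     = 'registry'
                Path       = $_.InstallLocation
                Version    = $v
                Vulnerable = $(if ($v) { Test-VulnerableToCve20258088 $v } else { 'unknown' })
            }
        }

    # Portable or hand-copied binaries never touch the registry, so walk the
    # filesystem too. Program Files and the user profiles are assumed; add file
    # shares or data drives as needed. Rar.exe and UnRAR.exe from the WinRAR
    # package carry the same version numbering and the same fix.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\Users") |
        Where-Object { $_ -and (Test-Path $_) }
    $scan = @{ Path = $roots; Recurse = $true; Force = $true; ErrorAction = 'SilentlyContinue'
               Include = 'WinRAR.exe', 'Rar.exe', 'UnRAR.exe' }
    Get-ChildItem @scan | ForEach-Object {
        $v = ConvertTo-MajorMinor $_.VersionInfo.FileVersion
        [pscustomobject]@{
            Source     = 'filesystem'
            Path       = $_.FullName
            Version    = $v
            Vulnerable = $(if ($v) { Test-VulnerableToCve20258088 $v } else { 'unknown' })
        }
    }
}

function Get-StartupArtifact {
    # The per-user folder is writable by its owner, which is what the campaigns
    # abuse; the all-users folder needs admin rights but is worth listing too.
    $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $folders += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                # Resolve .lnk targets so "Update.lnk" shows what it actually launches.
                $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { '' }
                [pscustomobject]@{
                    Path       = $_.FullName
                    CreatedUtc = $_.CreationTimeUtc
                    Target     = $target
                }
            }
    }
}

Get-WinRarInstall   | Format-Table -AutoSize
Get-StartupArtifact | Format-Table -AutoSize
```

This is a point-in-time sweep. For continuous alerting, the same two Startup paths belong in a Sysmon FileCreate (Event ID 11) rule or your EDR’s file-write telemetry, and the inventory half is the query to schedule through Intune or SCCM so a build older than 7.13 shows up as a finding rather than as a surprise.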

The Real Problem Isn’t WinRAR. It’s Your Culture.

CVE-2025-8088 isn’t a bug. It’s a symptom.

It’s the symptom of organizations that treat software like furniture: install it, forget it, and assume someone else will maintain it. WinRAR isn’t end-of-life. It’s end-of-attention.

Threat actors aren’t exploiting this flaw because it’s hard. They’re exploiting it because it’s easy. And they’re counting on you to keep ignoring it.

The fix isn’t a patch. It’s a cultural shift: treating every piece of installed software as attack surface you are responsible for. If you issue it, you control it. If you don’t control it, you remove it.

Stay skeptical. Stay vigilant. And for God’s sake—go look for WinRAR before the next campaign hits.
