Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
According to Sekoia, the Russian state-sponsored group Gamaredon is actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to target Ukrainian entities. The attack chain begins with a weaponized WinRAR archive that triggers an HTML Application (HTA) payload named GammaPhish. This payload then downloads and executes additional malware: GammaWorm, a self-propagating worm designed to spread across networks, and GammaSteel, a data-stealing trojan that exfiltrates sensitive information. The campaign highlights ongoing cyber operations against Ukraine, leveraging a known vulnerability in a widely used archiving tool. Sekoia's report provides technical details on the exploit and indicators of compromise, emphasizing the need for organizations to patch WinRAR and implement robust email security measures.
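Added example (not code from the Sekoia report or from WinRAR): a defender-side audit of archive entry names that flags the two signals the summary describes, entries whose paths would escape the extraction directory and entries carrying an HTA payload. The entry names and the `extract` destination directory are constructed for illustration.

```python
import os
from typing import List, Optional, Tuple

# Constructed sample entry names (not indicators from the report).
SAMPLE_ENTRIES = [
    "report/summary.docx",
    "../../Users/Public/Start Menu/Programs/Startup/update.hta",
    "C:/Users/Public/run.hta",
    "..\\..\\AppData\\Roaming\\loader.hta",
    "images/photo.png",
    "docs/..hidden/notes.txt",
]

SCRIPT_EXTENSIONS = {".hta"}  # the payload type named in the summary


def is_traversal(entry_name: str) -> bool:
    """True if the entry name is absolute or contains a '..' component."""
    name = entry_name.replace("\\", "/")  # normalise Windows separators
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True  # absolute POSIX path or Windows drive letter
    return ".." in name.split("/")


def safe_target(dest_dir: str, entry_name: str) -> Optional[str]:
    """Resolve the would-be output path; None if it leaves dest_dir."""
    name = entry_name.replace("\\", "/").lstrip("/")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    return target if os.path.commonpath([base, target]) == base else None


def audit_entries(entries: List[str], dest_dir: str = "extract") -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into safe names and (name, reason) pairs to quarantine."""
    safe, flagged = [], []
    for entry in entries:
        if is_traversal(entry) or safe_target(dest_dir, entry) is None:
            flagged.append((entry, "path traversal"))
        elif os.path.splitext(entry)[1].lower() in SCRIPT_EXTENSIONS:
            flagged.append((entry, "script payload"))
        else:
            safe.append(entry)
    return safe, flagged


if __name__ == "__main__":
    ok, bad = audit_entries(SAMPLE_ENTRIES)
    print("safe:", ok)
    for name, reason in bad:
        print(f"flagged ({reason}): {name}")
```

The name check catches traversal before any file is written; the `realpath` check is the second line of defence for names that only resolve outside the destination after normalisation.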
Developers must patch WinRAR to prevent exploitation via path traversal attacks.