Russian state-sponsored groups continue to exploit a patched vulnerability in WinRAR, the path traversal flaw CVE-2025-8088, to distribute malware through phishing campaigns. The exploit lets an attacker write files outside the intended extraction directory by abusing NTFS Alternate Data Streams. Although WinRAR version 7.13, released in July 2025, fixed the flaw, researchers have found that two Russia-linked APT groups, Earth Dahu and SHADOW-EARTH-066, are still creating new exploit samples and using them to deliver malicious documents [1]. Continued exploitation of a known, patched flaw is a reminder that a vendor fix alone does not end the risk: systems have to actually be updated, and monitoring has to be in place to detect and block attempts against hosts that are not. For practitioners this means prioritising patch management for WinRAR and keeping detection coverage for this exploit active.
Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088
⚠️ Critical Alert
Why This Matters
CVE-2025-8088 is the subject of active reporting involving Russia-linked groups; its exploitation status decides whether it is a patch-now or a monitor item.
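The summary above describes the two ingredients of the flaw: archive entry names that escape the extraction directory, and NTFS Alternate Data Stream syntax (`file:stream`) used to smuggle the write. The following Python is an added example, not code from SecurityAffairs or from the WinRAR project, showing how a defender-side archive pre-screener or a safe extractor can flag both shapes before any file is written. The entry names in `SAMPLE_ENTRIES` are constructed for illustration and are not the exploit's real trigger; the function and variable names are the example's own.

```python
import ntpath

# Constructed sample entry names (not taken from any real archive or sample).
# They cover the shapes a screener should reject: relative traversal, absolute
# and drive-qualified paths, and Alternate Data Stream (ADS) syntax.
SAMPLE_ENTRIES = [
    "docs/report.pdf",                      # benign, relative, stays in place
    "..\\..\\Users\\Public\\evil.exe",      # classic ../ traversal
    "C:\\Windows\\Temp\\drop.dll",          # absolute path, ignores the dest dir
    "report.pdf:hidden.exe",                # ADS: payload hidden in a stream
    "notes.txt:..\\..\\startup\\run.lnk",   # ADS whose stream name traverses
    "a/b/../../../etc/passwd",              # traversal hidden behind normal dirs
]


def split_stream(name):
    """Return (file_path, stream_name_or_None) for a Windows-style entry name.

    The colon in a drive prefix such as 'C:\\' is not a stream separator, so the
    drive is split off first; any remaining colon introduces an ADS name.
    """
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        path, stream = rest.split(":", 1)
        return drive + path, stream
    return name, None


def has_traversal(path):
    """True if the path would leave its base directory after normalisation.

    ntpath.normpath collapses 'a/b/../..' style sequences, so any '..' that
    survives, or any absolute/drive-qualified result, escapes the base dir.
    """
    norm = ntpath.normpath(path)
    if ntpath.isabs(norm) or ntpath.splitdrive(norm)[0]:
        return True
    return any(part == ".." for part in norm.split("\\"))


def classify_entry(name):
    """Return the list of reasons an entry is unsafe; an empty list means benign."""
    reasons = []
    path, stream = split_stream(name)
    if stream is not None:
        reasons.append("ads")
        if has_traversal(stream):
            reasons.append("ads-traversal")
    if has_traversal(path):
        reasons.append("traversal")
    return reasons


def safe_extract_target(dest, name):
    """Resolve where an entry would land; return None if it must not be written.

    Rejects ADS names outright (an archive has no business writing streams) and
    re-checks containment on the fully joined, normalised target path.
    """
    if classify_entry(name):
        return None
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, name))
    if target != dest_norm and not target.startswith(dest_norm + "\\"):
        return None
    return target


def scan(entries):
    """Map each entry name to its list of findings."""
    return {entry: classify_entry(entry) for entry in entries}


if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_ENTRIES).items():
        verdict = ", ".join(reasons) if reasons else "ok"
        print(f"{entry!r:45} -> {verdict}")
```

The screener uses `ntpath` deliberately so it applies Windows path rules regardless of the host it runs on, which matters when archives are inspected on a Linux mail gateway but will be opened on Windows endpoints. Rejecting any ADS name, rather than only stream names that traverse, is the conservative choice: legitimate archives have no reason to carry them.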
References
- [1] SecurityAffairs. (2026, June 10). Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088. SecurityAffairs. https://securityaffairs.com/193476/apt/russian-apts-still-exploiting-patched-winrar-flaw-cve-2025-8088.html