Gamaredon Exploits WinRAR Path‑Traversal (CVE‑2025‑8088) to Deploy GammaWorm & GammaSteel Targeting Ukrainian Entities
What It Is – A Russian‑linked threat group, Gamaredon (aka Primitive Bear), is weaponising a newly disclosed path‑traversal flaw in WinRAR (CVE‑2025‑8088). The vulnerability allows a crafted RAR archive to write arbitrary files outside the extraction directory, which is used to drop an HTML Application (HTA) payload called GammaPhish. The HTA subsequently installs the data‑stealing GammaWorm and the lateral‑movement tool GammaSteel.
Exploitability – Active exploitation observed in the wild since early 2026; proof‑of‑concept code publicly released. The CVSS v3.1 base score is 8.2 (High), reflecting remote code execution and data‑exfiltration potential.
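The defensive counterpart to the flaw described above is a pre-extraction gate: before any entry is written, its stored name is checked so that it cannot resolve outside the chosen destination. The following is an added example, not code from the advisory, from RARLAB or from any of the tools named here. It assumes the entry names have already been read from an archive listing (a library or the output of a listing command); the sample names are constructed, and the checker deliberately rejects any `..` component even when the path would resolve back inside the destination, since a strict rule is easier to audit than a permissive one. Windows path semantics are applied via `ntpath` so the check behaves the same on any host.

```python
"""Pre-extraction gate for archive entry names (added example, not from the
advisory). Entry names are assumed to come from an archive listing; the
sample names at the bottom are constructed for illustration."""
import ntpath


def is_safe_entry(dest: str, name: str) -> tuple[bool, str]:
    """Return (ok, reason) for one entry name relative to the extraction
    directory `dest`. `name` is the entry name exactly as stored."""
    # Archives may store either separator; normalise to the Windows one.
    rest = name.replace("/", "\\")
    # Absolute, drive-qualified (C:\x) or drive-relative (C:x) paths and UNC
    # paths all escape the destination regardless of what follows.
    drive, rest = ntpath.splitdrive(rest)
    if drive or rest.startswith("\\"):
        return False, "absolute or drive-qualified path"
    # A colon in the remaining name would address an NTFS alternate data
    # stream (file.txt:stream), which hides content from casual inspection.
    if ":" in rest:
        return False, "alternate data stream in name"
    # Any '..' component is the classic traversal primitive; reject it even if
    # the overall path would resolve back inside dest.
    if any(part == ".." for part in rest.split("\\")):
        return False, "parent-directory component"
    # Defence in depth: after normalisation the target must remain under dest.
    base = ntpath.normcase(ntpath.normpath(dest)).rstrip("\\")
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, rest)))
    if not (target == base or target.startswith(base + "\\")):
        return False, "resolved outside destination"
    return True, "ok"


def triage_archive(dest: str, names: list[str]) -> list[tuple[str, str]]:
    """Return [(entry name, reason)] for every entry that must not be
    extracted; an empty list means the archive is safe to unpack into dest."""
    rejected = []
    for n in names:
        ok, reason = is_safe_entry(dest, n)
        if not ok:
            rejected.append((n, reason))
    return rejected


# Constructed sample listing: two benign entries and five that escape or hide.
SAMPLE_ENTRIES = [
    "docs/report.docx",
    "docs\\images\\logo.png",
    "..\\..\\escape.hta",
    "C:\\Windows\\Temp\\x.hta",
    "\\abs\\path.txt",
    "notes.txt:hidden",
    "docs\\..\\..\\escape2.hta",
]

if __name__ == "__main__":
    for entry, why in triage_archive("C:\\Extract", SAMPLE_ENTRIES):
        print(f"REJECT {entry!r}: {why}")
```

In a gateway that unpacks archives automatically (the scenario in Recommended Actions), this check belongs in front of the extraction call, and an archive with any rejected entry should be quarantined as a whole rather than partially extracted.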
Affected Products – WinRAR versions 5.0‑6.2 (any Windows build that supports the vulnerable archive handling). Third‑party applications that automatically extract RAR files (e.g., email gateways, document management systems) are also at risk.
TPRM Impact – Organizations that rely on WinRAR as a third‑party utility expose their supply chain to malicious code injection. Compromise can lead to credential theft, espionage, and further propagation into downstream partners, especially in sectors handling sensitive state or defense data.
Recommended Actions –
- Deploy the WinRAR 6.3 (or later) patch that mitigates CVE‑2025‑8088 across all endpoints.
- Disable automatic extraction of archive files in email and file‑sharing gateways.
- Implement EDR/AV rules to detect the GammaPhish HTA payload and the known IOCs of GammaWorm/GammaSteel.
- Conduct a focused threat‑hunt on systems that have processed RAR files since January 2026.
- Review third‑party risk contracts to ensure vendors maintain up‑to‑date archive utilities.
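The hunt in the actions above can be expressed as a small correlation over endpoint telemetry: an archiver process writing an HTA file inside the advisory's window is a lead, and a later `mshta.exe` launch that references that same file on the same host raises confidence. The following is an added example, not a rule from the advisory or from any EDR vendor. The event records are constructed and simplified (timestamp, host, event kind, acting process, written path or command line); the set of archiver process names and the choice of `.hta` as the trigger are assumptions, since the advisory names the HTA payload but no file paths or hashes, and legitimate archives can contain HTA files, so hits are leads for analyst review rather than verdicts.

```python
"""Threat-hunt correlation over constructed endpoint events (added example,
not from the advisory). Finds HTA files written by an archiver since the
advisory's window opened and mshta.exe launches that reference them."""
from dataclasses import dataclass
from datetime import datetime

# Assumption: these are the archive-handling processes in scope for the hunt.
ARCHIVERS = {"winrar.exe", "unrar.exe"}
# Window named in the advisory: systems that processed RAR files since January 2026.
HUNT_START = datetime(2026, 1, 1)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "file_create" or "process_create"
    image: str   # full path of the acting process
    detail: str  # file written (file_create) or command line (process_create)


def hunt(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (finding type, host, path) tuples in time order."""
    dropped: dict[tuple[str, str], Event] = {}  # (host, lower path) -> write event
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts < HUNT_START:
            continue  # outside the hunt window
        image = e.image.rsplit("\\", 1)[-1].lower()
        if (e.kind == "file_create" and image in ARCHIVERS
                and e.detail.lower().endswith(".hta")):
            # An archiver wrote an HTA: record it and report a lead.
            dropped[(e.host, e.detail.lower())] = e
            findings.append(("archiver_wrote_hta", e.host, e.detail))
        elif e.kind == "process_create" and image == "mshta.exe":
            # Higher confidence: the HTA host launched a file an archiver wrote
            # earlier on the same host.
            for (host, path), drop in dropped.items():
                if host == e.host and path in e.detail.lower():
                    findings.append(("mshta_ran_archiver_drop", e.host, drop.detail))
    return findings


# Constructed sample telemetry (paths and hosts are invented for illustration).
SAMPLE_EVENTS = [
    Event(datetime(2025, 12, 15, 9, 0), "ws-a", "file_create",
          "C:\\Program Files\\WinRAR\\WinRAR.exe", "C:\\Temp\\old.hta"),
    Event(datetime(2026, 2, 3, 10, 0), "ws-a", "file_create",
          "C:\\Program Files\\WinRAR\\WinRAR.exe", "C:\\Users\\alice\\Documents\\report.docx"),
    Event(datetime(2026, 2, 3, 10, 0, 1), "ws-a", "file_create",
          "C:\\Program Files\\WinRAR\\WinRAR.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.hta"),
    Event(datetime(2026, 2, 3, 10, 0, 5), "ws-a", "process_create",
          "C:\\Windows\\System32\\mshta.exe",
          "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.hta"),
    Event(datetime(2026, 2, 4, 8, 30), "ws-b", "file_create",
          "C:\\Program Files\\WinRAR\\UnRAR.exe", "C:\\Users\\bob\\Downloads\\invoice.hta"),
    Event(datetime(2026, 2, 4, 8, 31), "ws-b", "process_create",
          "C:\\Windows\\System32\\mshta.exe", "mshta.exe C:\\Users\\bob\\other.hta"),
]

if __name__ == "__main__":
    for kind, host, path in hunt(SAMPLE_EVENTS):
        print(f"{kind:26} {host:6} {path}")
```

The December event is dropped by the window check, the `.docx` write is ignored, and the `mshta.exe` launch on `ws-b` is not promoted because it references a file no archiver wrote; the output is therefore two archiver leads and one higher-confidence correlation on `ws-a`.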
Source: The Hacker News