Gamaredon Exploits WinRAR CVE‑2025‑8088 to Deploy Modular Spyware Against Ukrainian Targets
What Happened — In early 2026 the Russia‑linked APT group Gamaredon began weaponising a newly disclosed WinRAR path‑traversal flaw (CVE‑2025‑8088). A malicious XHTML attachment triggers HTML smuggling, drops a RAR archive that extracts a hidden HTA file into the Windows Startup folder, and launches a modular, near‑fileless espionage framework that communicates via Telegram.
Why It Matters for TPRM —
- The attack chain leverages a widely deployed third‑party utility (WinRAR), meaning any vendor that ships it to employees or customers inherits the risk.
- Modular, fileless payloads evade many traditional AV solutions, increasing the chance of successful compromise of supply‑chain partners.
- Use of public‑facing services (Telegram) for C2 complicates network‑level detection for downstream organizations.
Who Is Affected — Government agencies, critical infrastructure operators, and any Ukrainian‑focused entities that receive spear‑phishing attachments; vendors that provide WinRAR or rely on it for internal workflows.
Recommended Actions —
- Verify that all WinRAR installations are upgraded to version 7.13 or later.
- Enforce strict attachment scanning and HTML‑smuggling detection on email gateways.
- Deploy endpoint monitoring for anomalous HTA execution and startup‑folder writes.
- Review third‑party risk contracts for clauses covering timely patching of bundled utilities.
Technical Notes — The initial vector is a spear‑phishing XHTML file that silently pings a Supabase endpoint for open‑tracking. HTML smuggling delivers a RAR archive exploiting CVE‑2025‑8088 (path traversal). The extracted HTA runs via mshta.exe, pulls a remote payload, and activates the “Gamma” family (GammaPhish, GammaLoad, GammaWorm, GammaSteel, GammaWipe). Communication is routed through Telegram bots, providing a resilient C2 channel. Source: Security Affairs
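The "anomalous HTA execution and startup‑folder writes" monitoring recommended above, as an added detection example that is not part of the original brief: it correlates an archiver process writing an .hta into the Startup folder with a subsequent mshta.exe launch on the same host. The event records are constructed, Sysmon‑like dictionaries, and the field names (ts, host, event, image, target, cmd) are an assumption for illustration.

```python
"""Correlate two signals from the described chain: WinRAR.exe dropping an .hta
into the Startup folder, then mshta.exe executing within a time window.
Added example; event shape and field names are assumed, not real telemetry."""
import re
from datetime import datetime, timedelta

# Startup-folder .hta write (case-insensitive, path with backslashes).
STARTUP_HTA_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.hta$", re.I)
ARCHIVER_RE = re.compile(r"\\winrar\.exe$", re.I)
MSHTA_RE = re.compile(r"\\mshta\.exe$", re.I)


def startup_hta_write(ev):
    """True when an archiver process creates an .hta inside the Startup folder."""
    return (ev["event"] == "FileCreate"
            and bool(ARCHIVER_RE.search(ev["image"]))
            and bool(STARTUP_HTA_RE.search(ev["target"])))


def mshta_exec(ev):
    """True for any mshta.exe process creation; parent is not required."""
    return ev["event"] == "ProcessCreate" and bool(MSHTA_RE.search(ev["image"]))


def correlate(events, window_min=60):
    """One alert per Startup .hta write; severity 'high' when mshta.exe runs on
    the same host within window_min minutes afterwards, else 'medium'."""
    writes = [e for e in events if startup_hta_write(e)]
    execs = [e for e in events if mshta_exec(e)]
    alerts = []
    for w in writes:
        t0 = datetime.fromisoformat(w["ts"])
        follow = [x for x in execs if x["host"] == w["host"]
                  and t0 <= datetime.fromisoformat(x["ts"]) <= t0 + timedelta(minutes=window_min)]
        alerts.append({"host": w["host"], "file": w["target"],
                       "severity": "high" if follow else "medium",
                       "mshta_cmd": follow[0]["cmd"] if follow else None})
    return alerts


# Constructed sample events (not real telemetry): one suspicious chain on ws-01,
# one benign WinRAR extraction on ws-02.
SAMPLE_EVENTS = [
    {"ts": "2026-01-15T09:01:10", "host": "ws-01", "event": "FileCreate",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"ts": "2026-01-15T09:03:42", "host": "ws-01", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"'},
    {"ts": "2026-01-15T09:05:00", "host": "ws-02", "event": "FileCreate",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\v\Documents\report.docx"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In production the same two predicates map onto Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate); the Startup‑folder write alone is worth a medium alert because persistence is established before mshta.exe ever runs.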