Two Russian-aligned hacker groups exploit a year-old WinRAR flaw to target Ukraine. Learn how the attack works and how to protect yourself with simple updates.
Two Russian-aligned hacker groups are still using an old WinRAR flaw to attack Ukrainian organizations, even though the fix came out almost a year ago. That's a big deal because it shows how slow some folks are to patch their software.
Security researchers at Trend Micro spotted the activity. They blame two groups: Earth Dahu (also known as Gamaredon) and SHADOW-EARTH-066 (also called UAC-0226). These groups are exploiting a bug tagged as CVE-2025-8088, a path traversal flaw in WinRAR. In plain terms, a crafted archive can trick the extraction tool into writing files outside the folder the user chose, which lets attackers plant malicious files where they don't belong.

### What's the Big Deal?
Think of it this way: WinRAR is like a digital suitcase. Normally, when you unpack it, files go where they're supposed to. But this flaw is like a suitcase with a false bottom: it lets attackers hide dangerous items inside, and when you unpack it, those items end up in places you didn't expect. Once inside, they can steal data, install malware, or take control of your system.
The scary part? These groups have been using this trick for almost a year after the patch came out. That means many organizations haven't updated their WinRAR software. It's a classic case of "patch fatigue": people get tired of updates and ignore them.

### Who's Behind the Attacks?
Here's a quick breakdown of the groups involved:
- **Earth Dahu (Gamaredon)**: This group has been around since at least 2013. They're known for targeting Ukrainian government and military organizations. They usually use phishing emails with malicious attachments.
- **SHADOW-EARTH-066 (UAC-0226)**: A newer group that seems to work alongside Earth Dahu. They focus on stealing credentials and sensitive data.
Both groups are believed to be linked to Russian intelligence services. Their goal is to gather intelligence and disrupt Ukrainian operations.

### How the Attack Works
The attack starts with a phishing email. The victim receives a message that looks legitimate, maybe about an invoice or a document from a colleague. Attached is a WinRAR archive file. When the victim opens it, the path traversal flaw kicks in, placing malware in system folders. From there, the attacker can run commands, steal files, or install more dangerous software like info-stealers.
> "If you haven't updated WinRAR since last year, you're leaving the door wide open for these attacks." - Security expert comment
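As an added illustration (not code from Trend Micro or from this article), here is the kind of destination check an archive extractor needs so that an entry can never be written outside the folder the user picked, which is exactly what a path traversal flaw like this one bypasses. The entry names are a constructed sample; the colon rule covers NTFS alternate data streams, a detail not stated in the article.

```python
import os

# Constructed sample of entry names as an extractor would read them from an
# archive. Only the first two belong inside the chosen extraction folder.
SAMPLE_ENTRIES = [
    "invoice/March.pdf",
    "docs\\readme.txt",
    "../../Users/Public/start.exe",                # parent-directory climb
    "..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",  # absolute path with drive letter
    "\\\\server\\share\\payload.dll",              # UNC path
    "notes.txt:hidden.exe",                        # NTFS alternate data stream
]


def is_safe_entry(name: str) -> bool:
    """Lexical check: True only if the name can land inside the destination.
    Rejects empty/NUL names, absolute or UNC paths, '..' parts, and any colon
    ('C:' drive prefix or 'file:stream' alternate data stream)."""
    if not name or "\0" in name:
        return False
    normalised = name.replace("\\", "/")      # treat both slash styles alike
    if normalised.startswith("/") or ":" in normalised:
        return False
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    return bool(parts) and ".." not in parts


def plan_extraction(entries, dest):
    """Return (accepted, rejected); accepted maps entry name -> final path.
    The resolved target must stay under the resolved destination folder."""
    dest_root = os.path.realpath(dest)
    accepted, rejected = {}, []
    for name in entries:
        if not is_safe_entry(name):
            rejected.append(name)
            continue
        parts = [p for p in name.replace("\\", "/").split("/") if p]
        target = os.path.realpath(os.path.join(dest_root, *parts))
        if os.path.commonpath([dest_root, target]) != dest_root:
            rejected.append(name)
            continue
        accepted[name] = target
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_extraction(SAMPLE_ENTRIES, "extracted")
    print("would extract:", sorted(ok), "| rejected:", len(bad))
```

The second, resolved-path comparison is the safety net: even if a name slips past the string rules, it is refused unless its final location is under the destination.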
### What You Can Do
Protecting yourself doesn't require a PhD in cybersecurity. Here are a few simple steps:
- **Update WinRAR immediately**. Go to the official website and download the latest version. This closes the path traversal loophole.
- **Be careful with email attachments**. If you weren't expecting a file, don't open it. Even if it looks familiar, double-check with the sender.
- **Use antivirus software**. Modern tools can detect and block exploits like this one before they cause damage.
- **Enable automatic updates for all software**. It's the easiest way to stay safe without remembering to patch every month.
### The Bottom Line
This story is a reminder that hackers don't need fancy new tricks to cause damage. They often use old, well-known flaws because they know many people won't bother to patch. The WinRAR bug is a perfect example: a year-old vulnerability still being exploited successfully.
For organizations in Ukraine, and honestly anywhere, the takeaway is clear: keep your software updated, train your staff to spot phishing, and don't assume you're safe just because a patch exists. Cyber threats don't take breaks, and neither should your defenses.
If you're running a business or managing sensitive data, treat software updates like changing the oil in your car. Skip it, and you're asking for trouble down the road.