#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives.
The same CVE was recently seen exploited in the wild by other groups (e.g., RomCom), as described by ESET Research in a blog post: https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
Now, Gamaredon is abusing it to drop malicious payloads via spearphishing lures, targeting Ukrainian governmental entities.
CVE-2025-8088 abuses a flaw in WinRAR’s handling of file paths in RAR archives. By crafting an archive entry whose NTFS alternate data stream (ADS) name contains ..\..\ sequences, attackers can write files outside the extraction directory, which allows dropping files into the Startup folder.
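The defensive counterpart of the mechanism just described is a check on archive entry names before anything is written to disk. The script below is an added example, not ESET's or WinRAR's code: it normalises each entry name, splits off the ADS part (the text after the first colon, unless the colon belongs to a drive letter) and flags any entry whose file name or ADS name would climb above the extraction directory or names an absolute path. Every entry name in it is constructed for illustration.

```python
"""Added example (not ESET's code): a pre-extraction check that flags archive
entry names which would escape the extraction directory, including the case
this thread describes, where the '..\\..\\' sequence sits in the NTFS alternate
data stream (ADS) part of the name rather than in the file name itself.
All entry names below are constructed for illustration."""
import posixpath
import re

# 'C:\' or 'C:/' at the start of a name: an absolute Windows path, not an ADS.
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def _escapes_root(path: str) -> bool:
    """True if the path is absolute or, once normalised, climbs above '.'."""
    p = path.replace("\\", "/")
    if p.startswith("/") or _DRIVE.match(p):
        return True
    norm = posixpath.normpath(p)
    return norm == ".." or norm.startswith("../")


def classify_entry(name: str) -> dict:
    """Split 'file.ext:stream' into file and ADS parts and check both."""
    if _DRIVE.match(name):
        file_part, stream = name, ""          # drive colon is not an ADS separator
    else:
        file_part, _, stream = name.partition(":")
    file_bad = _escapes_root(file_part)
    ads_bad = bool(stream) and _escapes_root(stream)
    return {
        "name": name,
        "file": file_part,
        "stream": stream or None,
        "file_traversal": file_bad,
        "ads_traversal": ads_bad,
        "unsafe": file_bad or ads_bad,
    }


def scan_entries(names):
    """Return the classifications of every entry that must not be extracted."""
    return [c for c in map(classify_entry, names) if c["unsafe"]]


# Constructed sample listing (what an archive lister would report).
SAMPLE_ENTRIES = [
    "invoice.pdf",                      # plain file, safe
    "docs\\report.docx",                # subdirectory, safe
    "a\\..\\b.txt",                     # normalises to b.txt, safe
    "notes.txt:Zone.Identifier",        # benign ADS, safe
    "..\\..\\dropper.exe",              # traversal in the file name
    "invoice.pdf:..\\..\\payload.vbs",  # traversal hidden in the ADS name
    "C:\\Windows\\Temp\\x.txt",         # absolute path
]

if __name__ == "__main__":
    for hit in scan_entries(SAMPLE_ENTRIES):
        where = "ADS" if hit["ads_traversal"] else "file name"
        print(f"BLOCK {hit['name']!r}: traversal in {where}")
```

The point of checking the ADS part separately is that a listing which only looks at the file name sees a harmless `invoice.pdf` while the stream name carries the traversal; the same check applies to any extractor that honours `file:stream` names on NTFS.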
IoCs:
🚨 VBS/Pterodo.CFC trojan
📄 6DF9312CD3EA11D94A01C4663C07907F6DFC59CB
D23B477B0103AFA8691E9AE9CE50912A2EA50D3B
AC6F459A218532F183004798936BB1A239349C20
0CDC5544413E80F78212E418E7936308A285E8DC
67A99D1D57116CD10B7082814B8CF25EB1FB9007
C8138F1CDD65FB4A3C93A7F7514C0133781FB89B
CDB0F9C6FC4120EFB911F5BB4E801300992BD560
CA0151D9AEE5408F3080CA108FA4EEB2C6785628
4626615651A9CC8CE0FD078DF281CA275D6D28C4
3EA2987D67A16450313E5DCC80C15C956F758486
0FC8B3117692C21A1750473771BCFB5D60CE306A
🌐 documents-pdf.serveftp[.]com
document-ua.serveftp[.]com
pdf-download.serveftp[.]com
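To put the indicators above to use, a defender re-fangs the domains and sweeps DNS logs and file inventories for them. The script below is an added example and not part of the ESET thread: the SHA-1 hashes and domains are the ones published above, while the resolver log lines, client addresses and file paths are constructed for illustration. Domain matching is subdomain-aware but deliberately does not match the shared parent zone `serveftp.com` on its own.

```python
"""Added example, not part of the ESET thread: loads the indicators published
above, re-fangs the defanged domains, and matches them against constructed
sample records of the kind a defender pulls from DNS resolver logs and an EDR
file inventory. The hashes and domains are the thread's; every log line,
client address and file path below is invented for illustration."""
import re
from typing import List, Optional, Tuple

IOC_SHA1 = {
    "6DF9312CD3EA11D94A01C4663C07907F6DFC59CB",
    "D23B477B0103AFA8691E9AE9CE50912A2EA50D3B",
    "AC6F459A218532F183004798936BB1A239349C20",
    "0CDC5544413E80F78212E418E7936308A285E8DC",
    "67A99D1D57116CD10B7082814B8CF25EB1FB9007",
    "C8138F1CDD65FB4A3C93A7F7514C0133781FB89B",
    "CDB0F9C6FC4120EFB911F5BB4E801300992BD560",
    "CA0151D9AEE5408F3080CA108FA4EEB2C6785628",
    "4626615651A9CC8CE0FD078DF281CA275D6D28C4",
    "3EA2987D67A16450313E5DCC80C15C956F758486",
    "0FC8B3117692C21A1750473771BCFB5D60CE306A",
}

IOC_DOMAINS_DEFANGED = [
    "documents-pdf.serveftp[.]com",
    "document-ua.serveftp[.]com",
    "pdf-download.serveftp[.]com",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging ('[.]', '(.)', 'hxxp') so the value can be matched."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(qname: str) -> Optional[str]:
    """Return the matching indicator for an exact or subdomain hit, else None.
    The parent 'serveftp.com' is a shared dynamic-DNS zone and is deliberately
    not matched on its own."""
    q = qname.strip().lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed resolver log format: '<ts> client <ip> query: <qname> <type>'.
SAMPLE_DNS_LOG = [
    "2025-09-12T10:14:03Z client 10.1.2.33 query: documents-pdf.serveftp.com A",
    "2025-09-12T10:14:05Z client 10.1.2.34 query: intranet.example.local A",
    "2025-09-12T10:14:09Z client 10.1.2.35 query: serveftp.com A",
    "2025-09-12T10:15:41Z client 10.1.2.36 query: PDF-Download.serveftp.com. A",
]
DNS_LINE = re.compile(r"client (?P<client>\S+) query: (?P<qname>\S+)")


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, queried name, matched indicator) for every line that hits."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        ioc = domain_matches(m["qname"])
        if ioc:
            hits.append((m["client"], m["qname"], ioc))
    return hits


# Constructed EDR inventory rows: (path, sha1). One row reuses a hash from the
# thread, in lowercase, to show that matching is case-insensitive.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\invoice.rar", "0" * 40),
    ("C:\\Users\\alice\\Downloads\\attachment.vbs",
     "ac6f459a218532f183004798936bb1a239349c20"),
]


def scan_inventory(rows):
    """Rows whose SHA-1 is one of the published indicators."""
    return [(path, sha1) for path, sha1 in rows
            if sha1.strip().upper() in IOC_SHA1]


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {qname} (indicator {ioc})")
    for path, sha1 in scan_inventory(SAMPLE_INVENTORY):
        print(f"File hit: {path} sha1={sha1}")
```

Trailing dots and mixed case in queried names are normalised before comparison, and hash comparison is case-insensitive, since EDR exports and log sources differ in both.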