Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088

A campaign exploiting the WinRAR path-traversal vulnerability CVE-2025-8088 has been actively targeting Ukraine since February 2026, with ongoing activity through June 2026. The operation uses Ukrainian military and conscription-themed documents as lures, distributed as RAR archives. The malicious archives contain NTFS alternate data streams with path-traversal sequences that automatically place LNK files into the Windows Startup folder upon extraction. These shortcuts execute hidden PowerShell stagers incorporating anti-analysis techniques including debugger checks, disk-space verification, and sleep delays to evade sandbox detection. The persistent nature of the attacks demonstrates continuous targeting of Ukrainian entities over a four-month period using social engineering focused on military documentation themes.

Pulse ID: 6a34c6344468a941c924c02c
Pulse Link: https://otx.alienvault.com/pulse/6a34c6344468a941c924c02c
Pulse Author: AlienVault
Created: 2026-06-19 04:31:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Gamaredon #InfoSec #LNK #Military #OTX #OpenThreatExchange #PowerShell #RAT #SocialEngineering #UK #Ukr #Ukraine #Ukrainian #Vulnerability #WinRAR #Windows #bot #AlienVault