Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
Summary
The Russian hacking group Gamaredon is exploiting a WinRAR vulnerability (CVE-2025-8088) to deliver malware like GammaWorm and GammaSteel against Ukraine. This activity aims at data theft and network propagation, utilizing an HTML Application payload called GammaPhish to retrieve further malicious content.
IFF Assessment
This article details the ongoing exploitation of a vulnerability by a known threat actor group, indicating an increased risk and active threat to targeted entities.
Severity
The CVE-2025-8088 vulnerability is a path traversal flaw, which could allow an attacker to write files outside of the intended extraction directory. While no direct remote code execution is explicitly stated, the ability to control where files are written is a significant security risk, especially when used to deliver malicious payloads. A score of 7.5 reflects its high severity, given its potential impact and the ease with which it can be chained with other steps.
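As an added example for this page (not code from WinRAR, its vendor, or the researchers reporting this campaign), the check below shows the mechanism behind the path traversal class described above and a pre-extraction audit for it: each archive entry name is normalized, absolute and parent-directory names are rejected, and the location where a naive extractor would write the entry is resolved against an assumed destination directory. The names in SAMPLE_ENTRIES are constructed samples, not entries from any real archive.

```python
import posixpath
import re

_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # "C:" style prefix on Windows

def classify_entry(name):
    """Return 'ok', or the reason the entry name is unsafe to extract as-is."""
    if not name:
        return "empty name"
    unified = name.replace("\\", "/")  # judge Windows and POSIX names alike
    if _DRIVE_RE.match(unified) or unified.startswith("//"):
        return "absolute path (drive letter or UNC)"
    if unified.startswith("/"):
        return "absolute path"
    normalized = posixpath.normpath(unified)  # collapses "." and inner ".."
    if normalized == ".." or normalized.startswith("../"):
        return "parent-directory traversal"
    return "ok"

def extraction_target(name, dest):
    """Where a naive extractor that simply joins dest and name would write."""
    return posixpath.normpath(posixpath.join(dest, name.replace("\\", "/")))

def within_dest(name, dest):
    """True if the resolved target stays inside the destination directory."""
    dest_norm = posixpath.normpath(dest)
    target = extraction_target(name, dest)
    return target == dest_norm or target.startswith(dest_norm.rstrip("/") + "/")

def audit_entries(entries, dest):
    """Return (entry, reason, resolved target) for every entry to reject."""
    findings = []
    for entry in entries:
        reason = classify_entry(entry)
        if reason == "ok" and not within_dest(entry, dest):
            reason = "resolves outside destination"
        if reason != "ok":
            findings.append((entry, reason, extraction_target(entry, dest)))
    return findings

SAMPLE_ENTRIES = [  # constructed sample names, not taken from any real archive
    "report/2025-q3.docx",
    "../../../escaped.txt",
    "..\\..\\escaped.hta",
    "C:\\ProgramData\\escaped.hta",
    "\\\\server\\share\\escaped.exe",
    "docs/./readme.txt",
]
```

Running `audit_entries(SAMPLE_ENTRIES, "/home/user/extract")` rejects the four escaping names and reports the path each would have landed on, which is the information to log when such an archive is quarantined.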
CISA KEV: Listed as actively exploited. Federal patch due: September 02, 2025. Known ransomware use: Unknown.
Defender Context
Defenders should be aware of Gamaredon's continued activity and their use of known vulnerabilities like CVE-2025-8088 in WinRAR. Organizations using WinRAR should prioritize patching this vulnerability and remain vigilant for suspicious files and network activity indicative of GammaWorm or GammaSteel malware.