<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>State-Sponsored on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/state-sponsored/</link><description>Recent content in State-Sponsored on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Tue, 02 Jun 2026 18:21:49 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/state-sponsored/index.xml" rel="self" type="application/rss+xml"/><item><title>Gamaredon Exploits WinRAR CVE-2025-8088 Malware</title><link>https://zxcloudsecurity.co.uk/posts/gamaredon-winrar-cve-2025-8088-gammaworm-gammasteel-ukraine/</link><pubDate>Tue, 02 Jun 2026 18:21:49 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/gamaredon-winrar-cve-2025-8088-gammaworm-gammasteel-ukraine/</guid><description>Russian APT Gamaredon exploits WinRAR path traversal flaw CVE-2025-8088 to deploy GammaWorm and GammaSteel malware against Ukrainian targets.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html">The Hacker News</a></p>
<hr>
<p>Russian state-linked threat group Gamaredon is actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to deploy a chain of malware against Ukrainian targets. The attack begins with an HTML Application payload (GammaPhish), which then downloads further malware, including GammaWorm and GammaSteel, designed for data theft and lateral propagation. This is a targeted, state-sponsored campaign with significant implications for organisations operating in or with Ukraine.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Ensure WinRAR is patched to a version addressing CVE-2025-8088 across all endpoints, and consider blocking HTA file execution via AppLocker or Windows Defender Application Control policies. Cloud-connected environments should review egress controls and data exfiltration detection rules, particularly for workloads with access to sensitive data stores.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html">Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine</a></p>
]]></content:encoded></item></channel></rss>