Gamaredon, a persistent threat actor known for targeting Eastern European government agencies, has launched a new, sophisticated phishing campaign that exploits a critical path-traversal vulnerability in WinRAR to deploy malware silently.
The campaign leverages CVE-2025-8088, a WinRAR vulnerability that allows attackers to bypass security controls and automatically extract malicious files to arbitrary system locations without requiring user interaction beyond opening an innocuous PDF attachment.
The attack chain is notable for its operational technique. Adversaries craft weaponized RAR archives containing two components: a legitimate-appearing PDF file designed to deceive victims and a malicious HTML Application (HTA) file configured for execution.
When targets extract or interact with the archive, CVE-2025-8088 triggers automatic path traversal, silently depositing the HTA malware directly into the Windows Startup folder.
This delivery mechanism gives the malware persistence and execution on the next system reboot, circumventing defenses that rely on user awareness.
Path Traversal Exploitation Enables Silent Malware Deployment
The weaponized RAR archives exploit CVE-2025-8088 to manipulate file-extraction paths, allowing attackers to place malicious HTA files directly in the Windows Startup folder without triggering security warnings.
When victims open the benign-looking PDF document contained within the archive, the vulnerability silently executes in the background, establishing persistence mechanisms that activate upon the next system restart.
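The extraction-path manipulation described above can be caught before extraction by inspecting an archive's entry names. The following is an added triage example (not code from the report or from WinRAR) that flags entries which escape the extraction directory, resolve into a Windows Startup folder, or carry an auto-run extension; the extraction directory and the entry names are constructed assumptions.

```python
"""Archive-listing triage for the pattern described above: an entry that uses
path traversal to escape the extraction directory and drop an HTA (auto-run)
file into a Windows Startup folder. Added example; entry names are constructed."""
import ntpath

# File types Windows runs from a Startup folder at logon without further prompts.
AUTORUN_EXTS = {".hta", ".exe", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".scr"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
DEFAULT_DIR = r"C:\Users\victim\Downloads"  # assumed extraction directory

def analyse_entry(name, extract_dir=DEFAULT_DIR):
    """Return the findings for one archive entry name, using Windows path rules."""
    findings = []
    win = name.replace("/", "\\")
    if win.startswith("\\") or ntpath.splitdrive(win)[0]:
        findings.append("absolute-path")      # rooted, drive-letter or UNC target
    if ".." in win.split("\\"):
        findings.append("traversal")          # literal '..' component
    # Where a naive extractor would actually write this entry.
    base = ntpath.normpath(extract_dir).lower()
    resolved = ntpath.normpath(ntpath.join(extract_dir, win))
    if not resolved.lower().startswith(base + "\\"):
        findings.append("escapes-extract-dir")
    if STARTUP_MARKER in resolved.lower() + "\\":
        findings.append("startup-folder")
    if ntpath.splitext(resolved)[1].lower() in AUTORUN_EXTS:
        findings.append("autorun-extension")
    return findings

def verdict(findings):
    """Collapse findings into a severity for a triage report."""
    if {"escapes-extract-dir", "startup-folder", "autorun-extension"} <= set(findings):
        return "critical"  # the persistence drop described in the report
    if "escapes-extract-dir" in findings:
        return "high"      # any write outside the extraction directory
    if "autorun-extension" in findings:
        return "info"      # auto-run type, but confined to the extraction directory
    return "clean"

def triage(names, extract_dir=DEFAULT_DIR):
    """Map each entry name to (verdict, findings)."""
    report = {}
    for n in names:
        f = analyse_entry(n, extract_dir)
        report[n] = (verdict(f), f)
    return report

# Constructed listing: a decoy document plus a traversal entry aimed at Startup.
SAMPLE_ENTRIES = ["Invoice_2025.pdf",
    "..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Invoice.hta"]
```

Feed it the entry names from `rar l` or an archive library's listing; anything rated high or critical warrants quarantine before a user ever extracts the file.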
Threat researchers have identified three command-and-control domains facilitating the campaign: create-pdf[.]serveftp[.]com, furnishings-ranger-lodge-assists[.]trycloudflare[.]com, and acess-pdf[.]webhop[.]me, utilizing legitimate cloud hosting services to obfuscate malicious infrastructure.
Gamaredon Continues Aggressive Government Targeting Pattern
This campaign represents a continuation of Gamaredon’s persistent espionage operations against government entities, demonstrating the threat group’s rapid adaptation to emerging vulnerabilities.
Security analysts have catalogued three associated malware samples with SHA-256 hashes, enabling threat intelligence teams to implement detection signatures across security infrastructure.
Organizations should immediately update WinRAR to a patched version, restrict HTA file execution through application whitelisting, and monitor Startup folders for unauthorized executable files to defend against this campaign.
Files (SHA-256):
d8a90dec1eb023fae2cd31f06e46614c4fd2bbd62fb45434cf051a47d4cf3552
f09cbc3941c32d2088afc64937311fbabd021967280cdcfd97c74bceed57a646
d863da409f87fb18c077b3ae64eea30aec6cdff67463a66f2caca694ee9761a0