Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

    Date: 06/09/2026

    Severity: High

    Summary

    Multiple threat groups, including the Russia-aligned Gamaredon (Earth Dahu) and SHADOW-EARTH-066, continue to exploit CVE-2025-8088, a path traversal vulnerability in WinRAR that was patched in July 2025 (WinRAR 7.13), to target Ukrainian organizations with crafted archives. The campaigns deliver malware such as the GIFTEDCROOK information stealer and other espionage tools that harvest credentials, browser session cookies, and sensitive documents. WinRAR has no automatic update mechanism, so every installation has to be upgraded by hand or through the organization's own software deployment tooling; the continued abuse of this vulnerability shows how such widely used, unmanaged software remains an effective entry point for cyberespionage long after a fix is available. Defenders should inventory WinRAR versions across the fleet and treat anything below 7.13 as exposed.

    Indicators of Compromise (IOC) List

    Domains/URLs

    astrocaf.com

    https://166.0.132.237:7044/rcv/

    https://136.0.141.41:9580/rcv/

    https://136.0.141.138:8406/rcv/

    https://38.225.209.229:9623/rcv/

    IP Addresses

    166.0.132.237

    136.0.141.41

    136.0.141.138

    38.225.209.229

    136.0.141.112

    38.225.209.122

    23.26.237.80

    194.58.66.82

    194.58.66.53

    Hashes (SHA-256)

    3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25

    44f6f7ba668fc645129d66353e6f60402822ae929ce54648cae0bba6348a18ea

    718465f44c0680740fb61790eda3d2f4c5218c9de0c560299c580fa1602dc9c7

    8150b2b39fa62fa2de177ed8526c621a3581c0eb481dd9740fc5894ce2b7c13b

    e9d6938c9980cab735e8fb2eaa082ddc6f5dd7f2ff84d8ece01e8caaefdbb930

    65c053030558b4a3588e2590c5c4961a9912180b731686deb3f4c831e765a095

    37b42a83715f7a34e00d3458d4f4b6e53b8c95372677ce020a2e38e80e60ba87

    7200a9f1e1ea51b66ab9c9274e9d8f805633179634e8ff4dcb8ef82bc02518df

    2d9adb7932b7842dfb0e0f453b87e5d28dd4552094105e6340bad009956d8c2b

    4e21c4c97aeb391473ee1e44961676f32de2ee8b56ecb136c1d8081df97c3db4

    6083aac5376b7ca74cc363e0d66f70beaffee543d098c612b820b16fbfb0aa52

    e08dcb80346ded2bb2393a180e3f2612ed4c2ff0d3842390a5b527d003060212

    3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59

    2a8ea9f1ad8936fb302243faa64b91c5767df411923715cbdb1a869e3bfd7e6d

    507b2fcdae058cebbd550965b90c44e878d7a2463058c846eeb68f0dc1b48eda

    1c170b7470d507378ddb78e9d66305f1184e965baaf2d27ededb23a318a58953

    bf338d88f60c0d352cd0d1b5e4bc6a1d9f1ac8fe1df48516ec0042cafda821e9

    f9d2907d6b1de3078a0f111cc98764a92baf5ebd06cc8ab02637a65eff3b7f3a

    f668bd551859007cf2cc2a62bf0bf5414870a04e9782590c9bf85c849ddb308b

    d1d26b0f68e26ac591848796aeef7b9c766442bbff47af8823f9b23d1b588836

    89d20418450b34efe698bd36214100cfa49f60adf1c39a8bc8d65991b1ce2c23

    ce78748acd8e9be741b143ad716d735dc682bd5a010427a199744b81456f8e35

    378809699c7252dc38b31969b9cc40858397759f15d6e418246dfaba9088fdd1

    7d3ba419751e5ea52b567e1162f6a366bf3d06c44c8956a9f14520e9fb6ed0b1

    a717dd74c01fcfce35a28f374e1c6f9ded06d6f7b0cc04618ce9454ad64febb8

    dc5082b07eb994ddee343a4080dce0a9ec2e891e5690654e24ae74ba9eabe422

    b01f31c9541579ad34f4e50acafec252eb419f5b1ca98155e0ec84c19d12c9e4

    82fda6ea769d61aba230c3487787087cec53dd378e22f22a8fb8f0bd5ae83ded

    77963398e2c5c2fdf9d28d9c5f9c2791cfbf422ba02225e01635dd7f5b31eff8

    e6bd725a2af981cd2b5c2217c1d7d906369d8daf48f02023fb73635f9e2b9659

    023c8f8e2a71da2044e3f04ac74c8b3616f417436476cea85222f01119615979

    2a6ce2445c096fc5e577a0af513ba6f4fb8a8097764c7df81824a782e07e7f65

    c2527a907b209bc4ce911e36b79781ec260f0851eeb466dbeb386d67fec11467

    22b07d2af98bb180474c33d93861124bbdf9b5dd7e42a8bddc654310469a9a2c

    68bafc624a4c0d11ef7a949c0077c704aa5ba0a3205fe5b62d29b727b46ccfe4

    276789b3b946753e9be482219bc4526da2da8772701f3b9d00c74038e2604ece

    5d164b6d74dae9fe3022bc3cf453cd8b846e9cdc0cd616246fe620be88e3f1e5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "astrocaf.com" or url like "astrocaf.com" or siteurl like "astrocaf.com" or domainname like "https://136.0.141.138:8406/rcv/" or url like "https://136.0.141.138:8406/rcv/" or siteurl like "https://136.0.141.138:8406/rcv/" or domainname like "https://166.0.132.237:7044/rcv/" or siteurl like "https://166.0.132.237:7044/rcv/" or url like "https://166.0.132.237:7044/rcv/" or domainname like "https://136.0.141.41:9580/rcv/" or siteurl like "https://136.0.141.41:9580/rcv/" or url like "https://136.0.141.41:9580/rcv/" or domainname like "https://38.225.209.229:9623/rcv/" or siteurl like "https://38.225.209.229:9623/rcv/" or url like "https://38.225.209.229:9623/rcv/"

    Detection Query 2:

    dstipaddress IN ("194.58.66.82","136.0.141.138","166.0.132.237","136.0.141.41","38.225.209.229","136.0.141.112","38.225.209.122","23.26.237.80","194.58.66.53") or srcipaddress IN ("194.58.66.82","136.0.141.138","166.0.132.237","136.0.141.41","38.225.209.229","136.0.141.112","38.225.209.122","23.26.237.80","194.58.66.53")

    Detection Query 3:

    sha256hash IN ("b01f31c9541579ad34f4e50acafec252eb419f5b1ca98155e0ec84c19d12c9e4","7200a9f1e1ea51b66ab9c9274e9d8f805633179634e8ff4dcb8ef82bc02518df","44f6f7ba668fc645129d66353e6f60402822ae929ce54648cae0bba6348a18ea","a717dd74c01fcfce35a28f374e1c6f9ded06d6f7b0cc04618ce9454ad64febb8","37b42a83715f7a34e00d3458d4f4b6e53b8c95372677ce020a2e38e80e60ba87","e9d6938c9980cab735e8fb2eaa082ddc6f5dd7f2ff84d8ece01e8caaefdbb930","3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25","8150b2b39fa62fa2de177ed8526c621a3581c0eb481dd9740fc5894ce2b7c13b","f668bd551859007cf2cc2a62bf0bf5414870a04e9782590c9bf85c849ddb308b","e08dcb80346ded2bb2393a180e3f2612ed4c2ff0d3842390a5b527d003060212","718465f44c0680740fb61790eda3d2f4c5218c9de0c560299c580fa1602dc9c7","65c053030558b4a3588e2590c5c4961a9912180b731686deb3f4c831e765a095","1c170b7470d507378ddb78e9d66305f1184e965baaf2d27ededb23a318a58953","f9d2907d6b1de3078a0f111cc98764a92baf5ebd06cc8ab02637a65eff3b7f3a","d1d26b0f68e26ac591848796aeef7b9c766442bbff47af8823f9b23d1b588836","ce78748acd8e9be741b143ad716d735dc682bd5a010427a199744b81456f8e35","6083aac5376b7ca74cc363e0d66f70beaffee543d098c612b820b16fbfb0aa52","e6bd725a2af981cd2b5c2217c1d7d906369d8daf48f02023fb73635f9e2b9659","2a8ea9f1ad8936fb302243faa64b91c5767df411923715cbdb1a869e3bfd7e6d","bf338d88f60c0d352cd0d1b5e4bc6a1d9f1ac8fe1df48516ec0042cafda821e9","507b2fcdae058cebbd550965b90c44e878d7a2463058c846eeb68f0dc1b48eda","2d9adb7932b7842dfb0e0f453b87e5d28dd4552094105e6340bad009956d8c2b","4e21c4c97aeb391473ee1e44961676f32de2ee8b56ecb136c1d8081df97c3db4","3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59","89d20418450b34efe698bd36214100cfa49f60adf1c39a8bc8d65991b1ce2c23","378809699c7252dc38b31969b9cc40858397759f15d6e418246dfaba9088fdd1","7d3ba419751e5ea52b567e1162f6a366bf3d06c44c8956a9f14520e9fb6ed0b1","dc5082b07eb994ddee343a4080dce0a9ec2e891e5690654e24ae74ba9eabe422","82fda6ea769d61aba230c3487787087cec53dd378e22f22a8fb8f0bd5ae83ded","77963398e2c5c2fdf9d28d9c5f9c2791cfbf422ba02225e01635dd7f5b31eff8","023c8f8e2a71da2044e3f04ac74c8b3616f417436476cea85222f01119615979","2a6ce2445c096fc5e577a0af513ba6f4fb8a8097764c7df81824a782e07e7f65","c2527a907b209bc4ce911e36b79781ec260f0851eeb466dbeb386d67fec11467","22b07d2af98bb180474c33d93861124bbdf9b5dd7e42a8bddc654310469a9a2c","68bafc624a4c0d11ef7a949c0077c704aa5ba0a3205fe5b62d29b727b46ccfe4","276789b3b946753e9be482219bc4526da2da8772701f3b9d00c74038e2604ece","5d164b6d74dae9fe3022bc3cf453cd8b846e9cdc0cd616246fe620be88e3f1e5")

    Reference:

    https://www.trendmicro.com/en_us/research/26/f/old-winrar-flaw-fuels-attacks-on-ukraine.html


    Tags

    Malware, Threat Actor, Vulnerability, Russia, Gamaredon, Exploit, CVE-2025, Ukraine, Infostealer, Stealer, Credential Harvesting, Cyber Espionage
