Russia-aligned hackers exploit patched WinRAR flaw to target Ukraine
AI-generated from multiple sources. Verify before acting on this reporting.
KIEV (AP) — Two Russia-aligned cyber threat groups exploited a recently patched vulnerability in WinRAR software to launch espionage campaigns against Ukrainian organizations, security officials confirmed Monday.
The attacks, attributed to the groups known as SHADOW-EARTH-066 and Earth Dahu, targeted government and private sector entities across Ukraine. The campaigns exploited a flaw in the file-compression utility, tracked as CVE-2025-8088, to infiltrate networks and steal sensitive data.
Security researchers identified the intrusion attempts on June 8, 2026. The groups used malicious archives distributed through phishing emails to deliver payloads. Once executed, the malware extracted credentials, internal documents, and other classified information from compromised systems.
A WinRAR security update addressing the vulnerability was released in early 2026. Despite the patch being available, many Ukrainian organizations had not yet updated their installations, leaving them exposed to the attacks. The exploit allowed attackers to bypass security controls and gain unauthorized access to internal networks.
SHADOW-EARTH-066, also designated as UAC-0226, has previously been linked to Russian state-sponsored operations. The group has a history of targeting government infrastructure and defense contractors. Earth Dahu, also known as Gamaredon, is another Russia-aligned actor known for disruptive cyber operations against Ukrainian targets.
The campaigns represent a shift in tactics, focusing on information theft rather than destructive malware. The stolen data is believed to be used for intelligence gathering and strategic planning. Officials warn that the compromised credentials could be used for further attacks or sold on dark web marketplaces.
Ukrainian cybersecurity agencies have issued alerts to organizations, urging immediate updates to WinRAR software and enhanced monitoring of network traffic. The government has also advised users to scan systems for signs of compromise and reset passwords for affected accounts.
The attacks highlight the ongoing cyber conflict between Russia and Ukraine. As the war continues, cyber operations have become a key component of the broader strategy. Both sides have engaged in digital espionage and sabotage, with Ukraine suffering significant losses in critical infrastructure.
Security experts note that the exploitation of an already-patched vulnerability indicates a sophisticated level of planning and execution. The attackers likely conducted reconnaissance to identify unpatched systems before launching the campaigns. This approach suggests a targeted effort to maximize the impact of the intrusion.
The full extent of the data theft remains unclear. Investigators are working to determine which organizations were affected and what information was exfiltrated. The groups may continue to exploit the vulnerability in other regions, raising concerns about the global impact of the campaign.
Ukrainian officials have not commented on the specific details of the breach. However, they have acknowledged the threat posed by Russia-aligned cyber actors and emphasized the need for international cooperation to counter the attacks. The incident underscores the importance of timely software updates and robust cybersecurity measures in protecting national security interests.