ctipilot.ch

WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01)

cve · CVE-2025-8088

Coverage timeline: 2 (first 2026-06-02 → last 2026-06-03)
Briefs: 2 (2 distinct)
Sources cited: 5 (4 hosts)
Sections touched: 0
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-03 — CTI Daily Brief — 2026-06-03
  2. 2026-06-02 — CTI Daily Brief — 2026-06-02

Source distribution

  • thehackernews.com: 2 (40%)
  • blog.sekoia.io: 1 (20%)
  • infosecurity-magazine.com: 1 (20%)
  • welivesecurity.com: 1 (20%)

Related entities

Items in briefs about WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) (1)

UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

UPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to write payloads directly into %APPDATA%\…\Start Menu\Programs\Startup\ for persistence without a Registry or Scheduled-Task artefact (Sekoia TDR, 2026-06-01).

The series also names GammaSteel, a modular file-stealer (consolidating prior QuietSieve/HarvesterX-class modules) that captures files by extension and — newly — exfiltrates to attacker-controlled S3-compatible cloud storage in addition to Gamaredon's previously documented HTTP/Telegram channels (The Hacker News, 2026-06-02). The full chain runs WinRAR archive → GammaPhish (HTA) → GammaLoad (VBScript downloader) → GammaWorm/GammaSteel.

Delta for defenders: CVE-2025-8088 is fixed in WinRAR 7.13 (August 2025), so the entry vector is closed by patching — inventory WinRAR versions across the estate. Hunt for archive utilities writing executables or .vbs into Programs\Startup paths (Sysmon EID 11 on target path containing Programs\Startup), WinRAR spawning wscript.exe/mshta.exe, and VBScript processes making outbound requests to S3 endpoints inconsistent with normal business traffic. The targeting is Ukraine-centric, but the WinRAR vector reaches any organisation that opens archive-format lures.
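The three hunts named above (archive utility writing a script or executable into a Programs\Startup path, WinRAR spawning a script host, and a script host connecting to an S3-style endpoint) turned into runnable triage logic. This is an added example, not Sekoia's or ctipilot's code: the event dictionaries mimic Sysmon EID 11 / 1 / 3 field names, but every event, path, user and bucket hostname below is constructed for illustration, and the S3 hostname pattern and the allow-list of business-expected S3 hosts are assumptions an analyst would tune per estate.

```python
"""Hunt logic for the WinRAR -> Startup -> script host -> S3 chain.

Added example (not the brief's or Sekoia's own tooling). Event shapes follow
Sysmon field names (Image, ParentImage, TargetFilename, DestinationHostname);
the sample events are constructed, not captured telemetry.
"""
import re

# Archive utilities that should never be the writer of a Startup-folder artefact.
ARCHIVE_UTILS = {"winrar.exe", "unrar.exe", "7zfm.exe", "7z.exe", "winzip64.exe"}
# Script hosts the brief calls out as children of WinRAR / as S3 talkers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions worth alerting on when dropped into Programs\Startup.
SUSPECT_EXT = (".exe", ".vbs", ".hta", ".js", ".lnk", ".cmd", ".bat")
STARTUP_RE = re.compile(r"\\Programs\\Startup\\", re.IGNORECASE)
# Assumption: S3-compatible endpoints are recognised by hostname shape.
S3_RE = re.compile(
    r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$"
    r"|\.r2\.cloudflarestorage\.com$"
    r"|\.digitaloceanspaces\.com$",
    re.IGNORECASE,
)


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev, known_s3_hosts=frozenset()):
    """Return the name of the hunt rule this event trips, or None."""
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    if eid == 11:  # FileCreate: archiver writing a runnable file into Startup
        target = ev.get("TargetFilename", "")
        if (image in ARCHIVE_UTILS and STARTUP_RE.search(target)
                and target.lower().endswith(SUSPECT_EXT)):
            return "startup_write_by_archiver"
    elif eid == 1:  # ProcessCreate: archiver spawning wscript/cscript/mshta
        if _basename(ev.get("ParentImage", "")) in ARCHIVE_UTILS and image in SCRIPT_HOSTS:
            return "archiver_spawned_script_host"
    elif eid == 3:  # NetworkConnect: script host talking to an S3-style endpoint
        host = ev.get("DestinationHostname", "").lower()
        if image in SCRIPT_HOSTS and S3_RE.search(host) and host not in known_s3_hosts:
            return "script_host_to_s3"
    return None


def hunt(events, known_s3_hosts=frozenset()):
    """Run every event through check_event; return the alerts in input order."""
    alerts = []
    for ev in events:
        rule = check_event(ev, known_s3_hosts)
        if rule:
            alerts.append({"rule": rule, "event": ev})
    return alerts


# Constructed sample telemetry: two hits per rule would be noise, so one hit
# and one benign look-alike for each hunt.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report\notes.txt"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "bucket-placeholder.s3.eu-central-1.amazonaws.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "corp-backup.s3.amazonaws.com"},  # business-expected
    {"EventID": 3, "Image": r"C:\Program Files\Backup\agent.exe",
     "DestinationHostname": "corp-backup.s3.amazonaws.com"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, known_s3_hosts={"corp-backup.s3.amazonaws.com"}):
        print(alert["rule"], "<-", alert["event"])
```

The allow-list on the EID 3 rule is what encodes "inconsistent with normal business traffic": a wscript.exe connection to the corporate backup bucket is suppressed, the same process reaching an unknown bucket is not. Feed it real Sysmon events (converted to the same field names) rather than the constructed list to hunt on an estate.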