ctipilot.ch

WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01)

cve · CVE-2025-8088 single-source

Coverage timeline
4
first 2026-06-02 → last 2026-06-28
Peak priority
notable
4 notable
Sources cited
12
6 hosts
Sections touched
4
deep-dive, research, updates
Co-occurring entities
2
see Related entities below
ATT&CK techniques
12
pinned v19.1 · see below

ATT&CK techniques

12 techniques observed across 2 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

T1566.001Phishing: Spearphishing Attachment×1

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

T1059.005Command and Scripting Interpreter: Visual Basic×1

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.

Evidence: 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · ATT&CK page ↗

Persistence TA0003

T1547Boot or Logon Autostart Execution×1

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×2

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · ATT&CK page ↗

Privilege Escalation TA0004

T1547Boot or Logon Autostart Execution×1

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×2

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · ATT&CK page ↗

Stealth TA0005

T1480Execution Guardrails×1

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

Credential Access TA0006

T1555.003Credentials from Password Stores: Credentials from Web Browsers×1

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · ATT&CK page ↗

Collection TA0009

T1005Data from Local System×1

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

Exfiltration TA0010

T1041Exfiltration Over C2 Channel×1

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · ATT&CK page ↗

Story timeline

  1. 2026-06-27Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection
    deep-dive
  2. 2026-06-14CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix
    weekly-vuln-rollup
  3. 2026-06-10Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
    research
  4. 2026-06-03Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
    updates

Where this entity is cited

  • updates1
  • research1
  • weekly-vuln-rollup1
  • deep-dive1

Source distribution

  • attack.mitre.org5 (42%)
  • thehackernews.com3 (25%)
  • blog.sekoia.io1 (8%)
  • cloud.google.com1 (8%)
  • therecord.media1 (8%)
  • trendmicro.com1 (8%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

External references

NVD · cve.org · CISA KEV

All cited sources (12)

Entries about WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) (4)

2026-06-27 · view entry permalink →

NOTABLECVE-2025-8088exploited

Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection

Background. Google Threat Intelligence Group (GTIG, formerly Mandiant) published a full technical analysis of STOCKSTAY on 2026-06-25, a modular .NET backdoor it attributes with high confidence to Turla — also tracked as Secret Blizzard, SUMMIT and FSB Center 16 — with activity dating to December 2022 (Google Cloud / GTIG, 2026-06-25). GTIG ties STOCKSTAY to Turla's long-running Kazuar implant lineage through shared code: the K1MORPHER Squirrel3-based string obfuscator Turla introduced in April 2025, identical environmental-keying logic, and the same component-separation design pattern — placing this tool in the same toolset GTIG and others have tracked across European diplomatic targeting for years (The Record, 2026-06-26). Primary targets are Ukrainian government and military organisations and European entities with Italian foreign-policy interests.

Architecture and mechanics. STOCKSTAY is partitioned into four .NET assemblies that communicate over Windows WM_COPYDATA inter-process messages, deliberately decoupling the network layer from command execution. MARKETMAKER is the downloader/installer that establishes Registry Run-key persistence masquerading as MicrosoftUpdateOneDrive (T1547.001); STOCKMARKET ("cor") is the orchestrator that generates a 4096-bit RSA key pair on first run; STOCKBROKER ("net") is a proxy-aware WebSocket tunneller built on the open-source websocket-sharp library; and STOCKTRADER ("sys") is the backdoor executor supporting 13 commands (directory listing, file get/put, process execution, registry read/write/delete, screenshot capture, WMI-based system reconnaissance, archive unpacking, and self-destruct). Configuration is AES-encrypted using hostname/domain-name environmental keying (T1480) once past the reconnaissance phase, so the payload will not decrypt or execute off-target — a standard Turla anti-analysis measure.

Command-and-control. C2 responses are wrapped in an RSA-4096-encrypted "CryptoContainer" JSON structure and tunnelled over encrypted WebSocket sessions hosted on legitimate PaaS platforms (Render.com, Glitch) (T1071.001). The controller — a Python Tornado WebSocket server storing victim data in a SQLite database — was found in a public GitHub repository, and the use of third-party PaaS prevents the platform operator from introspecting the encrypted traffic. The implant enforces working hours (09:00–18:00, Mon–Fri) to blend with normal activity.

Delivery / kill chain. Initial access is via spearphishing (T1566.001/.002) using diplomatic-themed lures (drone content, military logistics, diplomatic-education platforms), with malicious RDP configuration files and RAR archives exploiting WinRAR path traversal CVE-2025-8088 for code drop, followed by MSI/HTA execution. STOCKSTAY is then installed, keys to its environment, establishes Run-key persistence, and beacons out over PaaS-hosted WebSockets — staging the operator's interactive command set (T1059) for collection (T1005) and exfiltration over the C2 channel (T1041). GTIG notes deployment alongside other confirmed Turla tools (WILDDAY, DIAMONDBACK).

Detection concepts (no IOCs). Alert on outbound WebSocket connections to *.onrender.com / *.glitch.me from non-browser processes; WM_COPYDATA messages between unrelated processes in EDR telemetry (Sysmon EID 8/10 process-injection/access correlation); Registry Run-key creation pointing at user-space paths masquerading as Microsoft/OneDrive updaters (Sysmon EID 13 / Windows EID 4657); LNK or RDP-config writes into staging directories (Sysmon EID 11); and the WinRAR CVE-2025-8088 exploitation pattern (archive extraction writing files outside the target directory). GTIG published YARA and Google SecOps detection rules with the report.

Hardening / mitigation. Patch WinRAR to 7.11+ to close CVE-2025-8088; enable AMSI and ETW for .NET assemblies and block the AppDomainManager-hijack DLL-placement path; apply GPO to restrict RDP-config auto-connection; and where not operationally required, block Render/Glitch WebSocket egress at the perimeter for diplomat and ministry workstations. For Swiss federal and cantonal foreign-affairs, defence and diplomatic environments, the named Italian-foreign-policy targeting puts this squarely in scope.

Background.

ctipilot v2 brief (migrated)
vulnerability27 Jun 05:17Zmulti-sourceOpen finding ↗

2026-06-14 · view entry permalink →

NOTABLECVE-2025-8088exploited

CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix

A reminder that "patched" is not "remediated" where users don't update. Trend Micro documented two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year on: GIFTEDCROOK delivery via UAC-0226 and an Earth Dahu chain (Trend Micro; daily 06-10). The operational takeaway for any estate with desktop WinRAR: inventory and force-update, because the archived-fix assumption is exactly what these operators rely on.

A reminder that "patched" is not "remediated" where users don't update.

ctipilot v2 brief (migrated)
vulnerability14 Jun 23:57Zsingle-sourceOpen finding ↗
Sources: Trend Micro

2026-06-10 · view entry permalink →

NOTABLECVE-2025-8088exploited

Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain

Trend Micro documents two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year after the fix (Trend Micro, 2026-06-08). SHADOW-EARTH-066 (UAC-0226) delivers GIFTEDCROOK via crafted RAR archives with decoy PDFs and hidden ADS payloads that extract to the Startup folder and run in-memory PowerShell DLL loaders to steal passwords, cookies and documents from Chrome, Edge, Opera and Firefox; a separate Earth Dahu chain uses an HTA-to-VBScript dropper (The Hacker News, 2026-06-09). Both actors moved C2 off Telegram to dedicated servers after Russia's February 2026 Telegram block. The defender lesson is the persistence of an exploited entry point in unmanaged software: hunt wscript.exe/mshta.exe spawned from archive-extraction events, Startup-folder writes (Sysmon EID 11), and PowerShell script-block logging (EID 4104) for in-memory reflection. CVE-2025-8088 affects any unpatched WinRAR globally; ensure deployed versions are current (T1059.005, T1547.001, T1555.003).

Trend Micro documents two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year after the fix (Trend Micro, 2026-06-08).

ctipilot v2 brief (migrated)
research10 Jun 05:00Zmulti-sourceOpen finding ↗

Earlier coverage (1)