{
  "name": "Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088",
  "slug": "analysis-of-gamaredon-campaign-targeting-ukraine-weaponizing-cve-2025-8088",
  "description": "A campaign exploiting the WinRAR path-traversal vulnerability CVE-2025-8088 has been actively targeting Ukraine since February 2026, with ongoing activity through June 2026. The operation uses Ukrainian military and conscription-themed documents as lures, distributed as RAR archives. The malicious archives contain NTFS alternate data streams with path-traversal sequences that automatically place LNK files into the Windows Startup folder upon extraction. These shortcuts execute hidden PowerShell stagers incorporating anti-analysis techniques including debugger checks, disk-space verification, and sleep delays to evade sandbox detection. The persistent nature of the attacks demonstrates continuous targeting of Ukrainian entities over a four-month period using social engineering focused on military documentation themes.",
  "published": "2026-06-19T04:31:48.774000+00:00",
  "created_at": "2026-06-19T08:39:16.301000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-19T08:39:16.301000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "conscription-themed",
    "cve-2025-8088",
    "gamaredon",
    "military-lures",
    "path-traversal",
    "persistence",
    "powershell",
    "ukraine",
    "winrar"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "67c94d1a-bec7-4084-8fb9-15dd2dc6fb57",
        "name": "CVE-2025-8088"
      }
    ],
    "indicators": [
      {
        "id": "f90d2f7b-0822-4b9f-a8d3-b39c742def84",
        "name": "cb65f5873c72d707371ec56fb8ba501a5c7f5940e9c5a2d28c9b379ce216900c"
      },
      {
        "id": "b84948c0-e689-4d93-b196-a5a5eb0732a1",
        "name": "507b2fcdae058cebbd550965b90c44e878d7a2463058c846eeb68f0dc1b48eda"
      },
      {
        "id": "7c282ca0-d1a9-4ac0-ac3d-461e3b6fe053",
        "name": "bf338d88f60c0d352cd0d1b5e4bc6a1d9f1ac8fe1df48516ec0042cafda821e9"
      },
      {
        "id": "4e8e924e-22c8-4b92-a54a-ae29f872ebf1",
        "name": "2add9429d2822ae0c01c08bbd66c3a110ef2e9c3a00cded1477657e9024e391e"
      },
      {
        "id": "1d1c0ed1-80cd-449d-9645-5314b01e697e",
        "name": "1c170b7470d507378ddb78e9d66305f1184e965baaf2d27ededb23a318a58953"
      },
      {
        "id": "48f8792b-1871-44e5-8618-460745645172",
        "name": "1ebbdf3671cd5ca25a8a8e7ca2f6e46dd22c631e01bfcc5c909ae2fd680bf458"
      },
      {
        "id": "64c3d661-567d-4aa8-b4fd-3701ac40732a",
        "name": "f668bd551859007cf2cc2a62bf0bf5414870a04e9782590c9bf85c849ddb308b"
      },
      {
        "id": "6a6a570d-36a9-4366-bf86-051400344156",
        "name": "f9d2907d6b1de3078a0f111cc98764a92baf5ebd06cc8ab02637a65eff3b7f3a"
      },
      {
        "id": "7afe6ecc-492f-47ad-aa1b-64bef4be820b",
        "name": "0a9bc91e7ea2c3931f662eea37c00c7c26c8996b65f6f7afe6cce8f6114f94b6"
      },
      {
        "id": "f7447f0d-cc3d-4652-a56a-a5f530453bb3",
        "name": "39dd1bd3bccc314d8933e5c41ed2ab084e4e20af569f77b7cf09abc5855b9483"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c30f74e1-f00a-47b0-bb1f-9c7a8c614b8a",
        "name": "Gamaredon",
        "slug": "gamaredon"
      }
    ],
    "attack_patterns": [
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "b55f705d-087e-4929-96da-a925e5f186fc",
        "name": "T1564.004"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c998d878-b668-40dd-a84c-9ca7f73caaa4",
        "name": "T1497.003"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      }
    ]
  },
  "external_refs": [
    {
      "id": "e1d3f1fa-1e16-4d19-8dfd-e21af2976857",
      "standard_id": "external-reference--82b26b80-9255-5db4-bafd-cc786771820b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://x.com/nextronresearch/status/2067508038542545203",
      "hash": null,
      "external_id": null,
      "created": "2026-06-19T08:39:16.238Z",
      "modified": "2026-06-19T08:39:16.238Z",
      "createdById": null
    },
    {
      "id": "ca0aa46e-e68a-4d7a-8604-ab1368a525c1",
      "standard_id": "external-reference--da288eda-c60d-5357-b538-9149e7cb4a4e",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a34c6344468a941c924c02c",
      "hash": null,
      "external_id": "6a34c6344468a941c924c02c",
      "created": "2026-06-19T08:39:16.214Z",
      "modified": "2026-06-19T08:39:16.214Z",
      "createdById": null
    }
  ]
}