New Phishing Campaign by Gamaredon Targets Government Entities via WinRAR Zero-Day Exploit

By Azhar Khan

Date: October 29, 2025

Overview: The Russian-linked threat actor Gamaredon has launched a sophisticated spear-phishing campaign targeting government ministries, diplomatic services, parastatals and administrative agencies in Eastern Europe and NATO-adjacent countries. In a significant escalation of its tactics, the group is exploiting the previously publicised CVE‑2025‑8088 path-traversal vulnerability in WinRAR to deposit malicious payloads into startup folders of compromised systems with minimal user interaction.

Attack chain & delivery mechanism: The campaign begins with highly tailored spear-phishing emails that appear to originate from trusted agencies or internal collaborators. Recipients receive weaponised RAR archives containing:

  • A benign-looking PDF document as the lure;
  • A malicious HTA (HTML application) file and other payload components hidden inside the archive.
Once the archive is opened, the WinRAR vulnerability triggers a path-traversal extraction sequence that places the malicious HTA into the Windows Startup folder or other autorun paths — without the user realising anything unusual. The HTA executes upon next system start, enabling persistent backdoor installation.

Technical sophistication & infrastructure: Security researchers have observed three primary C2 infrastructure clusters tied to this campaign:

  • create-pdf.serveftp[.]com
  • furnishings-ranger-lodge-assists.trycloudflare[.]com
  • acess-pdf.webhop[.]me
These domains are hosted on high-resilience cloud platforms and leverage fast-flux DNS to complicate takedowns. Payloads employ multi-stage loaders that initially conduct reconnaissance, dump credentials (including LSASS memory dumps and SAM database extractions), then install modular RATs and backdoors. Notably, the group uses .lnk shortcuts, COM hijacking, and process-injection techniques to evade sandboxing and detection.

Victimology & target profile: Gamaredon is traditionally associated with espionage operations against Ukrainian government entities and military organisations. In this wave, however, the targeting appears broader — encompassing:

  • State ministries of economic and foreign affairs;
  • National statistical offices;
  • Regional development agencies;
  • Municipal authorities in NATO-adjacent states.
The shift suggests the actor is expanding its reach, potentially to gather intelligence from allied governments and non-military institutions. Observers have noted that the phishing emails mimic internal dispatches or partner-agency briefings, increasing the likelihood of click-through in government environments.

Impact & risk assessment: While there are no confirmed reports yet of operational disruption or public data leaks, the campaign presents high-risk possibilities:

  • Initial access and persistent presence inside government networks;
  • Credential theft of privileged accounts or vendor/service accounts;
  • Lateral movement toward sensitive infrastructure or intelligence repositories;
  • Future data exfiltration or ransomware-style extortion using compromised archives.
Given that the exploit rides on a trusted archive format and requires minimal user interaction, defenders are advised to assume compromise as soon as relevant IoCs are detected.

Defender guidance & remediation steps:

  • Immediately deploy the vendor-released patch for WinRAR (version 7.13 or later) to mitigate CVE-2025-8088.
  • Implement application-allowlisting and block execution of HTA, LNK and other non-standard executable or script formats within Startup, Temp, and user profile directories.
  • Audit user directories, especially Windows Startup folders, Scheduled Tasks, and WMI subscriptions for recently added or unusual entries.
  • Enable and enforce strong multi-factor authentication (MFA) on all accounts, especially admin/service accounts in government networks.
  • Deploy and monitor EDR/EDR-like solutions for process injection, credential-dumping behaviour (e.g., LSASS memory access), COM hijacking, and external C2 communication using suspicious cloud or fast-flux domains.
  • Conduct threat hunting using known IoCs: RAR archives with internal path traversal indicators (e.g., “..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup”), inbound emails with RAR attachments named as documents or briefings, and connectivity to domains matching the campaign’s C2 infrastructure patterns.

Detection indicators of compromise (IoCs): Key artefacts linked to this campaign include:

  • RAR files whose entries extract into user Startup folders via “..\\” sequences in the archive.
  • HTA files located in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup that reference benign-looking filenames but execute malicious payloads.
  • Outbound HTTPS or HTTP traffic to domains under *.serveftp.com, *.trycloudflare.com, or *.webhop.me associated with this campaign.
  • Use of shortcuts (.lnk) or stolen tools such as a tampered PuTTY-CAC binary for persistence and anti-analysis.
Organizations should sweep endpoint logs, network logs, and archive-extraction histories to detect these footprints before adversaries begin exfiltration or deeper lateral movement.
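One way to carry out the archive-side hunt described in the remediation steps and IoC list above, as an added example that is not part of the advisory or any vendor tool: given an archive listing (for instance the entry names reported by a RAR lister), it resolves where each entry would land if an extractor honoured its “..” segments and flags anything that escapes the extraction directory, with Startup-folder targets and script/shortcut extensions called out separately. The extraction directory, the listing and the file names are constructed sample values.

```python
import re
from pathlib import PureWindowsPath

# Case-insensitive marker for the per-user Startup folder the advisory names.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"
# Extensions the advisory recommends blocking in Startup/Temp/profile dirs.
RISKY_EXT = {".hta", ".lnk", ".vbs", ".js", ".cmd", ".bat"}

def resolve_entry(entry_name: str, extract_dir: str) -> str:
    """Path an entry would land on if the extractor honoured its '..' segments."""
    parts = list(PureWindowsPath(extract_dir).parts)
    for seg in re.split(r"[\\/]+", entry_name):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(parts) > 1:          # never pop the drive anchor
                parts.pop()
        else:
            parts.append(seg)
    return str(PureWindowsPath(*parts))

def triage_listing(entries, extract_dir):
    """Map each escaping entry to a reason; entries staying inside extract_dir are dropped."""
    base = str(PureWindowsPath(extract_dir)).lower().rstrip("\\") + "\\"
    findings = {}
    for name in entries:
        target = resolve_entry(name, extract_dir)
        low = target.lower()
        if low.startswith(base):
            continue                    # normal extraction, nothing to flag
        if STARTUP_MARKER in low:
            findings[name] = "traversal into Startup folder -> " + target
        elif PureWindowsPath(low).suffix in RISKY_EXT:
            findings[name] = "traversal dropping script/shortcut -> " + target
        else:
            findings[name] = "path traversal outside extraction dir -> " + target
    return findings

# Constructed sample listing (not a real campaign artefact): one lure plus two
# traversal entries of the kind the advisory describes.
SAMPLE_LISTING = [
    "briefing.pdf",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\briefing.hta",
    "../../Temp/update.lnk",
]

if __name__ == "__main__":
    for entry, reason in triage_listing(SAMPLE_LISTING, r"C:\Users\alice\Downloads").items():
        print(f"{entry!r}: {reason}")
```

The check is deliberately independent of the archive format, so the same function can be fed listings from RAR, ZIP or 7z tooling; it flags any escaping entry, not only those aimed at Startup.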

Wider implications & strategic context: This new campaign demonstrates the evolving sophistication of Gamaredon and similar state-linked actors. The use of a widely used utility (WinRAR) vulnerability to achieve persistence and spread within government networks underscores several key trends:

  • File-archiver exploits are gaining prominence as initial access vectors, bypassing classic user-awareness defenses where opening an archive is seen as low risk.
  • Threat actors are increasingly exploiting auxiliary services (document archives, collaboration tools, external vendor portals) rather than directly attacking core infrastructure, thereby reducing detection risk.
  • Prioritising persistent access over immediate disruption allows the adversary to establish long-term espionage footholds, increasing its potential reach into critical national-security systems.
Public-sector organisations and ministries should revisit their supply-chain, archive handling and extraction security policies, as these lateral vectors are becoming primary attack paths in targeted campaigns.

What to expect next: Analysts anticipate follow-on phases from this campaign that may include:

  • Credential harvesting and deployment of service-account backdoors;
  • Movement into OT/ICS domains in hybrid government/industrial environments where agencies interface with national infrastructure;
  • Data exfiltration or double-extortion threats targeting sensitive government information;
  • Increased use of cloud-based or fast-flux C2 infrastructure to delay or impede takedown efforts.
Threat monitoring organisations have already flagged this activity as a “high-priority espionage campaign” and urge affected nations to share intelligence and defensive measures publicly.

Takeaway: The latest Gamaredon campaign is a stark reminder that even mature government networks remain vulnerable to archive-based exploits and sophisticated adversarial campaigns. The combination of a zero-day archive tool vulnerability, trusted document lures, and built-in persistence mechanisms elevates this event to a severe risk. At this juncture, organisations must assume full trust has been breached once extraction occurs, prioritise containment, forensic investigation, credential resets, and external communication with national cybersecurity centres. Maintaining perimeter defences is no longer sufficient — visibility into archive handling, process persistence and lateral movement has become mission-critical.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.