Hackers Weaponize WinRAR & NTFS Alternate Data Streams: The Silent Malware Extraction Attack + Video


Introduction:

A path traversal vulnerability in WinRAR, tracked as CVE-2025-8088 (CVSS 8.4/8.8), continues to be actively exploited by Russia-aligned threat groups nearly a year after a patch was released. The flaw leverages NTFS Alternate Data Streams (ADS) within crafted RAR archives to silently write malicious payloads outside the extraction directory—often directly into the Windows Startup folder for automatic execution upon user login.

Learning Objectives:

  • Understand how CVE-2025-8088 abuses NTFS Alternate Data Streams to bypass directory traversal sanitization and achieve arbitrary file writes.
  • Analyze attack chains used by SHADOW-EARTH-066 (GIFTEDCROOK stealer) and Earth Dahu (Gamaredon) targeting Ukrainian organizations.
  • Learn step-by-step detection, forensic analysis, and system hardening techniques to identify and mitigate this threat in enterprise environments.

You Should Know:

  1. Deep Dive into the CVE-2025-8088 & NTFS ADS Exploitation Technique

The core of the attack lies in how vulnerable WinRAR versions (≤ 7.12) process the `STM` (Service) header blocks used to store NTFS-specific metadata. When a crafted RAR archive is extracted, WinRAR concatenates the target extraction path with a malicious stream name—for example, .\..\..\..\..\..\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.lnk—and writes the stream’s data to that location without sanitization. This results in a path traversal that places malware directly into locations granting automatic execution at next logon.
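The check that is missing from the behaviour described above, as an added example (not WinRAR's code and not from the article): the naive concatenation beside a hardened form that rejects stream names containing path separators and any target that resolves outside the extraction directory. It uses Python's `ntpath` so Windows path semantics can be exercised on any platform; the extraction directory, user name and stream name are constructed for the demo.

```python
import ntpath
import re

# Constructed values for this example (not from the article): an extraction
# directory and a stream name shaped like the traversal the article describes.
EXTRACT_DIR = r"C:\Users\alice\Downloads\archive"
TRAVERSAL_STREAM = (r".\..\..\..\..\..\Users\alice\AppData\Roaming\Microsoft"
                    r"\Windows\Start Menu\Programs\Startup\malicious.lnk")

# A well-formed NTFS stream name is ':name' (optionally ':$DATA') with no
# path separators and no second colon.
_STREAM_NAME_RE = re.compile(r"^:[^:\\/]+(?::\$DATA)?$")


def vulnerable_stream_target(extract_dir, file_name, stream_name):
    """Unsanitized concatenation: the behaviour the article attributes to WinRAR <= 7.12."""
    return ntpath.join(extract_dir, file_name) + stream_name


def resolves_outside(extract_dir, candidate):
    """True if `candidate`, once '.' and '..' are collapsed, is not under extract_dir."""
    root = ntpath.normpath(extract_dir)
    resolved = ntpath.normpath(candidate)
    try:
        return ntpath.commonpath([root, resolved]) != root
    except ValueError:  # different drives, or absolute vs. relative: never contained
        return True


def safe_stream_target(extract_dir, file_name, stream_name):
    """Hardened form: reject malformed stream names and any path that escapes
    the extraction directory. Returns the target path, or None to refuse the write."""
    if not _STREAM_NAME_RE.match(stream_name):
        return None
    candidate = vulnerable_stream_target(extract_dir, file_name, stream_name)
    if resolves_outside(extract_dir, candidate):
        return None
    return candidate


if __name__ == "__main__":
    naive = vulnerable_stream_target(EXTRACT_DIR, "innocuous.pdf", TRAVERSAL_STREAM)
    print("naive target resolves to:", ntpath.normpath(naive))
    print("escapes extraction dir  :", resolves_outside(EXTRACT_DIR, naive))
    print("hardened (traversal)    :", safe_stream_target(EXTRACT_DIR, "innocuous.pdf", TRAVERSAL_STREAM))
    print("hardened (benign ADS)   :", safe_stream_target(EXTRACT_DIR, "innocuous.pdf", ":Zone.Identifier"))
```

The same containment test applies to any archive entry name, not only ADS stream names, so it can be dropped into any extraction routine as a pre-write guard.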

Step‑by‑step guide – How Attackers Craft a Malicious RAR (Simulated for Defensive Analysis):

  1. Create a decoy file (e.g., innocuous.pdf) and a malicious payload (e.g., `malicious.lnk` that launches a download cradle).
  2. Attach the LNK as an Alternate Data Stream to the PDF using PowerShell:
    Set-Content -Path ".\innocuous.pdf:malicious.lnk" -Value (Get-Content ".\malicious.lnk" -Raw)
    
  3. Create a RAR5 archive containing the ADS-embedded file. Attackers often insert many “noise” entries to obscure the malicious streams.
  4. Deliver the archive via phishing email. When a user extracts it with WinRAR ≤ 7.12, the ADS content is written to the Startup folder without any visual warning.

Step‑by‑step guide – Safe Forensic Analysis Using the `rarADSExtractor` Tool:

Traditional tools like `unrar.exe` may trigger the vulnerability or fail to enumerate hidden streams. The open‑source `rarADSExtractor` provides a safe, Python‑only parser:

    # Clone the repository and run the scanner
    git clone https://github.com/tasox/rarADSExtractor.git
    cd rarADSExtractor
    python rarADSExtractor.py suspicious.rar

The tool dumps all ADS payloads, attempts decoding, and creates `.decoded.txt` files for inspection—all without invoking vulnerable binaries.

  2. Mapping the Attack Chains: From Phishing to Persistence

Two Russia‑aligned intrusion sets have integrated CVE-2025-8088 into their operations against Ukrainian military, government, and critical infrastructure:

SHADOW‑EARTH‑066 (UAC‑0226): Delivers the GIFTEDCROOK information stealer. The exploit chain places an LNK file in the Startup folder, which launches a PowerShell loader via cmd.exe. The loader injects `result.dll` into memory, harvesting browser passwords, cookies, and documents matching 35+ extensions before exfiltrating data to dedicated C2 servers and deleting forensic traces.

Earth Dahu (Gamaredon): Uses a script‑based infection chain. A crafted RAR writes a single HTA file to the Startup folder. Upon reboot, `mshta.exe` executes the HTA, which loads VBScript from Cloudflare Workers and dynamic DNS infrastructure, ultimately delivering espionage modules like GammaSteel.

Step‑by‑step guide – Detecting the Attacks Using Windows Commands and SIEM Queries:

  1. Check for unpatched WinRAR versions across endpoints (Windows):
    wmic product where "name like 'WinRAR%'" get name,version
    

Mitigation: Update to WinRAR version 7.13 or later.

  2. Monitor the Startup folder for suspicious new files (Windows PowerShell):
    Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}
    

    Look for unexpected `.lnk`, `.hta`, `.bat`, or `.vbs` files.

  3. Detect ADS creation events via Sysmon Event ID 15 (FileCreateStreamHash). Add this to your SIEM correlation rules:

    EventCode=15 TargetFilename contains ":" AND User contains "NT AUTHORITY"
    
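The two checks above (a recent write into the Startup folder, and ADS creation seen through Sysmon Event ID 15) expressed as triage logic over sample records, as an added example that is not from the article or any SIEM product. The event records are constructed for the demo and carry only the `Image`, `TargetFilename` and `User` fields the checks need; the Startup path, extension list and archiver process names are assumptions.

```python
import ntpath
import re

# Constructed Sysmon Event ID 15 (FileCreateStreamHash) records for this example,
# not real telemetry. TargetFilename carries the stream name after the file path.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\malicious.lnk:Zone.Identifier"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\Downloads\archive\innocuous.pdf:malicious.lnk"},
]

# Per-user Startup folder (the persistence location used in the article's chains).
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RISKY_EXT = {".lnk", ".hta", ".bat", ".vbs", ".cmd", ".js", ".ps1"}
ARCHIVERS = {"winrar.exe", "unrar.exe", "rar.exe"}   # assumed process names


def split_ads(target):
    """Split 'C:\\dir\\file:stream' into (file, stream); the drive colon is skipped."""
    drive, rest = ntpath.splitdrive(target)
    if ":" in rest:
        file_part, stream = rest.split(":", 1)
        return drive + file_part, stream
    return target, None


def triage_event(event):
    """Return the findings for one Event ID 15 record (empty list if benign)."""
    findings = []
    file_part, stream = split_ads(event.get("TargetFilename", ""))
    image = ntpath.basename(event.get("Image", "")).lower()
    # Check 1: a shortcut/script landing in a Startup folder, whatever wrote it.
    if STARTUP_RE.search(file_part) and ntpath.splitext(file_part)[1].lower() in RISKY_EXT:
        findings.append("startup-folder-write")
    # Check 2: an archiver creating a named stream other than the usual Zone.Identifier.
    if image in ARCHIVERS and stream and stream.lower() != "zone.identifier":
        findings.append("archiver-created-ads")
    return findings


def triage(events):
    """Map each TargetFilename with findings to its list of findings."""
    report = {}
    for event in events:
        findings = triage_event(event)
        if findings:
            report[event["TargetFilename"]] = findings
    return report


if __name__ == "__main__":
    for target, findings in triage(SAMPLE_EVENTS).items():
        print(", ".join(findings), "->", target)
```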

3. Hardening and Mitigation: Closing the Gap

Because WinRAR lacks an automatic update mechanism, many systems remain vulnerable long after patches are available. Google’s Threat Intelligence Group emphasizes that the consistent exploitation method underscores a defensive gap in fundamental application security and user awareness.

Step‑by‑step guide – Immediate Mitigation Actions:

  1. Apply the official patch: Update all WinRAR installations to version 7.13 or later.
  2. Block RAR attachments at email gateways where possible. If required, enforce sandbox extraction.
  3. Deploy application allow‑listing (e.g., Windows AppLocker or third‑party solutions) to prevent execution of unknown binaries from `%TEMP%` and `%LOCALAPPDATA%`.
  4. Create a custom detection rule for directory traversal patterns in RAR files. Sample YARA rule (the traversal and ADS markers are regular expressions, so the dots and separators must be escaped; the signature check limits the rule to RAR archives):
    rule WinRAR_ADS_PathTraversal {
        meta:
            description = "RAR archive whose headers carry a '..' traversal sequence and an ADS-style ':stream' name"
        strings:
            $rar4 = { 52 61 72 21 1A 07 00 }     // RAR 4.x signature
            $rar5 = { 52 61 72 21 1A 07 01 00 }  // RAR 5.x signature
            $traversal = /\.\.[\\\/]/
            $ads_marker = /:[^:\\\/]{1,128}/
        condition:
            ($rar4 at 0 or $rar5 at 0) and $traversal and $ads_marker
    }

    This is a heuristic: the `:name` marker can also match inside compressed data, so test the rule against a corpus of known-benign archives before blocking on it.
  5. Enable PowerShell logging (ScriptBlock and Module logging) and monitor for `cmd.exe` spawning `powershell.exe` with download cradle patterns (-EncodedCommand, IEX, Invoke-Expression).

What Undercode Says:

  • Threat actors have turned a patched vulnerability into a reliable commodity. The continued exploitation of CVE-2025-8088 demonstrates that without forced automatic updates and centralised patch management, even known weaknesses remain viable for nation‑state and financially motivated groups for months or years after a fix exists.
  • The shift from Excel macros to WinRAR exploit chains reflects tactical evolution. SHADOW‑EARTH‑066 moved from plaintext Telegram exfiltration to encrypted C2, in‑memory DLL loading, and direct NT system calls—showing a rapid maturation in tradecraft that defenders must anticipate.

Prediction:

  • The lack of auto‑update capabilities in WinRAR and similar third‑party utilities will continue to create a long‑tail exploit market, where n‑day vulnerabilities are weaponised for as long as outdated versions persist in enterprise environments.
  • Adversaries will increasingly combine ADS‑based path traversal with other file system quirks (e.g., Zone.Identifier bypasses) to achieve stealthier initial access, making detection reliant on advanced EDR and behaviour‑based heuristics rather than static signatures.

Reported By: Varshu25 Hackers – Hackers Feeds