Technical Analysis: Advanced Reflective Loading via WinRAR Path Traversal (CVE-2025-8088)

Threat actors have evolved their exploitation capabilities by weaponizing a critical WinRAR path-traversal vulnerability, tracked as CVE-2025-8088. This campaign utilizes a sophisticated, multi-stage execution chain designed to bypass traditional file-based detection by leveraging memory-resident payloads and NTFS-level manipulation.

While the campaign reuses reconnaissance-themed lures previously associated with UAC-0226/GIFTEDCROOK activity, again targeting Ukrainian interests, the operational packaging marks a significant leap in sophistication. Rather than relying on the user to open a visible malicious file, the adversary exploits the path-traversal flaw, which abuses NTFS Alternate Data Streams (ADS), to write files to attacker-chosen locations outside the directory the user extracts into.

The malicious RAR archive writes a .lnk shortcut directly into the current user's Startup folder and, at the same time, drops two encoded payload stages into C:\ProgramData; the user sees only the decoy contents of the archive. At the next login, the planted shortcut starts a minimized Command Prompt (cmd.exe), which in turn spawns hidden PowerShell processes. These use Invoke-Expression (IEX) to run a staged script at C:\ProgramData\WC3, so the initial execution phase needs no remote download that a proxy or EDR could flag. For defenders, an archiver process writing anything into a Startup folder is the most reliable single indicator of this class of exploitation: a legitimate extraction never leaves the destination directory the user chose.
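The chain above (archiver writing into Startup, then cmd.exe spawning a hidden PowerShell that Invoke-Expressions a file under C:\ProgramData) is easy to express as two behavioural rules. The following is an added example written for this page, not code from the original analysis or from the actor; the event layout (Sysmon-style file_create and process_create records), the WinRAR.exe process name, and every path, file name and command line in the sample telemetry are assumptions made for illustration. Only C:\ProgramData\WC3 is taken from the page.

```python
"""Added example, not code from the original analysis or the actor: a small
detection pass over constructed Windows telemetry that flags the persistence
chain described above. Event shapes (file_create / process_create with Sysmon-like
fields) and every path, file name and command line below are assumptions made
for illustration; C:\\ProgramData\\WC3 is the only path taken from the page."""
import re

# WinRAR writing into a Startup folder: an archive extraction should never land here.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# powershell.exe launched with a hidden window ...
HIDDEN_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+h[a-z]*", re.I)
# ... that Invoke-Expressions something ...
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# ... sourced from C:\ProgramData (the page names C:\ProgramData\WC3 as the stage).
PROGRAMDATA_RE = re.compile(r"C:\\ProgramData\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def winrar_writes_startup_lnk(ev: dict) -> bool:
    return (ev.get("type") == "file_create"
            and _basename(ev.get("image", "")) == "winrar.exe"   # assumed process name
            and STARTUP_RE.search(ev.get("target", "")) is not None)


def cmd_spawns_hidden_iex_powershell(ev: dict) -> bool:
    cl = ev.get("command_line", "")
    return (ev.get("type") == "process_create"
            and _basename(ev.get("parent_image", "")) == "cmd.exe"
            and _basename(ev.get("image", "")) in ("powershell.exe", "pwsh.exe")
            and HIDDEN_RE.search(cl) is not None
            and IEX_RE.search(cl) is not None
            and PROGRAMDATA_RE.search(cl) is not None)


RULES = [
    ("winrar_writes_startup_lnk", winrar_writes_startup_lnk),
    ("cmd_spawns_hidden_iex_powershell", cmd_spawns_hidden_iex_powershell),
]


def flag_events(events: list) -> list:
    """Return (rule_name, event_index) for every event a rule matches."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\victim\Downloads\report\readme.txt"},        # normal extraction
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\ProgramData\run.cmd"},            # hypothetical target
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -w hidden -c "IEX (Get-Content C:\ProgramData\WC3 -Raw)"'},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "Get-Date"'},       # hidden but benign
]

if __name__ == "__main__":
    for name, idx in flag_events(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

The first rule fires on the Startup-folder write alone, independent of what the dropped file later does, which is why it is the one worth deploying first: it catches the traversal itself rather than any particular second stage.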

The PowerShell Loader: Obfuscation and Memory Injection

The PowerShell stage (WC3) is intentionally noisy to frustrate automated analysis: it is padded with thousands of junk functions, randomized identifiers and superfluous Write-Host calls. Buried in this noise is a compact execution core. After a 60-second sleep intended to outlast sandbox time limits, the script decodes a 1,131,008-byte blob (identified as wt1) using a simple additive cipher, subtracting 0x48 from each byte (modulo 256).
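The additive layer is a one-line transform, but the same analysis routinely has to be done on samples where the constant is not handed to you. The block below is an added example written for this page, not the actor's script or code from the original analysis: it decodes a blob with the reported constant and shows how to recover the constant from ciphertext statistics when it is unknown, going beyond the single 0x48 case in the text. The "image" it operates on is a constructed stand-in, and the layout it assumes for the first 0x400 bytes (ImageBase then SizeOfImage) is an illustration only; the page gives the field names but not their offsets.

```python
"""Added example, not code from the original analysis: reverses the additive byte
layer reported for the wt1 blob (ciphertext = plaintext + 0x48 mod 256) and shows
how the constant can be recovered when it is unknown. The 'image' below is a
constructed stand-in, and its 0x400-byte header layout (ImageBase, SizeOfImage)
is an assumption made for illustration; the page gives only the field names."""
import struct

KEY_FROM_PAGE = 0x48


def decode_additive(data: bytes, key: int) -> bytes:
    """Subtract key from every byte (mod 256) via a 256-entry translation table."""
    return data.translate(bytes((i - key) & 0xFF for i in range(256)))


def encode_additive(data: bytes, key: int) -> bytes:
    return data.translate(bytes((i + key) & 0xFF for i in range(256)))


def recover_additive_key(data: bytes) -> int:
    """Guess the key of a single-byte additive cipher over a native code image.

    In a mapped image 0x00 is overwhelmingly the most frequent byte (zero padding,
    zeroed fields, high bytes of small immediates and RVAs), so the most frequent
    ciphertext value is, with high probability, 0x00 + key."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return max(range(256), key=counts.__getitem__)


def has_standard_pe_header(data: bytes) -> bool:
    """True only for a conventional PE: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_image() -> bytes:
    """A fake headerless image: assumed custom header + zero-heavy body with strings."""
    header = bytearray(0x400)
    struct.pack_into("<QI", header, 0, 0x180000000, 0x11A000)   # layout is an assumption
    body = bytearray(0x2000)
    for off, s in ((0x100, b"logins.json"), (0x200, b"key4.db"), (0x300, b".kdbx")):
        body[off:off + len(s)] = s
    body[0x800:0x900] = bytes(range(256))                        # some non-zero 'code'
    return bytes(header + body)


def analyse_blob(blob: bytes) -> dict:
    """Recover the key, strip the layer and report what the decoded image looks like."""
    key = recover_additive_key(blob)
    plain = decode_additive(blob, key)
    return {"key": key,
            "standard_pe": has_standard_pe_header(plain),           # False: headerless
            "image_base": struct.unpack_from("<Q", plain, 0)[0],    # per assumed layout
            "size_of_image": struct.unpack_from("<I", plain, 8)[0]}


if __name__ == "__main__":
    encoded = encode_additive(build_constructed_image(), KEY_FROM_PAGE)
    print(analyse_blob(encoded))
```

The frequency heuristic works because native images are dominated by zero bytes; it is the same trick that recovers single-byte XOR keys, and it fails in the same way on compressed or already-encrypted payloads, where no byte value stands out.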

The loader then calls the native APIs NtAllocateVirtualMemory and NtProtectVirtualMemory directly to obtain an executable memory region. Once the decoded bytes are copied in, it creates a new thread whose start address is a fixed offset of 0x173B0 into that region. As Synaptics notes, this offset resolves to an exported function, Main.dll!Func, inside the reconstructed image. Crucially, that routine is a custom reflective PE mapper rather than the data-stealing logic itself: the thread started at 0x173B0 performs the loading, and the stealer only runs once the mapping completes.

Custom header analysis: the first 0x400 bytes constitute a custom header structure (Source: Synaptics).

Reflective PE Mapping and Evasion Tactics

The payload is not a conventional PE file on disk; it is a "headerless" image. A small custom metadata header supplies the information the mapper needs for reconstruction: the original ImageBase (0x180000000), SizeOfImage (0x11A000), the entry RVA, and the locations of the relocation and import tables. This is a potent evasion technique: because the decoded blob carries no MZ/PE headers, signature-based scanners keyed on those structures do not recognize it as an executable image, and a memory scanner that looks for a PE header at the base of an executable region will not find one either, since the mapper never writes one.

The in-memory reflective mapper performs a full manual load: it walks the Process Environment Block (PEB) to locate loaded modules and resolve APIs, copies sections into place, resolves imports, applies base relocations for the actual load address, and finally calls the DLL_PROCESS_ATTACH entry point. To give the operator real-time feedback, the loader transmits 16 bytes of telemetry (mapping status, relocation success, etc.) to hxxps://142.111.194[.]73:8640/dj5FZEiLnA/, after first disabling TLS certificate validation process-wide so that a self-signed or rotated certificate cannot interrupt the check-in. That global override is itself a useful hunting signal: a PowerShell process that turns off certificate validation and then posts a 16-byte body to a bare IP address on a non-standard port has few legitimate explanations.
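Of the steps in that manual load, base relocation is the one that decides whether a headerless image runs at all: the image was linked for 0x180000000, the allocation the loader actually receives will be elsewhere, and every absolute pointer must be shifted by the difference. The block below is an added example for this page, not the actor's mapper: it applies a relocation directory to a constructed image in the documented Windows format (IMAGE_BASE_RELOCATION blocks of a 4-byte page RVA and 4-byte block size, followed by 16-bit entries whose high nibble is the type), handling both the 64-bit DIR64 entries an x64 image uses and the 32-bit HIGHLOW entries of x86 images. The image, its pointers, the relocation block and the new base address are constructed; in the real payload the directory's RVA would come from the custom header.

```python
"""Added example, not the actor's mapper: applies PE base relocations to an image
that was mapped somewhere other than its preferred ImageBase (0x180000000 per the
page). The image, its single relocation block and the pointers in it are
constructed; the block format (IMAGE_BASE_RELOCATION: 4-byte page RVA, 4-byte
block size, then 16-bit entries whose high nibble is the type) is the documented
Windows one. In the real payload the directory's RVA comes from the custom header."""
import struct

PREFERRED_BASE = 0x180000000
IMAGE_REL_BASED_ABSOLUTE = 0    # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3     # 32-bit pointer (x86)
IMAGE_REL_BASED_DIR64 = 10      # 64-bit pointer (x64)


def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int, delta: int) -> int:
    """Add delta to every pointer listed in the relocation directory; return the count."""
    if delta == 0:
        return 0                                # loaded at preferred base: nothing to do
    pos, end, patched = reloc_rva, reloc_rva + reloc_size, 0
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("malformed relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            typ, target = entry >> 12, page_rva + (entry & 0xFFF)
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ == IMAGE_REL_BASED_DIR64:
                val, = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            elif typ == IMAGE_REL_BASED_HIGHLOW:
                val, = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {typ}")
            patched += 1
        pos += block_size
    return patched


def build_sample_image():
    """Constructed 0x3000-byte image with two absolute pointers and one reloc block."""
    image = bytearray(0x3000)
    struct.pack_into("<Q", image, 0x1010, PREFERRED_BASE + 0x2000)  # pointer into the image
    struct.pack_into("<Q", image, 0x1020, PREFERRED_BASE + 0x1100)  # another one
    struct.pack_into("<I", image, 0x1030, 0x41414141)              # plain data, must not change
    reloc_rva = 0x2000
    entries = [(IMAGE_REL_BASED_DIR64, 0x10), (IMAGE_REL_BASED_DIR64, 0x20),
               (IMAGE_REL_BASED_ABSOLUTE, 0), (IMAGE_REL_BASED_ABSOLUTE, 0)]  # padded to 4 bytes
    block_size = 8 + 2 * len(entries)
    struct.pack_into("<II", image, reloc_rva, 0x1000, block_size)
    for i, (typ, off) in enumerate(entries):
        struct.pack_into("<H", image, reloc_rva + 8 + 2 * i, (typ << 12) | off)
    return image, reloc_rva, block_size


def read_qword(image, rva: int) -> int:
    return struct.unpack_from("<Q", image, rva)[0]


def read_dword(image, rva: int) -> int:
    return struct.unpack_from("<I", image, rva)[0]


def relocate_sample(new_base: int):
    """Map the constructed image at new_base; return (image, pointers patched)."""
    image, rva, size = build_sample_image()
    return image, apply_relocations(image, rva, size, new_base - PREFERRED_BASE)


if __name__ == "__main__":
    img, n = relocate_sample(0x00007FF6A0000000)                   # assumed load address
    print(n, hex(read_qword(img, 0x1010)), hex(read_qword(img, 0x1020)))
```

The count the function returns is exactly the kind of value the loader's 16-byte telemetry reports back as "relocation success"; an analyst re-implementing the mapper can compare it against the number of entries in the recovered directory to confirm the header fields were parsed correctly.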

Data Exfiltration and Targeted Intelligence Gathering

Once the module is active, its strings are protected by an RC4-like stream cipher that operates on 16-bit UTF-16 code units rather than on bytes, which means a stock byte-oriented RC4 routine is not a drop-in decryptor. Reversing this layer reveals highly targeted collection modules; the payload is built for comprehensive credential and data theft:

  • Browser Harvesting: Targets Chromium-based browsers (Chrome, Edge, Opera) using CryptUnprotectData for cookies and credentials, and Firefox via logins.json and key3/key4.db.
  • Sensitive Files: Aggregates VPN configurations (.ovpn), KeePass databases (.kdbx), and Java Keystores (.jks).
  • Staging: Collected data is staged within user-profile directories and compressed into a randomly named ZIP container prior to exfiltration.
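To make the "UTF-16 words" detail concrete, the block below is an added example written for this page, not the payload's own routine and not a recovered key: it uses a standard RC4 keystream but consumes two keystream bytes per 16-bit code unit, which is one plausible reading of "RC4-like, operating on UTF-16 words". The key, the byte-combination order and the string table (built from the indicator file names listed above) are assumptions; the only known value in it is the classic byte-wise RC4 test vector, included so the keystream generator itself can be checked.

```python
"""Added example, not the payload's own routine: one plausible reading of an
'RC4-like stream cipher operating on UTF-16 words'. The keystream is standard RC4
(KSA + PRGA); two keystream bytes are combined little-endian into one 16-bit word
and XORed with each UTF-16LE code unit. The key, the word-combination order and
the plaintext strings below are assumptions; only the byte-wise RC4 test vector is
a known value."""


def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling, then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_bytes(key: bytes, data: bytes) -> bytes:
    """Plain byte-oriented RC4, kept to show the contrast with the word variant."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def crypt_utf16_words(key: bytes, words: list) -> list:
    """XOR each 16-bit code unit with a 16-bit keystream word (symmetric)."""
    ks = rc4_keystream(key)
    out = []
    for w in words:
        kw = next(ks) | (next(ks) << 8)   # assumed: low keystream byte first
        out.append(w ^ kw)
    return out


def _to_units(raw: bytes) -> list:
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]


def _from_units(units: list) -> bytes:
    return b"".join(w.to_bytes(2, "little") for w in units)


def encrypt_string(key: bytes, text: str) -> bytes:
    return _from_units(crypt_utf16_words(key, _to_units(text.encode("utf-16-le"))))


def decrypt_string(key: bytes, blob: bytes) -> str:
    return _from_units(crypt_utf16_words(key, _to_units(blob))).decode("utf-16-le")


def decrypt_table(key: bytes, table: list) -> list:
    """Decrypt a whole string table, one keystream restart per string."""
    return [decrypt_string(key, blob) for blob in table]


# Constructed string table; the file names are the indicators the page lists.
ASSUMED_KEY = b"constructed-key"
SAMPLE_STRINGS = ["logins.json", "key4.db", "*.kdbx", "*.ovpn", "*.jks"]

if __name__ == "__main__":
    table = [encrypt_string(ASSUMED_KEY, s) for s in SAMPLE_STRINGS]
    for blob, s in zip(table, decrypt_table(ASSUMED_KEY, table)):
        print(blob.hex(), "->", s)
```

Whether the real variant restarts the keystream per string, combines bytes high-first, or modifies the KSA is exactly what has to be read out of the decompiled routine; the point of the example is that once those three choices are pinned down, the decryptor is a few lines and can be validated against the plaintext file names the page lists.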

IIM comparison view (Source: Synaptics).

While the actor continues to host infrastructure via evoxt[.]com, they have made several defensive adjustments to evade EDR and YARA signatures: rotating TLS certificates, shifting the callback port from 8406 to 8640, and using randomized URL endpoints. Detections keyed on a single certificate fingerprint, port or URL path will therefore age quickly; the stable elements are the behavioural chain (an archiver writing into Startup, hidden PowerShell, native memory allocation followed by a new thread) and the headerless-image loader pattern.
