Operation FiyatTeklifi -- CVE-2025-8088 WinRAR Exploit Delivering Turkish Telegram RAT

Investigated: April 5, 2026 | Published: April 5, 2026

  • TLP: WHITE
  • Date: 2026-04-05
  • Analyst: GHOST (Breakglass Intelligence)
  • Classification: Cybercrime -- Turkish-speaking threat actor
  • Status: LIVE CAMPAIGN -- C2 active, 1 victim confirmed

Executive Summary

A Turkish-speaking threat actor is exploiting CVE-2025-8088, a WinRAR vulnerability that abuses NTFS Alternate Data Streams (ADS) with path traversal, to deliver a sophisticated Python-based Telegram RAT to victims in Turkey and Germany. The attack chain begins with a RAR archive named "fiyat teklifi.rar" (Turkish for "price quote") containing a decoy PDF and 30 malicious ADS entries that write a .NET downloader ("Updater.exe") to the Windows Startup folder. This downloader fetches a 76MB PyInstaller-packed Telegram RAT ("WindowsServices.exe") from a Google Cloud C2 server at 34[.]69[.]246[.]76. The RAT, version 1.0.8, provides full remote control including keylogging, webcam capture, screen recording, file exfiltration via FTP, voice recording, browser data theft, and a multi-victim leader-election system. At time of investigation, one active victim was identified on TurkNet ISP in Istanbul, Turkey. The Telegram bot (@Roberta3358_bot) and all C2 infrastructure remain LIVE.

Key Findings

  • CVE-2025-8088 exploit uses 30 ADS path traversal variants (backslash, forward slash, space-padded) at depths 1-10 to guarantee payload placement regardless of extraction directory depth
  • C2 server (34[.]69[.]246[.]76, Google Cloud) openly serves the second-stage at hxxp://34[.]69[.]246[.]76/data/WindowsServices.exe with a root page reading "OK - use /data/WindowsServices.exe"
  • Telegram bot token and FTP credentials extracted via PBKDF2+XOR decryption (key: "MaQ_S3cur3_K3y_2024_Pr0t3ct3d!")
  • One active victim identified: Windows 11 user "Rst-d" on host B7C9A907627802D at 95[.]70[.]214[.]153 (TurkNet, Istanbul)
  • Multi-victim architecture: Leader election via /data/lock_api.php prevents multiple bot instances from polling Telegram simultaneously
  • FTP exfiltration: Stolen data uploaded to FTP on the same C2 (ftpuser/Kxev8RHwmmT8L7YA)
  • UAC bypass: Uses Fodhelper technique for privilege escalation
  • Anti-analysis: VM artifact detection, system resource checks, random sleep delays, IsDebuggerPresent
  • Turkish-language code comments throughout: function docstrings in Turkish confirm native Turkish speaker
  • PDF decoy: Generated by ReportLab Python library, timestamp UTC+3 (Turkey timezone)
  • WindowsServices.exe is NOT YET ON VIRUSTOTAL -- novel second-stage sample (SHA256: 59100fba79307120816c9733e38d85a2c9b769905f1a8177863a5b97255ca46e)

Attack Chain

[Email/Social Engineering]
  "fiyat teklifi.rar" (price quote)
    |
    v
[CVE-2025-8088 -- WinRAR ADS Path Traversal]
  30 ADS entries: ..\..\..\AppData\..\Startup\Updater.exe
  _wr_storage_pad_5288.bin (31MB null padding)
  fiyat teklifi.pdf (decoy -- ReportLab generated)
    |
    v
[Updater.exe -- .NET Downloader, 6.6KB]
  Written to Startup folder via ADS exploit
  Downloads from: hxxp://34.69.246.76/data/WindowsServices.exe
    |
    v
[WindowsServices.exe -- PyInstaller Python RAT, 76MB]
  Written to: Startup\WindowsServices.exe
  Persistence via Startup folder
    |
    v
[Telegram C2 -- @Roberta3358_bot]
  Full RAT capabilities:
  - Keylogging (pynput)
  - Screen capture/recording (mss, cv2)
  - Webcam capture (cv2)
  - Voice recording (pyaudio)
  - File manager with FTP exfil
  - Browser data theft (history, cookies, bookmarks)
  - Process management
  - System info collection
  - Network recon (ping, port scan)
  - USB monitoring
  - Clipboard monitoring
  - Mouse/keyboard control
  - Text-to-speech
  - Wallpaper change
  - Input blocking
  - Self-destruct
  - Self-update
  - Remote shell (cmd.exe)
  - File download from URL to disk
  - Windows Defender disable (PowerShell)
  - UAC bypass (Fodhelper)
    |
    v
[FTP Exfiltration]
  ftp://34.69.246.76 (ftpuser)
  Per-victim directories for stolen data

Infrastructure Analysis

C2 Server

| IP | ASN | Provider | Ports | Services | Status |
|---|---|---|---|---|---|
| 34[.]69[.]246[.]76 | AS15169 | Google Cloud | 22, 80, 21 | OpenSSH 9.2p1, nginx/1.22.1, vsftpd | LIVE |
  • Reverse DNS: 76[.]246[.]69[.]34[.]bc[.]googleusercontent[.]com
  • HTTP root: Returns "OK - use /data/WindowsServices.exe" (35 bytes, text/plain)
  • Active API endpoints:
    • /data/lock_api.php -- Leader election (returns JSON)
    • /data/list_pcs -- Victim registry (returns JSON with active victims)
    • /data/WindowsServices.exe -- Payload delivery (80MB, last modified 2026-04-04 21:07 UTC)
  • FTP: vsftpd, login successful with ftpuser/Kxev8RHwmmT8L7YA (data transfer blocked externally)
  • No TLS: All traffic unencrypted HTTP

Telegram Bot

  • Bot Username: @Roberta3358_bot
  • Bot First Name: robertabot
  • Bot ID: 8657771413
  • Token: 8657771413:AAFdkOrT2cuJ5Iebl6Cjl7vHaWI28dvNrlc
  • Admin Chat ID: 8657771413
  • Notify Channel ID: -1003662944130
  • Bot Password: 333893+++

Victim Registry (Live at time of investigation)

| PC Hash | Hostname | IP | ISP | OS | Username | Version | Last Seen |
|---|---|---|---|---|---|---|---|
| d033707d015b | B7C9A907627802D | 95[.]70[.]214[.]153 | TurkNet (Istanbul, TR) | Windows 11 | Rst-d | 1.0.8 | 2026-04-05 ~01:30 UTC |

Malware Analysis

Stage 1: fiyat teklifi.rar (CVE-2025-8088 Exploit)

  • SHA256: 07f2d8f3a9c9430d91620d6a8b83c20dc9d020f00b7066b3ff9bd0fec20b7c2d
  • MD5: ed029c8a13695830139de2b222827940
  • File Type: RAR v5
  • Size: 31,424,554 bytes (30 MB)
  • Created: 2026-03-23 07:47:01 UTC
  • VT Detection: 11/76
  • MalwareBazaar: First seen 2026-04-04 19:39:20
  • Reporter: smica83

CVE-2025-8088 Mechanism: The RAR contains 30 NTFS Alternate Data Streams (ADS) attached to the PDF decoy file. Each ADS uses path traversal at increasing directory depths (1-10) with three separator styles (backslash, space-padded backslash, forward slash) to target %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe. The _wr_storage_pad_5288.bin (31MB null file) serves as padding to manipulate RAR internal offsets. When a vulnerable WinRAR extracts this archive, it writes the ADS payload (Updater.exe) to the Startup folder regardless of the extraction directory depth.
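As an added illustration (not code from the report or from the sample), a Python check for the traversal pattern described above: it normalises an ADS stream name across the three separator styles, counts how far it climbs out of the extraction directory, and flags names that resolve to an executable under a Startup folder. The leading ':' handling is an assumption about how an archive parser would present stream names, and the sample entries are constructed.

```python
import re

# Separator styles the report describes: backslash, space-padded backslash, forward
# slash. The spaces around a separator are what a naive "..\" string match misses.
_SEP_RE = re.compile(r"\s*[\\/]\s*")

def normalise_stream_target(stream_name: str) -> tuple[int, str]:
    """Return (escape_depth, resolved_path): how many levels the stream name climbs
    above the extraction directory (0 = stays inside) and the path left after the
    '..' components are applied. A leading ':' (assumed ADS prefix) is ignored."""
    name = stream_name.strip().lstrip(":")
    parts = [p for p in _SEP_RE.split(name) if p not in ("", ".")]
    depth = min_depth = 0
    kept: list[str] = []
    for part in parts:
        if part == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
            if kept:
                kept.pop()
        else:
            depth += 1
            kept.append(part)
    return -min_depth, "\\".join(kept)

def classify_ads(stream_name: str) -> str:
    """'benign': stays inside; 'traversal': escapes; 'startup-drop': escapes and
    resolves to an executable under a Startup folder (the report's pattern)."""
    escape, path = normalise_stream_target(stream_name)
    if escape == 0:
        return "benign"
    low = path.lower()
    return "startup-drop" if low.endswith(".exe") and "startup" in low else "traversal"

def scan_archive_entries(entries: list[tuple[str, str]]) -> list[dict]:
    """entries are (file_name, stream_name) pairs as an archive parser would yield them."""
    findings = []
    for file_name, stream in entries:
        verdict = classify_ads(stream)
        if verdict != "benign":
            escape, target = normalise_stream_target(stream)
            findings.append({"file": file_name, "verdict": verdict,
                             "escape_depth": escape, "target": target})
    return findings

# Constructed sample entries modelled on the report's description, not the real archive.
SAMPLE_ENTRIES = [
    ("fiyat teklifi.pdf", ":Zone.Identifier"),
    ("fiyat teklifi.pdf", ":..\\..\\..\\AppData\\..\\Startup\\Updater.exe"),
    ("fiyat teklifi.pdf", ":.. \\ .. \\ AppData \\ Roaming \\ Microsoft \\ Windows \\ "
                          "Start Menu \\ Programs \\ Startup \\ Updater.exe"),
    ("fiyat teklifi.pdf", ":../../../../../../../../../../tmp/notes.txt"),
]
```

Any ADS that escapes the extraction directory is abnormal on its own; the startup-drop verdict only ranks the cases that match this campaign's payload placement.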

Stage 2: Updater.exe (.NET Downloader)

  • SHA256: f130fafb1d81adb66184751b96b8673fbbff7118990753f97c3a1ef33ee0fd84
  • File Type: .NET PE32 (Win32 EXE)
  • Size: 6,656 bytes
  • CLR Version: v4.0.30319
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
  • PE Timestamp: 2026-03-21
  • Assembly Name: Updater.exe
  • VT Detection: 17/76

Behavior: Downloads WindowsServices.exe from hxxp://34[.]69[.]246[.]76/data/WindowsServices.exe and places it in the Startup folder for persistence.

Stage 3: WindowsServices.exe (Python Telegram RAT)

  • SHA256: 59100fba79307120816c9733e38d85a2c9b769905f1a8177863a5b97255ca46e
  • MD5: 8d8a1c2f7831b0d99d5170047d3178f0
  • File Type: PE32+ (x86-64) PyInstaller
  • Size: 80,039,279 bytes (76 MB)
  • PE Timestamp: 2026-04-04 21:05 UTC
  • Python Version: 3.13
  • Packer: PyInstaller 2.1+
  • VT Status: NOT SUBMITTED
  • RAT Version: 1.0.8
  • Source Filename: app.pyw

Capabilities (MITRE ATT&CK mapped below):

  • Persistence: Startup folder (Updater.exe and WindowsServices.exe)
  • Privilege Escalation: Fodhelper UAC bypass
  • Defense Evasion: Disable Windows Defender via PowerShell, VM detection, anti-analysis stalling
  • Credential Access: Browser cookie/password theft (Chrome, Firefox, Edge)
  • Discovery: System info, network info, process listing, installed programs, Wi-Fi passwords
  • Collection: Keylogging (pynput), clipboard monitoring (pyperclip), screen recording (mss+cv2), webcam (cv2), voice recording (pyaudio), file browsing, USB monitoring
  • Exfiltration: FTP upload to C2, Telegram file transfer
  • Command and Control: Telegram Bot API with leader election
  • Impact: Input blocking, wallpaper change, TTS output, self-destruct

Encryption: Config values are XORed with a keystream derived via PBKDF2-HMAC-SHA256 (key: MaQ_S3cur3_K3y_2024_Pr0t3ct3d!, salt: maq_salt_v1, 100000 iterations); the resulting ciphertext is stored base85-encoded.
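An added example (not the sample's own code) that reimplements the scheme as the report describes it, so an analyst can turn recovered base85 strings back into config values. The 32-byte keystream length and cyclic XOR are assumptions about the sample's layout, the sample value is constructed, and recover_keystream shows why the PBKDF2 step adds no protection once the passphrase ships inside the binary.

```python
import base64
import hashlib

# Parameters recovered in the report.
PASSPHRASE = b"MaQ_S3cur3_K3y_2024_Pr0t3ct3d!"
SALT = b"maq_salt_v1"
ITERATIONS = 100_000
KEYSTREAM_LEN = 32   # assumption: how much PBKDF2 output the sample uses as keystream

def derive_keystream(length: int = KEYSTREAM_LEN) -> bytes:
    """PBKDF2-HMAC-SHA256 over a passphrase hardcoded in the binary: the output is
    fixed, so the 100000 iterations slow down nobody who holds the sample."""
    return hashlib.pbkdf2_hmac("sha256", PASSPHRASE, SALT, ITERATIONS, dklen=length)

def xor_with_keystream(data: bytes, keystream: bytes) -> bytes:
    # Assumption: the keystream is cycled over the data (plain repeating-key XOR).
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))

def decrypt_config_value(ciphertext_b85: str) -> str:
    """Base85 decode, XOR, UTF-8 decode: the direction an analyst runs on strings
    pulled from the unpacked app.pyw."""
    return xor_with_keystream(base64.b85decode(ciphertext_b85), derive_keystream()).decode("utf-8")

def encrypt_config_value(plaintext: str) -> str:
    """Forward direction, used here only to build constructed sample ciphertext."""
    ct = xor_with_keystream(plaintext.encode("utf-8"), derive_keystream())
    return base64.b85encode(ct).decode("ascii")

def recover_keystream(ciphertext_b85: str, known_plaintext: bytes) -> bytes:
    """Why the scheme is weak regardless of PBKDF2: with a repeating XOR keystream,
    a known plaintext prefix (e.g. the bot ID that begins every Telegram token, which
    the report lists) yields the keystream bytes without deriving them at all."""
    return bytes(c ^ p for c, p in zip(base64.b85decode(ciphertext_b85), known_plaintext))

# Constructed sample value; not the real encrypted configuration.
SAMPLE_PLAINTEXT = "ftpuser:constructed-sample-password"
SAMPLE_CIPHERTEXT = encrypt_config_value(SAMPLE_PLAINTEXT)
```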

Leader Election: Multi-victim management system using HTTP-based lock (/data/lock_api.php). Prevents multiple infected machines from polling the Telegram bot simultaneously. Supports preferred master selection via /data/set_preferred_master.

Threat Actor Profile

Attribution Assessment

  • Confidence: HIGH
  • Language: Turkish (native speaker -- function docstrings, variable names like ekran_goruntusu [screenshot], Analiz araclarini atlatmak [bypass analysis tools])
  • Country/Region: Turkey (UTC+3 timestamps, TurkNet victim, Turkish filename)
  • Motivation: Financial / Surveillance (comprehensive RAT capabilities suggest cybercrime or targeted surveillance)
  • Sophistication: MEDIUM -- competent Python developer, uses CVE exploit in RAR, PBKDF2 config encryption, but operational security is poor (plaintext HTTP, FTP with hardcoded creds, no C2 domain -- raw IP only)
  • OPSEC Failures:
    • Hardcoded encryption key with obvious naming convention (MaQ_S3cur3_K3y_2024_Pr0t3ct3d!)
    • C2 root page literally announces payload URL
    • Victim list API (/data/list_pcs) accessible without authentication
    • Lock API accessible without authentication
    • FTP credentials embedded in binary
    • Bot token reuses admin user ID as chat ID
    • No domain name -- raw IP only (easy to take down)
    • Same Google Cloud instance for C2, FTP, and payload hosting (single point of failure)

Possible Actor Identifiers

  • Encryption key pattern: "MaQ" prefix suggests personal identifier or project name
  • Bot name: "Roberta" / "robertabot" -- possible alias or girlfriend/family name
  • Password: "333893+++" -- possible personal number with pattern
  • Key year: "2024" in encryption key suggests development started in 2024

Campaign Context: CVE-2025-8088 in the Wild

This sample is part of a broader wave of CVE-2025-8088 exploitation. MalwareBazaar shows multiple samples with the same CVE tag, several targeting Ukraine with filenames in Ukrainian (military-themed documents including court summons and military registry records). The Turkish sample represents a DIFFERENT campaign from the Ukrainian ones:

| Sample | Language | Target | ClamAV Signatures |
|---|---|---|---|
| fiyat teklifi.rar | Turkish | Germany/Turkey | None |
| Виконавчий_лист_*.rar | Ukrainian | Ukraine | TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088 |
| Судова_повiстка_*.rar | Ukrainian | Ukraine | TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088 |
| Запит_*.rar | Ukrainian | Ukraine | TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088 |
| Вiдомостi_з_реєстру_*.rar | Ukrainian | Ukraine | TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088 |

The Ukrainian samples are detected by ClamAV with "HongKongGarden" and "GhettoSuperstream" signatures while the Turkish sample has NO ClamAV detection, suggesting a different builder/toolchain.

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Phishing Attachment | T1566.001 | RAR archive via email ("fiyat teklifi"/price quote) |
| Execution | User Execution: Malicious File | T1204.002 | User opens RAR, triggering CVE-2025-8088 |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | PyInstaller-packed Python RAT |
| Persistence | Boot or Logon Autostart: Startup Folder | T1547.001 | Both Updater.exe and WindowsServices.exe in Startup |
| Privilege Escalation | Abuse Elevation Control: Bypass UAC | T1548.002 | Fodhelper UAC bypass |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | PowerShell disables Windows Defender |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497.001 | VM artifact checks, resource checks, anti-analysis sleep |
| Credential Access | Steal Web Session Cookie | T1539 | Browser cookie theft |
| Discovery | System Information Discovery | T1082 | OS, hostname, username, IP collection |
| Discovery | Process Discovery | T1057 | Running process enumeration |
| Discovery | Software Discovery | T1518 | Installed program listing |
| Collection | Input Capture: Keylogging | T1056.001 | pynput keyboard listener |
| Collection | Screen Capture | T1113 | mss screenshot capture + cv2 recording |
| Collection | Video Capture | T1125 | OpenCV webcam capture |
| Collection | Audio Capture | T1123 | PyAudio voice recording |
| Collection | Clipboard Data | T1115 | pyperclip clipboard monitoring |
| Exfiltration | Exfiltration Over Alternative Protocol | T1048 | FTP upload to C2 |
| Command and Control | Application Layer Protocol: Web | T1071.001 | Telegram Bot API for C2 |
| Impact | Data Manipulation | T1565 | Wallpaper change, input blocking, TTS |

IOC Summary

Network Indicators

  • 34[.]69[.]246[.]76 (Google Cloud -- C2, FTP, payload delivery) -- LIVE
  • hxxp://34[.]69[.]246[.]76/data/WindowsServices.exe (payload URL) -- LIVE
  • hxxp://34[.]69[.]246[.]76/data/lock_api.php (leader election API) -- LIVE
  • hxxp://34[.]69[.]246[.]76/data/list_pcs (victim registry) -- LIVE

Telegram Indicators

  • Bot: @Roberta3358_bot (ID: 8657771413)
  • Token: 8657771413:AAFdkOrT2cuJ5Iebl6Cjl7vHaWI28dvNrlc
  • Admin Chat ID: 8657771413
  • Notify Channel: -1003662944130

File Indicators

| File | SHA256 | MD5 |
|---|---|---|
| fiyat teklifi.rar | 07f2d8f3a9c9430d91620d6a8b83c20dc9d020f00b7066b3ff9bd0fec20b7c2d | ed029c8a13695830139de2b222827940 |
| Updater.exe | f130fafb1d81adb66184751b96b8673fbbff7118990753f97c3a1ef33ee0fd84 | (from VT bundled) |
| WindowsServices.exe | 59100fba79307120816c9733e38d85a2c9b769905f1a8177863a5b97255ca46e | 8d8a1c2f7831b0d99d5170047d3178f0 |
| fiyat teklifi.pdf | dc4268f52b742829a105c0d89498c24b2dfffd6c8a8ca99bb447b47b9661718a | 183542d56d6bfd3604a78ad3ed7ac4e9 |

Behavioral Indicators

  • Startup folder persistence: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe
  • Startup folder persistence: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.exe
  • PyInstaller temp directory: %TEMP%\_MEI*
  • HTTP download from raw IP to Startup folder
  • FTP connection to 34[.]69[.]246[.]76 (port 21)
  • Telegram Bot API connections
  • Registry key: Software\Classes\ms-settings\Shell\Open\command (Fodhelper UAC bypass)
  • PowerShell execution with -ExecutionPolicy Bypass -WindowStyle Hidden (Defender disable)
  • Screenshot file: ekran_goruntusu.jpg

Encryption Artifacts

  • Key: MaQ_S3cur3_K3y_2024_Pr0t3ct3d!
  • Salt: maq_salt_v1
  • Algorithm: PBKDF2-HMAC-SHA256 (100000 iterations) + XOR
  • Encoding: Base85

Immediate (24-48 hours)

  1. Block IOCs: Add 34[.]69[.]246[.]76 to firewall blocklists
  2. Hunt for Updater.exe/WindowsServices.exe in Startup folders across enterprise
  3. Report to Google Cloud abuse: GCP Abuse Report for IP 34[.]69[.]246[.]76
  4. Report Telegram bot: Report @Roberta3358_bot to Telegram abuse
  5. Alert TurkNet/TR-CERT: Active victim at 95[.]70[.]214[.]153

Short-term (1-2 weeks)

  1. Update WinRAR: Patch CVE-2025-8088 across all endpoints
  2. Deploy YARA rules (below) for Updater.exe and RAT detection
  3. Deploy Suricata rules (below) for C2 traffic detection
  4. Monitor Telegram: Check for bot token rotation

Medium-term (1-3 months)

  1. Track actor: Monitor "MaQ" encryption key pattern across future samples
  2. WinRAR policy: Consider blocking RAR extraction with ADS in enterprise environments
  3. PyInstaller detection: Flag large PyInstaller executables in Startup folder
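An added hunting script (not from the report) covering the Startup-folder hunt in the immediate list and the PyInstaller flag in step 3 above: it walks the Startup folders for the two campaign filenames, large executables, and the archive cookie marker PyInstaller embeds in every bundled binary. The size threshold and the all-users Startup folder under %PROGRAMDATA% are my additions, and demo() builds a constructed sample folder so the scanner can be exercised anywhere.

```python
import os
import tempfile
from pathlib import Path

# Marker PyInstaller writes into every bundled executable's archive cookie (a real
# PyInstaller constant); an EXE carrying it in a Startup folder is worth a look.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
KNOWN_NAMES = {"updater.exe", "windowsservices.exe"}   # filenames from the report
LARGE_EXE_BYTES = 20 * 1024 * 1024   # assumption: threshold for "large" (the RAT is 76 MB)

def startup_folders() -> list[Path]:
    """Per-user Startup folder from the report plus the all-users one (Windows only)."""
    tail = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    return [Path(os.environ[v]) / tail for v in ("APPDATA", "PROGRAMDATA") if v in os.environ]

def contains_marker(path: Path, marker: bytes, chunk: int = 1 << 20) -> bool:
    """Stream through the file, keeping an overlap so a marker split across chunks is found."""
    carry = b""
    with path.open("rb") as f:
        while block := f.read(chunk):
            if marker in carry + block:
                return True
            carry = block[-(len(marker) - 1):]
    return False

def scan_folder(folder: Path) -> list[dict]:
    """Flag files by campaign filename, size, and PyInstaller marker; returns findings."""
    findings = []
    for p in sorted(folder.iterdir()):
        if not p.is_file():
            continue
        reasons = []
        if p.name.lower() in KNOWN_NAMES:
            reasons.append("filename matches campaign IOC")
        if p.suffix.lower() == ".exe":
            if p.stat().st_size >= LARGE_EXE_BYTES:
                reasons.append("large executable in Startup")
            if contains_marker(p, PYINSTALLER_MAGIC):
                reasons.append("PyInstaller-packed")
        if reasons:
            findings.append({"path": str(p), "size": p.stat().st_size, "reasons": reasons})
    return findings

def demo() -> list[dict]:
    """Constructed sample Startup folder (not a real infection) to exercise the scanner."""
    d = Path(tempfile.mkdtemp())
    (d / "WindowsServices.exe").write_bytes(b"MZ" + b"\0" * 100 + PYINSTALLER_MAGIC + b"\0" * 16)
    (d / "OneNote.lnk").write_bytes(b"L\0\0\0")
    return scan_folder(d)

if __name__ == "__main__":
    for folder in startup_folders():
        for finding in (scan_folder(folder) if folder.is_dir() else []):
            print(finding)
```

A legitimate PyInstaller application can sit in Startup, so treat the marker as a triage signal to pair with the filename and network indicators above rather than as a verdict.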

Abuse Reports

Google Cloud (GCP)

  • Subject: Active malware C2 server on Google Cloud
  • IP: 34.69.246.76
  • Evidence: Serves malware payload at /data/WindowsServices.exe, C2 APIs at /data/lock_api.php and /data/list_pcs, FTP exfiltration server
  • Last confirmed active: 2026-04-05 01:30 UTC

Telegram

  • Subject: Telegram bot used as C2 for RAT malware
  • Bot: @Roberta3358_bot (ID: 8657771413)
  • Evidence: Bot token hardcoded in malware, used for remote control of infected machines including keylogging, webcam capture, and data exfiltration

TR-CERT (Turkey)

  • Subject: Active malware victim in Turkey
  • Victim IP: 95.70.214.153 (TurkNet ISP, Istanbul)
  • Evidence: Victim registry on C2 shows active Windows 11 infection, username Rst-d
  • Malware: Custom Telegram RAT with comprehensive surveillance capabilities

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."

Cross-Campaign Analysis: XWorm/backupallfresh Comparison

The XWorm V6.0 campaign investigated on 2026-04-03 (backupallfresh2030) shares several characteristics with this campaign:

| Attribute | FiyatTeklifi (This Campaign) | XWorm/backupallfresh |
|---|---|---|
| Language | Turkish | Turkish |
| Target | Germany/Turkey | International/Germany |
| RAT Type | Custom Telegram RAT (Python) | XWorm V6.0 (.NET) |
| Delivery | CVE-2025-8088 WinRAR exploit | JS dropper, BAT, trojanized Python |
| Persistence | Startup folder (ADS) | Registry Run, schtasks, Startup |
| UAC Bypass | Fodhelper | VBS elevation |
| C2 | Direct IP (Google Cloud) | Telegram/GitHub/Blogspot |
| Reporter | @smica83 | @smica83, @JAMESWT_WT |
| Actor Email | Unknown | flexhere687@gmail.com |
| Sophistication | Medium | Medium |
| Turkish Strings | ekran_goruntusu, Analiz | sigortasevdalisi, Yonetici izni |

Assessment: These are likely DIFFERENT actors within the Turkish cybercrime ecosystem. The technical overlap is limited to language and geographic targeting. The MaQ RAT author appears more focused on single-target surveillance (leader election, FTP exfil), while the XWorm actor is running a broader commodity RAT campaign. However, both being reported by the same researcher within days of each other suggests an active Turkish threat actor cluster currently targeting German and Turkish victims. Confidence: MEDIUM that these are separate operators; LOW that they are the same actor.
