Russia-Aligned Threats Target Ukraine via WinRAR: The Evolution of SHADOW-EARTH-066

Despite being addressed in the July 2025 patch cycle, CVE-2025-8088 remains a highly effective initial access vector. Current intelligence suggests that this WinRAR path traversal vulnerability is being actively leveraged by multiple sophisticated intrusion sets to target Ukrainian infrastructure.

Analysis through April 2026 reveals two primary tactical implementations of this flaw. The first is a compiled-stealer chain deployed by a group we have tentatively identified as SHADOW-EARTH-066 (tracked by CERT-UA as UAC-0226). The second is an HTA-based espionage framework used by the Russia-aligned Earth Dahu (also known as Gamaredon). Both actors continue to iterate on their exploit samples, with Earth Dahu maintaining a highly active operational tempo.

At a technical level, the vulnerability lies in how WinRAR handles NTFS Alternate Data Streams (ADS) within RAR5 SERVICE headers. Versions of WinRAR prior to 7.13 failed to properly sanitize path traversal sequences embedded within these streams. An attacker can craft an archive that appears to contain a benign document—such as a PDF—while silently writing malicious payloads to sensitive directories such as the Windows Startup folder or C:\ProgramData. This provides persistence and execution at the next user login without any further interaction.

Figure: How CVE-2025-8088 works: a RAR5 archive uses a visible decoy file to mask hidden ADS entries containing path traversal sequences (Source: TrendAI).
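To make the header mechanism concrete from the defender's side, here is an added example (not code from the article, TrendAI, or RARLAB) of the check a mail gateway or triage script can run on an attachment. It walks the RAR5 block sequence described in the public RAR 5.0 format documentation (CRC32, vint header size, type, flags, optional extra and data sizes), verifies each header CRC, and reports file-header names and STM service-header stream names (carried in extra record type 0x07) that contain `..` components, absolute paths, or path separators. The archive bytes it runs on are constructed inside the script and carry only a benign Zone.Identifier stream.

```python
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02        # header flags: extra area / data area present
FHFL_UTIME, FHFL_CRC32 = 0x02, 0x04     # file flags: mtime / data CRC32 fields present
FHEXTRA_SUBDATA = 0x07                  # extra record holding service data (the stream name for STM)

def read_vint(buf, pos):
    """Decode a RAR5 vint (7 data bits per byte, low byte first); return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def write_vint(value):
    """Encode an integer as a RAR5 vint (only needed to build the constructed sample)."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def has_traversal(name):
    """True if an entry name would land outside the extraction directory."""
    absolute = name.startswith(("/", "\\")) or (len(name) > 1 and name[0].isalpha() and name[1] == ":")
    return absolute or ".." in name.replace("\\", "/").split("/")

def suspicious_stream(stream):
    """A legitimate NTFS stream name such as ':Zone.Identifier' contains no path separators."""
    body = stream[1:] if stream.startswith(":") else stream
    return "\\" in body or "/" in body or has_traversal(body)

def subdata_record(extra):
    """Payload of the 0x07 record in a header's extra area, or b'' when absent."""
    pos = 0
    while pos < len(extra):
        rec_size, p = read_vint(extra, pos)     # record size is counted from the type field
        rec_type, q = read_vint(extra, p)
        if rec_type == FHEXTRA_SUBDATA:
            return extra[q:p + rec_size]
        pos = p + rec_size
    return b""

def scan_rar5(data):
    """Walk every block and return (kind, name) for entries or streams that traverse."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos, findings = len(RAR5_SIGNATURE), []
    while pos + 4 < len(data):
        head_size, p = read_vint(data, pos + 4)
        head_end = p + head_size                 # header size spans type field .. extra area
        if zlib.crc32(data[pos + 4:head_end]) != struct.unpack_from("<I", data, pos)[0]:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        head_type, p = read_vint(data, p)
        head_flags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if head_flags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if head_flags & HFL_DATA else (0, p)
        if head_type in (HEAD_FILE, HEAD_SERVICE):
            file_flags, p = read_vint(data, p)
            _unpacked, p = read_vint(data, p)
            _attributes, p = read_vint(data, p)
            p += 4 if file_flags & FHFL_UTIME else 0
            p += 4 if file_flags & FHFL_CRC32 else 0
            _compression, p = read_vint(data, p)
            _host_os, p = read_vint(data, p)
            name_len, p = read_vint(data, p)
            name = data[p:p + name_len].decode("utf-8", "replace")
            if head_type == HEAD_FILE and has_traversal(name):
                findings.append(("file", name))
            elif head_type == HEAD_SERVICE and name == "STM":
                stream = subdata_record(data[head_end - extra_size:head_end]).decode("utf-8", "replace")
                if suspicious_stream(stream):
                    findings.append(("stream", stream))
        pos = head_end + data_size               # step over the data area to the next block
        if head_type == HEAD_ENDARC:
            break
    return findings

def _block(head_type, body, extra=b"", data=b""):
    """One block of the constructed sample: CRC32, size vint, generic fields, body, extra, data."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    fields = write_vint(head_type) + write_vint(flags)
    fields += write_vint(len(extra)) if extra else b""
    fields += write_vint(len(data)) if data else b""
    sized = write_vint(len(fields) + len(body) + len(extra)) + fields + body + extra
    return struct.pack("<I", zlib.crc32(sized)) + sized + data

def _entry(name, size):
    """File/service fields: file flags, unpacked size, attributes, compression, host OS, name."""
    return b"".join(write_vint(v) for v in (0, size, 0x20, 0, 0, len(name))) + name

def build_sample_archive():
    """Constructed benign fixture: report.pdf plus an ordinary Zone.Identifier stream."""
    pdf, zone, stream_name = b"%PDF-1.4 constructed sample\n", b"[ZoneTransfer]\r\nZoneId=3\r\n", b":Zone.Identifier"
    extra = write_vint(1 + len(stream_name)) + write_vint(FHEXTRA_SUBDATA) + stream_name
    return (RAR5_SIGNATURE
            + _block(HEAD_MAIN, write_vint(0))
            + _block(HEAD_FILE, _entry(b"report.pdf", len(pdf)), data=pdf)
            + _block(HEAD_SERVICE, _entry(b"STM", len(zone)), extra=extra, data=zone)
            + _block(HEAD_ENDARC, write_vint(0)))
```

`scan_rar5(build_sample_archive())` returns an empty list for the benign fixture; any STM stream name with a separator or `..` component, or any file name that is absolute or climbs out of the target directory, is returned as a finding. The CRC check matters in practice: a header that fails it is corrupt or tampered with and should be quarantined rather than skipped, since skipping is exactly what lets a malformed archive slip through.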

The combination of high stealth and the ubiquity of WinRAR makes this a low-friction, high-reward vector for credential theft and long-term espionage.

The Evolution of SHADOW-EARTH-066

The SHADOW-EARTH-066 campaign demonstrates significant operational maturation. Early iterations relied on relatively loud methods, such as macro-enabled Excel documents and plaintext exfiltration via Telegram. However, as noted by TrendAI, by 2026 the actor had transitioned to a more sophisticated pipeline involving CVE-2025-8088 delivery, an LNK-to-PowerShell loader, and a highly evasive in-memory DLL (result.dll).

When the archive is processed, it drops three ADS payloads: a Startup LNK file, an obfuscated PowerShell loader in C:\ProgramData, and an encoded DLL. The loader executes the DLL in memory through direct NT syscalls—specifically NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx. By bypassing the high-level Windows APIs, the malware evades user-mode API hooks and file-based security products.

Figure: SHADOW-EARTH-066 attack chain, from initial CVE-2025-8088 exploitation to HTTPS-based exfiltration (Source: TrendAI).

The result.dll component is an advanced evolution of the GIFTEDCROOK stealer. It is compiled for x86-64 and statically links libcurl to target Chromium-based browsers (incorporating an App-Bound Encryption bypass for modern Chrome versions), Firefox, and a wide array of document types. To maintain stealth, the malware employs several anti-analysis techniques:

  • API Resolution: Uses PEB-walking combined with FNV-1a hashing to resolve functions.
  • String Obfuscation: Employs dual-layer RC4 encryption for string tables.
  • Evasion: Uses identity-function padding and PRNG-based execution delays to defeat automated sandboxes.

Exfiltration is conducted via dual-layer RC4 encryption followed by HTTPS POST requests to dedicated C2 servers. Once the data is sent, the malware aggressively wipes its staging artifacts to minimize the forensic footprint.

Earth Dahu: Script-Centric Espionage

In contrast, Earth Dahu employs a more script-heavy model. Their archives drop either an HTA file or an obfuscated VBS/VBE downloader into the Startup directory, which is then executed by mshta.exe upon user login. These HTA chains fetch VBScript from attacker-controlled infrastructure, often masked by Dynamic DNS or Cloudflare Workers, to deploy specialized espionage modules like GammaSteel.

Earth Dahu also utilizes sophisticated social engineering, frequently spoofing Ukrainian government domains. They often use the HTTP basic-auth @-notation in C2 URLs to deceive analysts and distribute lures that mimic legal summons or official government correspondence. Notably, some variants utilize path variations like Startup..\Startup to circumvent basic detection rules.
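Both chains described above end the same way on the endpoint: the archiver itself writes a file into a Startup folder or into C:\ProgramData, which is observable regardless of how the archive was built. The following added example (not code from the article or TrendAI) runs that logic over constructed Sysmon-style FileCreate (Event ID 11) records. It normalizes the target path the way Win32 does, stripping trailing dots and spaces from path components, so a `Startup..\Startup` variant that slips past a literal `\Programs\Startup\` string match is still recognised as landing inside the Startup tree, and it flags writes by WinRAR binaries into either location, noting the LNK/HTA/VBS/VBE/PowerShell/DLL artifact types the report names. The usernames and paths in the sample events are made up.

```python
import ntpath
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records for the detector below.
# Usernames and paths are made up for this example; none come from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\olena\Downloads\summons\Summons_2026.pdf"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Summons.lnk"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\update.ps1"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup..\Startup\view.hta"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
]

ARCHIVE_TOOLS = {"winrar.exe", "rar.exe", "unrar.exe"}       # binaries shipped with WinRAR
STARTUP_MARKER = "\\start menu\\programs\\startup\\"          # per-user and all-users Startup folders
LOADER_EXTS = {".lnk", ".hta", ".vbs", ".vbe", ".ps1", ".dll"}  # artifact types named in the report

def split_components(path):
    return re.split(r"[\\/]+", path)

def win32_normalize(path):
    """Approximate Win32 normalization: trailing dots/spaces are dropped from each
    component (so 'Startup..' becomes 'Startup') and '.'/'..' segments are collapsed."""
    parts = [c if c in (".", "..") else c.rstrip(". ") for c in split_components(path)]
    return ntpath.normpath("\\".join(parts)).lower()

def classify(event):
    """Reasons a write is suspicious; [] when the writer is not an archive tool or the
    destination is ordinary."""
    if ntpath.basename(event["Image"]).lower() not in ARCHIVE_TOOLS:
        return []
    raw, reasons = event["TargetFilename"], []
    if any(c not in (".", "..") and c != c.rstrip(". ") for c in split_components(raw)):
        reasons.append("component with trailing dots/spaces (defeats literal path matching)")
    norm = win32_normalize(raw)
    if STARTUP_MARKER in norm:
        reasons.append("write into a Startup folder")
    elif norm.startswith("c:\\programdata\\"):
        reasons.append("write into C:\\ProgramData")
    if reasons and ntpath.splitext(norm)[1] in LOADER_EXTS:
        reasons.append("loader/script file type")
    return reasons

def hunt(events):
    """Return (normalized target path, reasons) for every suspicious write."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((win32_normalize(ev["TargetFilename"]), reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

On the sample records the hunt returns three hits (the Startup LNK, the ProgramData PowerShell file, and the `Startup..\Startup` HTA) and ignores both the decoy PDF and the Explorer-created shortcut. Matching on the normalized path rather than the raw string is the point: the trailing-dot component is reported as its own indicator because a user extracting an archive never produces such a path by accident.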

Figure: Example of a spear-phishing email appearing to originate from a compromised regional government account (Source: TrendAI).

The Patching Paradox and Mitigation

A critical question arises: why does a vulnerability patched in 2025 remain so prevalent in 2026? The answer lies in the “Patching Paradox” regarding third-party utilities. Unlike enterprise software, WinRAR lacks centralized management capabilities; there is no Group Policy support, no WSUS/SCCM/Intune integration, and no native auto-update mechanism in many environments. This creates a massive, unmanaged blind spot across many organizations.

The operational value of CVE-2025-8088 is further underscored by its adoption by other high-profile Russia-aligned actors, including Sandworm, Turla, and Void Russia.

Recommended Defensive Actions:

  • Immediate Updates: Audit all endpoints to ensure WinRAR is updated to version 7.13 or later.
  • Email Security: Configure mail gateways to flag or block RAR attachments containing suspicious decoy files.
  • Endpoint Detection (EDR): Ensure EDR policies are tuned to detect suspicious in-memory loading via direct NT syscall sequences.
  • Asset Management: Conduct a thorough inventory of third-party utilities and implement compensating controls for applications that cannot be managed via centralized patch management tools.
