Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS). It was patched by WinRAR in July 2025.
The findings show “how unmanaged software keeps an exploited entry point open long after the fix ships,” Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said in an analysis published Monday.
The WinRAR exploit chain exploited by SHADOW-EARTH-066 is a departure from Excel macro droppers previously used by the threat actor to deliver an information stealer called GIFTEDCROOK. The latest iteration makes use of crafted RAR archives featuring a decoy PDF document and three hidden ADS payloads that are outside the extraction directory to initiate the infection.
This includes a Windows Shortcut (LNK) file that’s placed in the Startup folder so that it’s automatically executed every time a user logs in. This, in turn, spawns a PowerShell loader via “cmd.exe,” which then uses in-memory DLL loading to ultimately launch an updated version of GIFTEDCROOK (“result.dll”).
The malware targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, and Opera) and Mozilla Firefox, in addition to harvesting documents matching certain extensions from the victim’s machine. Once the data is exfiltrated to an external server, all malicious artifacts are deleted to cover up the forensic trail.
A notable change is the shift from Telegram as an exfiltration channel to dedicated command-and-control (C2) servers, a key modification that likely aligns with Russia’s blocking of the messaging platform in the country earlier this February.
The second Russia-affiliated hacking group to weaponize CVE-2025-8088 is Earth Dahu, which has incorporated the flaw into its arsenal since at least September 2025. The adversary is known for its “industrial-scale effort” to maintain long-term access to compromised organizations.
“Earth Dahu used the vulnerability with an HTA-to-VBScript infection chain that delivered espionage modules,” Trend Micro noted. “Based on RAR internal file timestamps and file naming conventions, the chain remained active through at least April 10, 2026.”
These attacks, as recently also documented by Sekoia last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad. The intermediate downloader subsequently delivers additional modules like GammaSteel.
GammaLoad is “a collection of VBScripts designed to ensure continuous access and deploy…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
