Full Report
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an
Analysis Summary
The following report summarizes the threat actor activity detailed in the article regarding the exploitation of WinRAR vulnerabilities.
# Threat Actor: Earth Dahu (aka Gamaredon) & SHADOW-EARTH-066 (aka UAC-0226)
## Attribution & Identity
The activity is attributed to two distinct Russia-aligned clusters:
* **Earth Dahu:** Widely known as **Gamaredon**, an established state-backed group frequently linked to the Russian FSB.
* **SHADOW-EARTH-066:** Also identified as **UAC-0226**, an independently tracked cluster/group aligned with Russian interests.
## Activity Summary
Since late 2025 and continuing through April 2026, both groups have been exploiting **CVE-2025-8088**, a path traversal vulnerability in WinRAR. Despite a patch being released in July 2025, these actors target unmanaged software installations in Ukraine to deploy information stealers and maintain long-term persistence within compromised organizational networks.
## Tactics, Techniques & Procedures
* **Exploitation of CVE-2025-8088:** Crafted RAR archives whose entry names use NTFS Alternate Data Streams (ADS) so that extraction writes files outside the chosen extraction directory.
* **Persistence Mechanisms:** SHADOW-EARTH-066 places Windows Shortcut (LNK) files in the `\Startup` folder for boot-time execution.
* **Living-off-the-Land (LotL):** Use of `cmd.exe` to spawn PowerShell loaders.
* **In-Memory Execution:** Use of in-memory DLL loading to bypass traditional file-based antivirus detection.
* **Anti-Forensics:** Deletion of all malicious artifacts and payloads after successful data exfiltration.
* **Dead Drop Resolvers (DDR):** Gamaredon uses DDRs to retrieve command-and-control (C2) information and update payloads.
* **Phishing/Social Engineering:** Deployment of HTA (HTML Application) files to initiate the infection chain.
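The persistence, LotL and HTA behaviours listed above are the ones an EDR rule set would key on. The following is an added example, not code from the Trend Micro article or from this summary: three simple rules run over constructed process-creation and file-creation events. Field names loosely follow Sysmon event IDs 1 (process create) and 11 (file create); the Startup-folder pattern, the executable names and every sample event are assumptions made for the example.

```python
"""
Added example, not code from the article or from the summary above.
A small rule set that flags the endpoint behaviours listed under TTPs when
run over process-creation and file-creation events: an archive utility
writing into a Startup folder, cmd.exe spawning a PowerShell loader, and an
HTA being launched via mshta.exe. Field names loosely follow Sysmon event
IDs 1 (process create) and 11 (file create); every event below is constructed.
"""
import ntpath
import re

# Per-user and all-users Startup folders share this path suffix on Windows.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
ARCHIVE_TOOLS = {"winrar.exe", "rar.exe", "unrar.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def _image_name(path) -> str:
    """Lower-cased executable name taken from a full image path."""
    return ntpath.basename(path or "").lower()


def evaluate(event: dict) -> list:
    """Return the rule names an event triggers (empty list if none)."""
    hits = []
    image = _image_name(event.get("Image"))
    parent = _image_name(event.get("ParentImage"))

    if event.get("EventID") == 11:
        target = event.get("TargetFilename", "")
        # Rule 1: an archive tool dropping anything into a Startup folder is
        # the boot-time persistence step described for SHADOW-EARTH-066.
        if image in ARCHIVE_TOOLS and STARTUP_DIR.search(target):
            hits.append("archive_write_to_startup")

    elif event.get("EventID") == 1:
        # Rule 2: cmd.exe spawning a PowerShell host (LotL loader). Noisy on
        # admin workstations; baseline and tune before alerting on it alone.
        if parent == "cmd.exe" and image in POWERSHELL_HOSTS:
            hits.append("cmd_spawns_powershell")
        # Rule 3: mshta.exe is the host process for HTA files.
        if image == "mshta.exe":
            hits.append("hta_execution")
    return hits


def scan(events: list) -> list:
    """Run every rule over every event; return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -w hidden -enc <base64 omitted>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Downloads\invite.hta"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\extracted\report.pdf"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Rule 1 is the high-signal one: a legitimate archive extraction has no reason to land in a Startup folder. Rules 2 and 3 fire on ordinary administration as well, so they are best used as enrichment for rule 1 or correlated with a preceding archive extraction from a mail attachment.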
## Targeting
* **Sectors:** Various Ukrainian organizations.
* **Geography:** Primarily Ukraine.
* **Victims:** Government and private organizations where WinRAR is embedded in daily operations.
## Tools & Infrastructure
* **Malware Families:**
  * **GIFTEDCROOK:** An updated info-stealer targeting Chromium-based browsers, Firefox, and specific document extensions.
  * **GammaPhish / GammaLoad:** HTA and VBScript downloaders.
  * **GammaSteel:** A sophisticated info-stealer capable of real-time file monitoring.
* **Infrastructure:**
  * **C2 Transition:** SHADOW-EARTH-066 has shifted from Telegram-based exfiltration to dedicated C2 servers (likely due to Russian blocks on Telegram).
  * **C2 Format (Defanged):** [h]xxp[://]dedicated-c2-server[.]com
## Implications
* **Strategic Persistence:** Gamaredon's "industrial-scale" operations suggest Russia's intent to maintain a permanent foothold in Ukrainian infrastructure for long-term intelligence gathering.
* **Vulnerability Longevity:** The campaign highlights the high success rate of "N-Day" vulnerabilities (old, patched flaws) in regions where software patch management is inconsistent.
* **Evolution of Tradecraft:** The move away from common platforms like Telegram toward dedicated C2 infrastructure indicates a need for more resilient and state-controlled exfiltration routes.
## Mitigations
* **Immediate Patching:** Update WinRAR to the latest version (v6.23 or newer) to remediate the path traversal flaw (CVE-2025-8088).
* **Software Audit:** Conduct an audit of "unmanaged" software on administrative and employee endpoints.
* **Endpoint Security:** Implement EDR (Endpoint Detection and Response) to monitor for suspicious PowerShell activity and unauthorized file writes to the Startup folder.
* **Attachment Filtering:** Block or scrutinize incoming RAR files at the email gateway, particularly those containing LNK or HTA files.
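A gateway that "scrutinizes" incoming RAR files needs a concrete test to apply to each archive entry. The following is an added example, not code from the article or from this summary: it screens a list of entry names for the patterns this class of path-traversal bug relies on (parent-directory segments, absolute paths, NTFS alternate data streams in the name) and for the LNK and HTA types called out above. How the names are obtained from the archive (a RAR listing tool or library) is left outside the snippet, and all sample entry names are constructed.

```python
"""
Added example, not code from the article or from the summary above.
Screens archive entry names before extraction for the patterns this class of
WinRAR path-traversal bug relies on (parent-directory segments, absolute
paths, NTFS alternate data streams) and for nested file types the mitigations
single out (LNK, HTA). Obtaining the names from a RAR listing is outside this
snippet; the entry names below are constructed samples.
"""
import posixpath
import re

RISKY_EXTENSIONS = {".lnk", ".hta"}
# "C:" at the start is a drive letter (absolute path); any other ':' in a
# Windows file name marks an NTFS alternate data stream (file.txt:stream).
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def entry_findings(name: str) -> list:
    """Reasons an archive entry name should not be extracted; [] if clean."""
    findings = []
    normalized = name.replace("\\", "/")
    segments = normalized.split("/")

    if normalized.startswith("/") or _DRIVE_PREFIX.match(name):
        findings.append("absolute path")
    if ".." in segments:
        findings.append("parent-directory traversal")
    if ":" in _DRIVE_PREFIX.sub("", name):
        findings.append("NTFS alternate data stream")
    # Look at every colon-separated piece of the final path segment so an
    # ADS target such as "x.txt:payload.lnk" is still caught.
    pieces = segments[-1].split(":")
    for ext in sorted({posixpath.splitext(p)[1].lower() for p in pieces}):
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky nested file type {ext}")
    return findings


def screen_archive(entry_names) -> dict:
    """Map each unsafe entry to its findings; clean entries are omitted."""
    return {n: f for n in entry_names if (f := entry_findings(n))}


def should_quarantine(entry_names) -> bool:
    """Gateway decision: hold the archive if any entry is unsafe."""
    return bool(screen_archive(entry_names))


# Constructed sample listing: two benign entries, three that must be held.
SAMPLE_ENTRIES = [
    "invoice_2026.pdf",
    "docs/readme.txt",
    "notes.txt:..\\..\\Startup\\update.lnk",
    "C:\\Users\\Public\\run.hta",
    "../../etc/passwd",
]

if __name__ == "__main__":
    for entry, reasons in screen_archive(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
    print("quarantine:", should_quarantine(SAMPLE_ENTRIES))
```

The check deliberately treats any colon after a drive prefix as an ADS marker rather than trying to parse stream syntax, since a mail gateway has no legitimate reason to pass an archive whose entries name alternate data streams at all. Extension matching runs over every piece of the last path component so that an ADS whose target is a shortcut or HTA is still classified as a risky nested file.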