📃Title: Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open
📅Date: 2026-06-08
🔗References:
Description
Two Russia-aligned campaigns continue exploiting CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, against Ukrainian organizations through April 2026. SHADOW-EARTH-066 deploys an evolved GIFTEDCROOK information stealer using in-memory DLL loading via direct NT system calls, harvesting browser credentials, session cookies, and documents across 35 file extensions before self-deleting. Earth Dahu employs an HTA-based infection chain delivering espionage modules through Cloudflare Workers infrastructure. Both campaigns leverage the same CVE-2025-8088 exploit but use distinct tooling: SHADOW-EARTH-066 relies on compiled C++ with RC4-encrypted C&C communication, while Earth Dahu uses script-based approaches with Dynamic DNS. The persistent exploitation nearly a year post-patch demonstrates how unmanaged software lacking centralized update mechanisms creates enduring attack surfaces that threat actors deliberately target.
Threat Actor
SHADOW-EARTH-066
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- topic: geopolitical
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer="Trend-Micro"
- target-information="Ukraine"
- malpedia="GIFTEDCROOK"
- mitre-attack-pattern=['T1539', 'T1204.002', 'T1573.001', 'T1566.001', 'T1005', 'T1036', 'T1555.003', 'T1497', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1485', 'T1070.004', 'T1071.001', 'T1564.004', 'T1620']
MISP event uuid: 19d42e7a-969a-4f87-8931-af8fecb5aa8b
Indicators of Compromise (IoCs)
type,value,comment
md5,c0b73ff43312d442260328a8cefdf3b6,''
md5,2af0a6135df3502a7f6de4d2de6db73b,'IOC-title:ALF:AGGR:LinkifierA:95!ml'
md5,5d462d0f3704d7db1b1d8c2cdcb19033,''
md5,587a464ffc174288d3f66d1845133229,''
md5,c1d02459038d86dcc96c0a721724a3a0,''
md5,c17e8387f2718a55948c7d8d45ee8100,''
md5,addf25d1f994729f2d3cbb3d0ab49897,''
md5,6e99ea85251d4def4eccb32dd4c10c18,''
md5,8aa796cf85858d9113aac294ca0bdd96,''
md5,454ea7aa75d57543bd36131d7f2dd7ff,''
md5,014623f6f39501eb1afc07f608036e3a,''
md5,31bc8b17da2ba7a94335e8c29391368a,''
md5,d2cf055f564664cc761287628d24953b,''
md5,8ca36b9cbd72d1f4ab4a9c8fcf85fe7e,''
md5,dcdeba12bdfc3a0dce97b2f2ce60789a,''
md5,f819578d740cec4708e1b96eae967515,''
md5,a1cce40d02e350e96cd7dc20d4d9f5c2,''
md5,be9ed70483a0820810b937358a52b24e,''
md5,082b9caaa287ba26c26387e6489c93d4,''
md5,4082096ec0b8f723a79a224a6b6d37cd,''
md5,ea610ea6a8d69cb1e93fb79d4a8fa26f,''
md5,6a48fbe91482b2f14ed977c110a3685c,'IOC-title:invalid_trailer_structure; IOC-description:MD5 of 5d164b6d74dae9fe3022bc3cf453cd8b846e9cdc0cd616246fe620be88e3f1e5'
md5,c07f91e052bcb508353ad74c54bc1c96,''
md5,3699542ba04458e84dc9148a2234fe61,''
md5,b3c86e81b330157519b9e188a1f9fbf3,''
md5,ab7121d9dfa5d075498eb5a5904f1a0b,''
md5,f68943c9f94af947e5bef95fa889de6a,''
md5,c06ef1a6be8b92cbc3eb710a7cfe83d7,''
domain,astrocaf.com,'Earth Dahu: Attacker-controlled email sending domain'
ip-dst,166.0.132.237,'IOC-description:CC=US ASN=AS61317 digital energy technologies ltd.'
ip-dst,38.225.209.229,'SHADOW-EARTH-066: C&C server (port 9623)'
ip-dst,23.26.237.80,'SHADOW-EARTH-066: Potential C&C server (port 8941)'
ip-dst,136.0.141.138,'SHADOW-EARTH-066: C&C server (port 8406)'
url,https://136.0.141.138:8406/rcv/,'SHADOW-EARTH-066: C&C exfiltration endpoint'
ip-dst,194.58.66.82,'Earth Dahu: IP associated with astrocaf[.]com'
ip-dst,136.0.141.112,'IOC-description:CC=US ASN=AS18779 egihosting'
ip-dst,136.0.141.41,'SHADOW-EARTH-066: C&C server (port 9580)'
ip-dst,38.225.209.122,'SHADOW-EARTH-066: Potential C&C server (port 8009)'
domain,joymobile.com.ua,''
md5,a84375d4bd67c46d50fef7f7af31c7fb,'IOC-description:MD5 of 3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59; No sample in VT; Last check:13/06/2026'
sha1,526833a16669a85f0546809bfc35122e6f0bc17b,'IOC-description:SHA1 of 3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59; No sample in VT; Last check:13/06/2026'
sha256,2d9adb7932b7842dfb0e0f453b87e5d28dd4552094105e6340bad009956d8c2b,'No sample in VT; Last check:13/06/2026'
sha256,378809699c7252dc38b31969b9cc40858397759f15d6e418246dfaba9088fdd1,'No sample in VT; Last check:13/06/2026'
sha256,3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59,'No sample in VT; Last check:13/06/2026'
sha256,4e21c4c97aeb391473ee1e44961676f32de2ee8b56ecb136c1d8081df97c3db4,'No sample in VT; Last check:13/06/2026'
sha256,77963398e2c5c2fdf9d28d9c5f9c2791cfbf422ba02225e01635dd7f5b31eff8,'No sample in VT; Last check:13/06/2026'
sha256,7d3ba419751e5ea52b567e1162f6a366bf3d06c44c8956a9f14520e9fb6ed0b1,'No sample in VT; Last check:13/06/2026'
sha256,82fda6ea769d61aba230c3487787087cec53dd378e22f22a8fb8f0bd5ae83ded,'No sample in VT; Last check:13/06/2026'
sha256,89d20418450b34efe698bd36214100cfa49f60adf1c39a8bc8d65991b1ce2c23,'No sample in VT; Last check:13/06/2026'
sha256,dc5082b07eb994ddee343a4080dce0a9ec2e891e5690654e24ae74ba9eabe422,'No sample in VT; Last check:13/06/2026'
ip-dst,194.58.66.53,'Earth Dahu: IP associated with astrocaf[.]com'
url,https://136.0.141.41:9580/rcv/,'SHADOW-EARTH-066: C&C exfiltration endpoint'
url,https://166.0.132.237:7044/rcv/,'SHADOW-EARTH-066: C&C exfiltration endpoint'
url,https://38.225.209.229:9623/rcv/,'SHADOW-EARTH-066: C&C exfiltration endpoint'
email-src,vodafonenovic33@joymobile.com.ua,''
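The description notes that SHADOW-EARTH-066 exfiltrates over HTTPS to the C&C endpoints listed above while Earth Dahu sends lures from astrocaf.com and the joymobile.com.ua sender. The script below is an added example (not part of this summary, Rectifyq's MISP, or the Trend Micro report) that loads a subset of the IoC rows above in their type,value,comment layout and checks them against constructed proxy, mail and endpoint log lines. The key=value log layout, the field names (url, from, md5) and the log lines themselves are constructed assumptions; only the indicator values come from the list above. A URL indicator also contributes its host, so a connection to a listed C&C address on a different port or path still raises a hit.

```python
"""Match the IoCs published above against constructed log lines.

Added example for this page; not code from the original write-up. The log
layout (key=value pairs with url=, from=, md5= fields) and the sample lines
are constructed assumptions, not any product's real format or telemetry.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# Inline subset of the page's IoC list (indicator values copied from it).
IOC_CSV = """type,value,comment
ip-dst,38.225.209.229,SHADOW-EARTH-066: C&C server (port 9623)
ip-dst,136.0.141.138,SHADOW-EARTH-066: C&C server (port 8406)
url,https://136.0.141.138:8406/rcv/,SHADOW-EARTH-066: C&C exfiltration endpoint
url,https://38.225.209.229:9623/rcv/,SHADOW-EARTH-066: C&C exfiltration endpoint
domain,astrocaf.com,Earth Dahu: Attacker-controlled email sending domain
ip-dst,194.58.66.82,Earth Dahu: IP associated with astrocaf[.]com
email-src,vodafonenovic33@joymobile.com.ua,
md5,c0b73ff43312d442260328a8cefdf3b6,
sha256,2d9adb7932b7842dfb0e0f453b87e5d28dd4552094105e6340bad009956d8c2b,
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout


def refang(value: str) -> str:
    """Undo common defanging so indicators compare with live log values."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def load_iocs(text: str) -> dict:
    """Parse the type,value,comment CSV into indicator -> comment maps per kind.

    A url row also registers its host, so traffic to the same C&C address on
    another path or port is still caught by the host-level check.
    """
    iocs = {k: {} for k in ("ip", "domain", "url", "email", "hash")}
    for row in csv.DictReader(io.StringIO(text)):
        kind, value, comment = row["type"], refang(row["value"].strip()), row["comment"]
        if kind == "ip-dst":
            iocs["ip"][value] = comment
        elif kind == "domain":
            iocs["domain"][value.lower()] = comment
        elif kind == "url":
            iocs["url"][value] = comment
            host = (urlsplit(value).hostname or "").lower()
            if host:  # keep the more specific ip-dst comment if one exists
                iocs["ip" if IPV4.match(host) else "domain"].setdefault(host, comment)
        elif kind == "email-src":
            iocs["email"][value.lower()] = comment
        elif kind in ("md5", "sha1", "sha256"):
            iocs["hash"][value.lower()] = comment
    return iocs


def scan_line(line: str, iocs: dict):
    """Return (kind, indicator, comment) for the first IoC hit in a line, else None."""
    fields = dict(KV.findall(line))
    url = fields.get("url")
    if url:
        if url in iocs["url"]:
            return ("url", url, iocs["url"][url])
        host = (urlsplit(url).hostname or "").lower()
        for kind in ("ip", "domain"):
            if host in iocs[kind]:
                return (kind, host, iocs[kind][host])
    sender = fields.get("from", "").strip("<>").lower()
    if sender in iocs["email"]:
        return ("email", sender, iocs["email"][sender])
    for key in ("md5", "sha1", "sha256"):
        digest = fields.get(key, "").lower()
        if digest in iocs["hash"]:
            return ("hash", digest, iocs["hash"][digest])
    return None


def scan_lines(lines, iocs: dict):
    """Scan many lines; returns [(line_number, kind, indicator, comment), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = scan_line(line, iocs)
        if hit:
            hits.append((n, *hit))
    return hits


SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2026-04-12T09:14:03Z src=10.20.4.17 method=POST url=https://136.0.141.138:8406/rcv/ status=200 bytes=48211",
    "2026-04-12T09:14:05Z src=10.20.4.17 method=GET url=https://www.example.org/index.html status=200 bytes=1203",
    "2026-04-12T09:15:41Z src=10.20.4.22 method=GET url=https://38.225.209.229/update status=404 bytes=0",
    "2026-04-11T16:02:10Z mta=mx1 from=<vodafonenovic33@joymobile.com.ua> to=<user@example.org> subject=Report",
    "2026-04-11T16:02:12Z mta=mx1 from=<colleague@example.org> to=<user@example.org> subject=Minutes",
    "2026-04-12T09:13:58Z host=WS-017 event=file_write path=C:\\Users\\u\\AppData\\Roaming\\x.dll md5=C0B73FF43312D442260328A8CEFDF3B6",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS, load_iocs(IOC_CSV)):
        print("line %d: %s match %s (%s)" % hit)
```

Hashes and the sender address are compared case-insensitively, and the third sample line shows why the host-level fallback matters: the request goes to a listed C&C address but not to the exact /rcv/ URL, and it is still flagged with the ip-dst row's comment.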
Full IOCs available in Rectifyq’s MISP