Key Takeaways
- Shadow-Earth-066 and Earth Dahu are exploiting CVE-2025-8088 in active campaigns against Ukrainian military and government entities
- Attackers use spear phishing and manipulated RAR archives to deploy GiftedCrook and espionage-focused malware
- The campaigns highlight persistent patch gaps and reinforce guidance from NIST and other security frameworks
Russian-aligned threat activity has been persistent in Ukraine for years, but the continued exploitation of CVE-2025-8088 demonstrates how long a single vulnerability can remain valuable. Trend Micro's latest reporting reveals that Shadow-Earth-066, also known as UAC-0226, and Earth Dahu, also referred to as Gamaredon, continue to target an old WinRAR flaw that was patched in WinRAR 7.13 in July 2025. The flaw is a path traversal bug that enables malicious archives to write files outside the intended extraction location, providing an effective foothold for initial access.
WinRAR is deeply embedded in daily workflows across Ukrainian organizations, making it an attractive target for threat actors. Because the utility does not auto-update or natively integrate into enterprise patching tools like WSUS or Intune, administrators frequently lack visibility into outdated instances. This lack of centralized management creates an ongoing operational risk for organizations relying on legacy utilities.
Trend Micro's analysis aligns closely with research from the Ukrainian CERT and broader industry reporting. For example, the Verizon DBIR 2024 noted that roughly 14% of breaches involve vulnerabilities with available but unapplied patches. CVE-2025-8088 carries a high-severity rating, and its exploit path is straightforward. An attacker only needs a victim to open a manipulated archive, which then writes malicious LNK, HTA, or DLL files into locations like the Windows Startup folder using NTFS Alternate Data Streams.
The campaigns share similar initial access paths, though their payloads and follow-on actions diverge. Shadow-Earth-066 uses email lures crafted around Ukrainian government and military themes. The malicious archive plants a shortcut or payload in a Startup location, and the GiftedCrook information stealer executes the next time a user logs in to the device. GiftedCrook rapidly extracts browser passwords, session cookies, and documents matching more than two dozen file extensions, then deletes itself from the compromised system to complicate incident response.
Earth Dahu executes a multi-stage infection chain. The actor uses compromised government email accounts to deliver weaponized archives that appear legitimate. Once the archive is opened, the WinRAR flaw places an HTA file in a trusted Windows directory. This HTA executes a VBScript hosted on Cloudflare Workers infrastructure, which then fetches modules to support persistent surveillance. The infection chain reflects previous Gamaredon activity, utilizing CVE-2025-8088 as a new delivery mechanism for established espionage tactics.
Other Russia-aligned actors have also targeted this vulnerability. Google's Threat Intelligence Group reported exploitation attempts by Sandworm, Turla, and Void Rabisu earlier in the year. That finding matches what analysts at Gartner have discussed regarding attacker reuse of reliable exploits for initial access.
To defend against these campaigns, security teams across Ukraine rely heavily on EDR platforms like CrowdStrike and Microsoft Defender for Endpoint. These tools flag suspicious WinRAR extraction behavior or unexpected invocations of PowerShell and mshta.exe. The required defensive controls map closely to the access control and system integrity guidance found in NIST SP 800-53 Rev.5. Because these attacks span defined MITRE ATT&CK tactics such as initial access, persistence, and credential access, security operations centers have established behavioral patterns to hunt for.
Asset discovery remains a persistent challenge for vulnerability management. A security analyst at Secure.com noted that organizations frequently do not know where WinRAR is installed, creating a significant security blind spot. Continuous asset discovery paired with risk-based prioritization helps close this gap, as patching guidance is only effective when organizations can identify their vulnerable endpoints.
Independent analysts at IDC recommend alerting on any write activity involving the Windows Startup folder. Because known campaigns using CVE-2025-8088 rely on this persistence point, monitoring that location provides early detection signals. Additionally, security teams can scan, strip, or detonate inbound archive files at the mail gateway. If WinRAR is not essential, removing the application or enforcing strict allowlisting reduces the attack surface.
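The behavioral signals described above (Startup-folder writes, an archiver writing an NTFS alternate data stream, and mshta.exe or PowerShell spawned by WinRAR) can be expressed as simple hunting rules. The following is an added example, not code from the article or any vendor; the key=value telemetry lines, host names and paths are constructed for illustration rather than taken from a real EDR.

```python
import re

# Constructed endpoint telemetry in a key=value shape (not real EDR/Sysmon output).
SAMPLE_EVENTS = [
    r"ts=2025-09-02T08:11:04Z host=WS01 event=FileCreate image=C:\Program Files\WinRAR\WinRAR.exe target=C:\Users\olena\Downloads\report\Report.pdf",
    r"ts=2025-09-02T08:11:05Z host=WS01 event=FileCreate image=C:\Program Files\WinRAR\WinRAR.exe target=C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"ts=2025-09-02T08:11:05Z host=WS01 event=FileCreate image=C:\Program Files\WinRAR\WinRAR.exe target=C:\Users\olena\Downloads\report\notes.txt:payload.hta",
    r"ts=2025-09-02T08:30:17Z host=WS01 event=ProcessCreate image=C:\Windows\System32\mshta.exe parent=C:\Program Files\WinRAR\WinRAR.exe",
    r"ts=2025-09-02T09:02:44Z host=WS02 event=FileCreate image=C:\Windows\explorer.exe target=C:\Users\ivan\Documents\budget.xlsx",
]

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)  # per-user and all-users Startup
WINRAR_RE = re.compile(r"\\WinRAR\.exe$", re.I)
LOLBIN_RE = re.compile(r"\\(mshta|powershell)\.exe$", re.I)

def parse_event(line):
    """Turn one key=value line into a dict; values may contain spaces."""
    return dict(KV_RE.findall(line))

def has_ads(path):
    """An NTFS alternate data stream shows as a colon after the drive letter (file.txt:stream)."""
    return ":" in path[2:]

def classify(ev):
    """Return (rule, severity) for one event, or None when it is benign under these rules."""
    kind, image = ev.get("event"), ev.get("image", "")
    from_winrar = bool(WINRAR_RE.search(image))
    if kind == "FileCreate":
        target = ev.get("target", "")
        if STARTUP_RE.search(target):            # any Startup-folder write is worth an alert...
            return ("startup-folder-write", "high" if from_winrar else "medium")
        if from_winrar and has_ads(target):      # ...and an archiver writing an ADS is not normal
            return ("ads-write-by-archiver", "high")
    if kind == "ProcessCreate" and LOLBIN_RE.search(image) and WINRAR_RE.search(ev.get("parent", "")):
        return ("lolbin-spawned-by-winrar", "high")
    return None

def hunt(lines):
    """Run every rule over the telemetry and return hits as (host, ts, rule, severity)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev["host"], ev["ts"], *verdict))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Against the constructed sample, the benign extraction and the Explorer write on WS02 stay silent while the three suspicious events on WS01 are flagged; in a real deployment the same rules would be expressed in the EDR's query language and tuned against legitimate installers that write to Startup.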
Legacy tools without automated update mechanisms frequently become long-term liabilities. Attackers track patch adoption rates closely, and as the Secure.com analyst noted, the barrier to weaponize this flaw is minimal. Groups like Shadow-Earth-066 and Earth Dahu have successfully evolved their payloads without needing to rework their initial entry points.
Asset visibility, mail filtering, behavioral monitoring, and a disciplined patch program collectively reduce this window of exposure. Managing this threat requires identifying and securing utility applications that operate outside centralized patch management to prevent attackers from exploiting known vulnerabilities.