Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

We track the binary payload chain (CVE-2025-8088 to LNK to PowerShell to result.dll) under SHADOW-EARTH-066, our temporary designation for the intrusion set that CERT-UA tracks as UAC-0226.

The attribution to UAC-0226 is based on the malware lineage. Our analysis confirms that result.dll is a direct evolution of GIFTEDCROOK, the stealer that CERT-UA attributed to UAC-0226 in April 2025. The two share the same compiler toolchain, cryptographic framework, anti-analysis checks, and exfiltration protocol, as detailed in the evolution comparison above.

Timestamp analysis provides an additional attribution data point. All LNK files share the same creation timestamp and builder machine identifier (desktop-hagd25b), confirming a single build environment. The PE compile timestamps of four distinct DLL builds (February 3, February 17, March 16, and April 9, 2026) cluster between 06:33 and 11:32 UTC. RAR archive timestamps for the packaged decoy PDFs independently corroborate these build sessions, aligning within seconds of the corresponding PE compile times.

Mapped to UTC+3 (Moscow time), these correspond to 09:33–14:32 local time. All six build events fall on weekdays. While these timestamps can be manipulated, the consistent weekday pattern across multiple sources and the alignment with UTC+3 working hours suggest an operator based near that time zone.

We attribute the HTA-based infection chain to Earth Dahu (Gamaredon) with high confidence. This assessment is based on:

  • Direct continuity: The HTA chain is a continuation of the campaign we reported in the APT Research Report (which is available to subscribers of the Trend Vision One™ Threat Intelligence Hub). The exploitation method, post-exploitation chain (HTA to VBScript to espionage modules), and C&C infrastructure pattern (Dynamic DNS with Cloudflare Workers) are identical.
  • TTP consistency: The spear-phishing delivery TTPs match established Earth Dahu patterns, including compromising government email accounts, BCC self-addressed distribution, and C&C proxying through Cloudflare Workers.
  • Victimology: Exclusive targeting of Ukrainian government and military entities is consistent with Earth Dahu’s documented operational mandate.

The two campaigns examined in this report share the same initial exploit (CVE-2025-8088) and overlapping victimology, but the post-exploitation chains are fundamentally different:

  • SHADOW-EARTH-066 communicates with direct IP-based C&C servers and delivers a compiled x86-64 DLL with PEB-walk API resolution and RC4-encrypted strings. Earth Dahu uses Cloudflare Workers as a C&C proxy and relies on script-based tooling (HTA, VBScript, PowerShell).
  • No shared infrastructure has been identified between the two campaigns.

The tooling reflects different development traditions: the GIFTEDCROOK family is a compiled C++ codebase with statically linked libcurl. Earth Dahu has historically favored script-based approaches.

Although CVE-2025-8088 was patched in WinRAR 7.13 in July 2025, at the time of writing multiple threat actor groups continued to build new exploit samples with fresh lure documents and to use this vulnerability as a reliable initial access vector against Ukrainian organizations.

SHADOW-EARTH-066 uses it to deploy an evolved information stealer, while Earth Dahu uses it to deliver espionage tools. Russia-aligned threat actors, including Sandworm, Turla, and Void Rabisu, have also been reported exploiting the same vulnerability.

The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability reflects the scale of the cyber threats that Ukraine faces. Since the full-scale invasion in 2022, the number of intrusion sets conducting operations against Ukrainian government and military networks has grown steadily, and credentials and documents stolen in these campaigns will not stay contained. Compromised accounts in military and government organizations may create downstream risks for allied nations and partners in their contact networks.

The vulnerability works because WinRAR remains unpatched on enough endpoints to make the investment worthwhile. WinRAR does not auto-update, does not support Group Policy, and falls outside enterprise patch channels like WSUS, SCCM, or Intune. Verifying patch status across hundreds of endpoints requires third-party tools or manual auditing.
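Because WinRAR sits outside WSUS, SCCM and Intune, patch status has to be verified directly. The following PowerShell audit is an added example, not code from the report: it reads each endpoint's uninstall registry entries, falls back to the binary's own version resource, and flags anything older than 7.13 (the release the report names as the fix). The endpoint names are placeholders, and the "WinRAR*" DisplayName match and default install path are assumptions to adjust for your environment.

```powershell
# Added example: flag WinRAR installs older than 7.13 (fix for CVE-2025-8088).
$AuditBlock = {
    param([string]$FixedVersionString)
    $fixed = [version]$FixedVersionString
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'  # only the running account's hive
    )
    # Assumption: WinRAR registers an uninstall entry whose DisplayName starts with "WinRAR".
    $found = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like 'WinRAR*' })

    # Portable or per-user copies may leave no HKLM entry; fall back to the
    # executable's version resource at the assumed default install path.
    if ($found.Count -eq 0) {
        $exe = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
        if (Test-Path $exe) {
            $found = @([pscustomobject]@{
                DisplayName    = 'WinRAR (file version)'
                DisplayVersion = (Get-Item $exe).VersionInfo.ProductVersion
            })
        }
    }

    if ($found.Count -eq 0) {
        [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Product = 'WinRAR'; Version = $null; Status = 'NOT INSTALLED' }
        return
    }
    foreach ($app in $found) {
        # DisplayVersion looks like "7.01.0"; keep only the leading digits-and-dots so [version] can parse it.
        $raw = [regex]::Match([string]$app.DisplayVersion, '^\d+(\.\d+)*').Value
        $ver = $null
        $status = if (-not [version]::TryParse($raw, [ref]$ver)) { 'UNKNOWN' }
                  elseif ($ver -lt $fixed) { 'VULNERABLE (pre-7.13)' }
                  else { 'PATCHED' }
        [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Product = $app.DisplayName; Version = $app.DisplayVersion; Status = $status }
    }
}

# Placeholder host names; leave the list empty to audit only the local machine.
$Endpoints = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
$results = if ($Endpoints.Count -gt 0) {
    Invoke-Command -ComputerName $Endpoints -ScriptBlock $AuditBlock -ArgumentList '7.13' -ErrorAction Continue
} else { & $AuditBlock '7.13' }
$results | Sort-Object Status | Format-Table ComputerName, Product, Version, Status -AutoSize
```

Hosts that are unreachable over WinRM are reported by Invoke-Command's error stream rather than appearing in the table, so an absent host is not evidence that it is patched.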

SHADOW-EARTH-066 and Earth Dahu use different tooling and infrastructure: a compiled C++ stealer chain on one side, a script-based espionage framework on the other. But both relied on the same unpatched entry point.

This problem is not unique to WinRAR, to Ukraine, or to these threat actors. Many utility applications, archiving tools, and file viewers share the same traits: widely installed, infrequently updated, and difficult to manage at enterprise scale. They accumulate known vulnerabilities over time, and threat actors deliberately look for them. CVE-2018-20250, a WinRAR vulnerability from 2018, was still being exploited in targeted attacks years after its disclosure. CVE-2025-8088 appears to be following the same pattern — and when threat actors find a vulnerability that works, they will keep using it until it stops working.

Tracking and patching these applications is not optional. It is a basic requirement for reducing the attack surface that threat actors rely on.
