Earth Estries alive and kicking
Oct. 28, 2025, 10 a.m.
Description
Earth Estries, a China-nexus APT actor, has launched a new campaign exploiting a recent WinRAR vulnerability. The attack chain involves multiple stages, including encrypted stubs, hijacked DLLs, and fake PDFs carrying alternate data streams (ADS). The group, known for using implants such as Snappybee and ShadowPad, ultimately executes shellcode through this multi-stage process. The blog post provides detailed indicators of compromise, including file hashes, filenames, and network indicators. Associated YARA rules are available on the author's GitHub repository. This campaign demonstrates Earth Estries' continued activity and the evolution of its tactics, techniques, and procedures.
Tags
Date
- Created: Oct. 28, 2025, 3:04 a.m.
- Published: Oct. 28, 2025, 3:04 a.m.
- Modified: Oct. 28, 2025, 10 a.m.
Indicators
- f8c119bfc057dc027e6c54b966d168ee1ef38c790e581fb44cf965ca0408db1d
- 94aa6619c61d434e96ca8d128731eb7ee81e399a59a17f751a31b564a7f3a722
- 6c6af015e0bfec69f7867f8c957958aa25a13443df1de26fa88d56a240bdd5ad
- 64ca55137ba9fc5d005304bea5adf804b045ec10c940f6c633ffde43bc36ff3f
- 5e062fee5b8ff41b7dd0824f0b93467359ad849ecf47312e62c9501b4096ccda
- 3c84a5255e0c08e96278dea9021e52c276b4a6c73af9fa81520aefb4a8040a8b
- 3b47df790abb4eb3ac570b50bf96bb1943d4b46851430ebf3fc36f645061491b
- 3822207529127eb7bdf2abc41073f6bbe4cd6e9b95d78b6d7dd04f42d643d2c3
- 38.54.105.114
- mimosa.gleeze.com