Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open
June 9, 2026, 9 a.m.
Description
Two Russia-aligned campaigns continue exploiting CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, against Ukrainian organizations through April 2026. SHADOW-EARTH-066 deploys an evolved GIFTEDCROOK information stealer using in-memory DLL loading via direct NT system calls, harvesting browser credentials, session cookies, and documents across 35 file extensions before self-deleting. Earth Dahu employs an HTA-based infection chain delivering espionage modules through Cloudflare Workers infrastructure. Both campaigns leverage the same CVE-2025-8088 exploit but use distinct tooling: SHADOW-EARTH-066 relies on compiled C++ with RC4-encrypted C&C communication, while Earth Dahu uses script-based approaches with Dynamic DNS. The persistent exploitation nearly a year post-patch demonstrates how unmanaged software lacking centralized update mechanisms creates enduring attack surfaces that threat actors deliberately target.
Tags
Date
- Created: June 8, 2026, 10:30 a.m.
- Published: June 8, 2026, 10:30 a.m.
- Modified: June 9, 2026, 9 a.m.
Indicators
- 507b2fcdae058cebbd550965b90c44e878d7a2463058c846eeb68f0dc1b48eda
- 378809699c7252dc38b31969b9cc40858397759f15d6e418246dfaba9088fdd1
- 3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25
- b01f31c9541579ad34f4e50acafec252eb419f5b1ca98155e0ec84c19d12c9e4
- 2a8ea9f1ad8936fb302243faa64b91c5767df411923715cbdb1a869e3bfd7e6d
- 5d164b6d74dae9fe3022bc3cf453cd8b846e9cdc0cd616246fe620be88e3f1e5
- d1d26b0f68e26ac591848796aeef7b9c766442bbff47af8823f9b23d1b588836
- ce78748acd8e9be741b143ad716d735dc682bd5a010427a199744b81456f8e35
- 7200a9f1e1ea51b66ab9c9274e9d8f805633179634e8ff4dcb8ef82bc02518df
- 22b07d2af98bb180474c33d93861124bbdf9b5dd7e42a8bddc654310469a9a2c
- bf338d88f60c0d352cd0d1b5e4bc6a1d9f1ac8fe1df48516ec0042cafda821e9
- 4e21c4c97aeb391473ee1e44961676f32de2ee8b56ecb136c1d8081df97c3db4
- 1c170b7470d507378ddb78e9d66305f1184e965baaf2d27ededb23a318a58953
- 44f6f7ba668fc645129d66353e6f60402822ae929ce54648cae0bba6348a18ea
- a717dd74c01fcfce35a28f374e1c6f9ded06d6f7b0cc04618ce9454ad64febb8
- 68bafc624a4c0d11ef7a949c0077c704aa5ba0a3205fe5b62d29b727b46ccfe4
- f668bd551859007cf2cc2a62bf0bf5414870a04e9782590c9bf85c849ddb308b
- 82fda6ea769d61aba230c3487787087cec53dd378e22f22a8fb8f0bd5ae83ded
- 276789b3b946753e9be482219bc4526da2da8772701f3b9d00c74038e2604ece
- 3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59
- 8150b2b39fa62fa2de177ed8526c621a3581c0eb481dd9740fc5894ce2b7c13b
- f9d2907d6b1de3078a0f111cc98764a92baf5ebd06cc8ab02637a65eff3b7f3a
- e9d6938c9980cab735e8fb2eaa082ddc6f5dd7f2ff84d8ece01e8caaefdbb930
- e08dcb80346ded2bb2393a180e3f2612ed4c2ff0d3842390a5b527d003060212
- 77963398e2c5c2fdf9d28d9c5f9c2791cfbf422ba02225e01635dd7f5b31eff8
- 7d3ba419751e5ea52b567e1162f6a366bf3d06c44c8956a9f14520e9fb6ed0b1
- 718465f44c0680740fb61790eda3d2f4c5218c9de0c560299c580fa1602dc9c7
- 65c053030558b4a3588e2590c5c4961a9912180b731686deb3f4c831e765a095
- 023c8f8e2a71da2044e3f04ac74c8b3616f417436476cea85222f01119615979
- c2527a907b209bc4ce911e36b79781ec260f0851eeb466dbeb386d67fec11467
- 89d20418450b34efe698bd36214100cfa49f60adf1c39a8bc8d65991b1ce2c23
- e6bd725a2af981cd2b5c2217c1d7d906369d8daf48f02023fb73635f9e2b9659
- 37b42a83715f7a34e00d3458d4f4b6e53b8c95372677ce020a2e38e80e60ba87
- 2d9adb7932b7842dfb0e0f453b87e5d28dd4552094105e6340bad009956d8c2b
- 2a6ce2445c096fc5e577a0af513ba6f4fb8a8097764c7df81824a782e07e7f65
- 6083aac5376b7ca74cc363e0d66f70beaffee543d098c612b820b16fbfb0aa52
- dc5082b07eb994ddee343a4080dce0a9ec2e891e5690654e24ae74ba9eabe422
- 136.0.141.41
- 23.26.237.80
- 136.0.141.138
- 166.0.132.237
- 194.58.66.53
- 136.0.141.112
- 38.225.209.229
- 38.225.209.122
- 194.58.66.82
- https://166.0.132.237:7044/rcv/
- https://136.0.141.41:9580/rcv/
- https://136.0.141.138:8406/rcv/
- https://38.225.209.229:9623/rcv/
Additional Information
- Defense
- Government
- joymobile.com.ua
- malicious.workers.dev
- astrocaf.com
- Ukraine