EXECUTIVE SUMMARY
State-sponsored groups aligned with Russian intelligence, identified as Earth Dahu and the cluster known as SHADOW‑EARTH‑066, continue to run campaigns against Ukrainian government and defense‑related entities. The actors exploit a long‑standing flaw (CVE‑2025‑8088) in a popular archive utility that remains unpatched on many endpoints. By delivering malicious RAR files, they gain initial access and then deploy credential‑stealing and document‑exfiltration tools. Their primary objective is intelligence collection and theft of sensitive files, supporting broader geopolitical objectives. The campaigns have persisted for over a year, demonstrating the attackers’ willingness to reuse proven techniques.
The infection chain begins when a recipient opens a seemingly innocuous RAR archive attached to a phishing email. The archive displays a legitimate‑looking PDF, while hidden alternate‑data‑stream entries silently write a shortcut to the Startup folder and a PowerShell loader to a system directory. On the next login the shortcut launches PowerShell with execution‑policy bypass, which decodes an embedded DLL and loads it directly into memory using native system calls, avoiding typical user‑mode hooks. Once resident, the payload harvests browser credentials, copies documents matching dozens of extensions, and exfiltrates the data to encrypted command‑and‑control servers.
This threat is significant because the archive utility is rarely managed through enterprise patching, leaving thousands of workstations exposed long after a fix is released. The use of alternate‑data‑stream files and in‑memory DLL loading makes traditional file‑based detection unreliable, and the rapid self‑deletion of artifacts reduces the window for forensic evidence. Organizations should prioritize inventorying and updating the utility across all endpoints, enforce email gateway scanning for archive attachments, and monitor for unusual Startup shortcuts and PowerShell processes with bypass flags. Continuous backup, network traffic inspection, and enforcing multi‑factor authentication further mitigate the impact of credential theft.
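The monitoring advice above (archive utility writing outside its extraction folder, new shortcuts in a Startup folder, PowerShell started with an execution‑policy bypass) can be turned into simple detection rules. The following is an added example written for this brief, not code from the referenced report: it replays a handful of constructed Sysmon‑style process‑creation (Event ID 1) and file‑creation (Event ID 11) records and reports which rule each record trips. All paths, file names (loader.ps1, OneDriveSync.lnk) and command lines in the sample records are constructed for illustration and are not indicators from the report.

```python
"""
Added example (not from the referenced report): replay constructed
Sysmon-style records and flag the behaviours the brief describes:
  * an archive utility writing into a Startup folder or under C:\Windows
  * a .lnk appearing in a Startup folder (any writer)
  * PowerShell launched with an execution-policy bypass flag, with a
    separate rule when the parent is explorer.exe (typical of a
    Startup-folder shortcut being run at logon)
Records are 'key=value|key=value' lines mimicking Sysmon Event ID 1
(ProcessCreate) and Event ID 11 (FileCreate); every value is constructed.
"""
import re

# Constructed sample telemetry; not real events and not IoCs from the report.
SAMPLE_LOG = [
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\Annual_Report.pdf",
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync.lnk",
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Windows\Temp\loader.ps1",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -nop -w hidden -ep bypass -File C:\Windows\Temp\loader.ps1",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly_backup.ps1",
]

# Per-user and all-users Startup folders share this path suffix.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Writes by an archiver anywhere under the Windows directory are suspicious.
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)
ARCHIVER_RE = re.compile(r"\\(?:winrar|rar|unrar)\.exe$", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)
# Common spellings: -ExecutionPolicy Bypass, -exec bypass, -ex bypass, -ep bypass
BYPASS_RE = re.compile(r"-(?:ex(?:ec(?:utionpolicy)?)?|ep)[\s:]+bypass", re.IGNORECASE)


def parse_record(line: str) -> dict:
    """Parse one 'k=v|k=v' record into a dict (values may contain spaces)."""
    record = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        record[key.strip()] = value.strip()
    return record


def evaluate(record: dict) -> list:
    """Return the names of every rule this record trips (empty if benign)."""
    hits = []
    event = record.get("EventID")
    if event == "11":
        image = record.get("Image", "")
        target = record.get("TargetFilename", "")
        if ARCHIVER_RE.search(image) and STARTUP_RE.search(target):
            hits.append("archiver-write-startup")
        if ARCHIVER_RE.search(image) and SYSTEM_DIR_RE.search(target):
            hits.append("archiver-write-systemdir")
        if target.lower().endswith(".lnk") and STARTUP_RE.search(target):
            hits.append("startup-lnk-created")
    elif event == "1":
        image = record.get("Image", "")
        cmdline = record.get("CommandLine", "")
        parent = record.get("ParentImage", "")
        if POWERSHELL_RE.search(image) and BYPASS_RE.search(cmdline):
            hits.append("powershell-bypass")
            if parent.lower().endswith(r"\explorer.exe"):
                hits.append("powershell-bypass-explorer-parent")
    return hits


def scan(lines) -> list:
    """Run every rule over every record; returns (record_index, rule) pairs."""
    findings = []
    for index, line in enumerate(lines):
        for rule in evaluate(parse_record(line)):
            findings.append((index, rule))
    return findings


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_LOG):
        print(f"record {index}: {rule}")
```

The first and last sample records (an archiver writing a PDF into Downloads, and PowerShell run by a service with RemoteSigned) produce no findings; the three in between reproduce the chain in the brief: archiver write into Startup and into a system directory, a new Startup .lnk, and an explorer‑spawned PowerShell with `-ep bypass`. In production these rules belong in the SIEM or EDR query language, with the archiver rule scoped to the inventory of installed archive utilities.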
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1203 | Exploitation for Client Execution | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://www.trendmicro.com/en_us/research/26/f/old-winrar-flaw-fuels-attacks-on-ukraine.html