Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open
Multiple Russia-aligned threat actors, including SHADOW-EARTH-066 and Earth Dahu, are actively exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The attackers use crafted RAR archives with NTFS Alternate Data Streams to silently drop malicious payloads, such as the evolved GIFTEDCROOK infostealer or HTA-based espionage tools, into the Windows Startup folder and ProgramData directories.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| domain | astrocaf[.]com | Attacker-controlled domain used for spear-phishing |
| domain | joymobile[.]com[.]ua | Domain used in spear-phishing Return-Path |
| domain | mail[.]c1[.]com[.]ua | Mail server domain used in spear-phishing routing |
| email | vodafonenovic33[@]joymobile[.]com[.]ua | Return-Path email used in spear-phishing |
| filename | bfF3BxteabXqg.lnk | Malicious LNK file dropped to Startup folder |
| filename | result.dll | Evolved GIFTEDCROOK infostealer payload |
| ip | 136[.]0[.]141[.]112 | SHADOW-EARTH-066 C&C server |
| ip | 136[.]0[.]141[.]138 | SHADOW-EARTH-066 C&C server |
| ip | 136[.]0[.]141[.]41 | SHADOW-EARTH-066 C&C server |
| ip | 166[.]0[.]132[.]237 | SHADOW-EARTH-066 C&C server |
| ip | 194[.]58[.]66[.]82 | IP resolving to attacker domain astrocaf.com |
| ip | 23[.]26[.]237[.]80 | SHADOW-EARTH-066 C&C server |
| ip | 38[.]225[.]209[.]122 | SHADOW-EARTH-066 C&C server |
| ip | 38[.]225[.]209[.]229 | SHADOW-EARTH-066 C&C server |
| ip | 5[.]9[.]241[.]27 | IP for mail.c1.com.ua used in spear-phishing routing |
| sha256 | 3d371ef71e40c34a75c168d4647db096c2f386499d99a88d4e16b63cd4acda25 | Malicious RAR archive exploiting CVE-2025-8088 |
What Happened
Cybercriminals linked to Russia are using a known flaw in the popular file archiving tool WinRAR to attack Ukrainian government and military organizations. When victims open a specially crafted RAR file, it silently installs malicious software in the background while displaying a harmless-looking document. This allows the attackers to steal sensitive passwords, documents, and other data. Because WinRAR does not update automatically, many computers remain vulnerable even though a fix is available. Organizations should immediately update WinRAR to the latest version and monitor their systems for signs of compromise.
Key Takeaways
- CVE-2025-8088, a WinRAR path traversal vulnerability, is actively exploited by Russia-aligned groups like SHADOW-EARTH-066 and Earth Dahu against Ukrainian targets.
- SHADOW-EARTH-066 deploys an evolved version of the GIFTEDCROOK infostealer (result.dll) using in-memory DLL loading and direct NT syscalls.
- Earth Dahu utilizes the same WinRAR flaw to drop HTA files that execute VBScript via Cloudflare Workers to deliver espionage modules.
- The exploit leverages NTFS Alternate Data Streams (ADS) to silently write files outside the extraction directory while WinRAR displays only a decoy document.
Affected Systems
- WinRAR versions prior to 7.13
- Windows OS
Vulnerabilities (CVEs)
- CVE-2025-8088
- CVE-2025-6218
- CVE-2018-20250
Attack Chain
The attack begins with a spear-phishing email containing a crafted RAR archive exploiting CVE-2025-8088. When opened, WinRAR displays a decoy PDF while silently using NTFS Alternate Data Streams to drop an LNK file into the Startup folder and encrypted payloads into C:\ProgramData. Upon system reboot, the LNK executes a nested PowerShell command that decodes and reflectively loads a DLL (result.dll) into memory using direct NT syscalls. The DLL, an evolved version of GIFTEDCROOK, harvests browser credentials and documents, exfiltrates them to a C&C server via HTTPS, and then deletes its staging artifacts.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides behavioral indicators and file paths for hunting, but does not include explicit detection rules.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions with kernel-level telemetry can detect direct NT system calls used for memory allocation, as well as process creation events like cmd.exe spawning PowerShell from the Startup folder.
- Network Visibility: Medium — Network monitoring can detect connections to known C&C IPs and specific User-Agent strings (libcurl/8.14.0-DEV), though the traffic is HTTPS encrypted.
- Detection Difficulty: Moderate — The use of in-memory DLL loading via direct NT syscalls bypasses user-mode API hooks, requiring kernel-level telemetry. Additionally, the self-deletion of staging files reduces forensic artifacts.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- File Creation (Sysmon Event ID 11)
- Network Connections (Sysmon Event ID 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for LNK or HTA files created in the Windows Startup folder by the WinRAR process. | File Creation logs (Sysmon Event ID 11) | Persistence | Low |
| Consider hunting for cmd.exe launching PowerShell with -ExecutionPolicy Bypass and -WindowStyle Hidden, especially when reading files from C:\ProgramData. | Process Creation logs (Event ID 4688 / Sysmon Event ID 1) | Execution | Medium |
| Consider hunting for HTTP/HTTPS traffic utilizing the User-Agent 'libcurl/8.14.0-DEV'. | Network traffic logs / Proxy logs | Command and Control | Low |
Control Gaps
- Lack of centralized patch management for third-party utilities like WinRAR
- User-mode API hooking limitations against direct NT syscalls
Key Behavioral Indicators
- cmd.exe spawning nested PowerShell instances
- PowerShell processes allocating executable memory via direct NT syscalls
- mshta.exe execution originating from the Startup folder
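The three hunting hypotheses above and the behavioral indicators just listed can be expressed as simple rules over normalized Sysmon and proxy events. The following Python script is an added example, not detection logic from the original report or from any vendor; it runs the rules over a handful of constructed sample events (the file name update.hta and the 203.0.113.x destination addresses are placeholders, not indicators from the report) and reports which event matched which hypothesis, flagging PowerShell command lines that also read from C:\ProgramData.

```python
import re

# Constructed sample events (not taken from the report). Each dict mimics a
# normalized Sysmon / Windows event or proxy log record with the fields the
# hunting table relies on.
SAMPLE_EVENTS = [
    # Sysmon Event ID 11: WinRAR writing an LNK into a user's Startup folder
    {"event_id": 11, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfF3BxteabXqg.lnk"},
    # Sysmon Event ID 11: benign extraction into Downloads
    {"event_id": 11, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target_filename": r"C:\Users\alice\Downloads\report.pdf"},
    # Sysmon Event ID 1: cmd.exe spawning hidden PowerShell that reads from ProgramData
    {"event_id": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                     "-Command \"Get-Content C:\\ProgramData\\KKN\""},
    # Sysmon Event ID 1: benign interactive PowerShell from Explorer
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},
    # Sysmon Event ID 1: mshta.exe executing an HTA from the Startup folder (update.hta is a placeholder name)
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"'},
    # Proxy log records: the libcurl dev-build User-Agent named in the report, and a normal browser
    {"event_id": "proxy", "user_agent": "libcurl/8.14.0-DEV", "dest_ip": "203.0.113.10"},
    {"event_id": "proxy", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "dest_ip": "203.0.113.11"},
]

# Matches the per-user and all-users Startup folder path segment
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SUSPECT_UA = "libcurl/8.14.0-DEV"


def rule_startup_drop_by_winrar(ev):
    """Hypothesis 1: LNK or HTA created in a Startup folder by WinRAR (Sysmon ID 11)."""
    if ev.get("event_id") != 11:
        return False
    target = ev.get("target_filename", "")
    return (ev.get("image", "").lower().endswith("\\winrar.exe")
            and STARTUP_RE.search(target) is not None
            and target.lower().endswith((".lnk", ".hta")))


def rule_hidden_powershell_from_cmd(ev):
    """Hypothesis 2: cmd.exe -> powershell.exe with -ExecutionPolicy Bypass and -WindowStyle Hidden."""
    if ev.get("event_id") != 1:
        return False
    if not ev.get("parent_image", "").lower().endswith("\\cmd.exe"):
        return False
    if not ev.get("image", "").lower().endswith("\\powershell.exe"):
        return False
    cl = ev.get("command_line", "").lower()
    # PowerShell accepts abbreviated switches (-ep, -w), so match on prefixes
    bypass = re.search(r"-e\w*\s+bypass", cl) is not None
    hidden = re.search(r"-w\w*\s+hidden", cl) is not None
    return bypass and hidden


def rule_mshta_from_startup(ev):
    """Behavioral indicator: mshta.exe executing an HTA that lives in a Startup folder."""
    if ev.get("event_id") != 1:
        return False
    return (ev.get("image", "").lower().endswith("\\mshta.exe")
            and STARTUP_RE.search(ev.get("command_line", "")) is not None)


def rule_libcurl_dev_user_agent(ev):
    """Hypothesis 3: HTTP(S) traffic carrying the libcurl/8.14.0-DEV User-Agent."""
    return ev.get("event_id") == "proxy" and ev.get("user_agent") == SUSPECT_UA


RULES = {
    "startup_drop_by_winrar": rule_startup_drop_by_winrar,
    "hidden_powershell_from_cmd": rule_hidden_powershell_from_cmd,
    "mshta_from_startup": rule_mshta_from_startup,
    "libcurl_dev_user_agent": rule_libcurl_dev_user_agent,
}


def hunt(events):
    """Run every rule over every event; return a list of (rule_name, event_index, note)."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                note = ""
                # The table rates hypothesis 2 higher when the command reads from C:\ProgramData
                if name == "hidden_powershell_from_cmd" and "c:\\programdata" in ev.get("command_line", "").lower():
                    note = "reads from C:\\ProgramData"
                hits.append((name, idx, note))
    return hits


if __name__ == "__main__":
    for name, idx, note in hunt(SAMPLE_EVENTS):
        print(f"[{name}] event {idx} {note}".rstrip())
```

Feed `hunt()` a stream of normalized events from your SIEM export instead of SAMPLE_EVENTS; the rules deliberately key on parent/child image names and switch prefixes rather than exact command strings, so minor attacker variations in argument spelling still match, while the benign events in the sample (extraction to Downloads, interactive PowerShell from Explorer, a browser User-Agent) produce no hits.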
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider deploying the latest version of WinRAR (7.13 or newer) across all endpoints using software distribution tools.
- Evaluate blocking the identified SHADOW-EARTH-066 C&C IP addresses at the network perimeter.
- If a compromise is suspected, consider forcing password resets for accounts with saved browser credentials and invalidating active web sessions.
Infrastructure Hardening
- Consider implementing email gateway controls to block or quarantine RAR archives, or inspect them for malicious ADS entries (STMz markers).
- Evaluate integrating third-party applications like WinRAR into centralized patch management workflows.
User Protection
- Consider enabling MFA on all critical accounts to mitigate the impact of stolen credentials.
- If your EDR supports it, ensure kernel-level telemetry is enabled to detect in-memory loading techniques that bypass user-mode hooks.
Security Awareness
- Consider training users to be cautious of unexpected archive files, even if they appear to contain benign documents like PDFs.
MITRE ATT&CK Mapping
- T1566.001 - Spearphishing Attachment
- T1204.002 - User Execution: Malicious File
- T1059.001 - PowerShell
- T1547.001 - Registry Run Keys / Startup Folder
- T1564.004 - NTFS File Attributes
- T1027 - Obfuscated Files or Information
- T1620 - Reflective Code Loading
- T1036 - Masquerading
- T1497 - Sandbox Evasion
- T1070.004 - Indicator Removal: File Deletion
- T1555.003 - Credentials from Web Browsers
- T1539 - Steal Web Session Cookie
- T1005 - Data from Local System
- T1041 - Exfiltration Over C2 Channel
- T1071.001 - Web Protocols
- T1573.001 - Symmetric Cryptography
Additional IOCs
- IPs:
  - 136[.]0[.]141[.]138 - SHADOW-EARTH-066 C&C server
  - 136[.]0[.]141[.]112 - SHADOW-EARTH-066 C&C server
  - 38[.]225[.]209[.]122 - SHADOW-EARTH-066 C&C server
  - 23[.]26[.]237[.]80 - SHADOW-EARTH-066 C&C server
  - 194[.]58[.]66[.]82 - IP resolving to attacker domain astrocaf.com
  - 5[.]9[.]241[.]27 - IP for mail.c1.com.ua used in spear-phishing routing
- Domains:
  - joymobile[.]com[.]ua - Domain used in spear-phishing Return-Path
  - mail[.]c1[.]com[.]ua - Mail server domain used in spear-phishing routing
- File Paths:
  - C:\ProgramData\KKN - PowerShell loader script dropped by RAR archive
  - C:\ProgramData\ND8 - SUB-encoded DLL payload dropped by RAR archive
- Command Lines:
  - Purpose: Executes nested PowerShell to load script from ProgramData | Tools: cmd.exe, powershell.exe | Stage: Execution
  - Purpose: Self-deletion command used by result.dll to remove staging artifacts | Tools: cmd.exe | Stage: Defense Evasion | cmd.exe /c "timeout /t 5 & del "
- Other (filenames dropped to ProgramData): KKN, ND8, U0U, YDV, NdV, QB5k, uaP, WnX, wq_, Arj, O5fE