The modern threat landscape targeting Ukrainian organizations highlights a significant shift in threat actor methodology. While high-profile advanced persistent threats (APTs) traditionally relied on complex zero-day chains targeting core operating system kernels, contemporary campaigns show a heavy reliance on unmanaged utility applications. Since the escalation of regional cyber operations, veteran Russia-aligned intrusion sets—including Pawn Storm (APT28), Sandworm, Earth Koshchei (APT29), Turla, and Earth Dahu (Gamaredon)—have been joined by newly identified activity clusters. A defining feature across these groups is the rapid integration of public vulnerabilities found in ubiquitous secondary software. CVE-2025-8088, a critical path traversal vulnerability in the WinRAR archiving utility, serves as a prime example. Disclosed initially as a zero-day leveraged by Void Rabisu (ROMCOM) and subsequently adopted by Sandworm and Turla, this flaw continues to serve as an initial access vector for multiple distinct threat groups well into 2026, long after a formal patch was issued.

Deep Dive into CVE-2025-8088: Path Traversal via NTFS Alternate Data Streams
CVE-2025-8088 is a directory traversal flaw scored CVSS 8.4 and patched in WinRAR 7.13. It lives in the handling of a specific archive metadata structure rather than in the ordinary file-name field. It is structurally related to an earlier traversal bug (CVE-2025-6218, fixed in version 7.12) but reaches a separate code path: the one that restores NTFS Alternate Data Streams (ADS). NTFS allows a file to carry additional named data streams beside its main content. A RAR5 archive represents such a stream as a SERVICE header (header type 0x03) whose name is STM; the stream's own name is stored in that header's extra area and, on extraction, is appended (after a colon) to the path of the file being restored. Versions prior to 7.13 did not reject stream names containing path separators or relative traversal sequences (..\..\), and when Windows normalises the resulting path each ..\ component steps up one directory. An attacker can therefore ship an archive that shows the user a single benign decoy document while the stream data is written to arbitrary locations outside the extraction directory.

SHADOW-EARTH-066 (UAC-0226): Strategic and Tactical Evolution
The group designated SHADOW-EARTH-066 (tracked by CERT-UA as UAC-0226) has evolved its tradecraft quickly over a short operational timeline. When first documented in April 2025, targeting Ukrainian military innovation centers, frontline military formations, regional law enforcement and local self-government bodies along the eastern border, its campaigns relied on macro-enabled Excel workbooks (.xlsm). Those documents dropped a basic .NET reverse shell alongside a C/C++ credential harvester known as GIFTEDCROOK, which copied browser databases, zipped them via PowerShell and exfiltrated the archive to a hardcoded Telegram channel using a plaintext bot token. Campaign data running through April 2026 shows a complete overhaul of this pipeline: the Excel macro droppers are gone, replaced by CVE-2025-8088 exploit chains, and the Telegram exfiltration scripts have given way to in-memory dynamic-link library (DLL) loading that reports to dedicated, encrypted command-and-control (C&C) infrastructure.

Deconstructing the SHADOW-EARTH-066 Attack Chain and Execution Mechanics
SHADOW-EARTH-066 sizes its traversal depths to the directories into which mail clients typically extract attachments. When a target opens the crafted RAR archive, they see a single decoy file (for example a spoofed judicial or defense-ministry notification), while WinRAR silently writes three further payloads, with no warning, at the following depths relative to the extraction directory:
- 5 levels up: an execution shortcut (.lnk) dropped into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ (e.g., bfF3BxteabXqg.lnk)
- 12 levels up: an obfuscated PowerShell script loader dropped into C:\ProgramData\ (e.g., KKN)
- 12 levels up: a SUB-encoded binary payload dropped into C:\ProgramData\ (e.g., ND8)
The execution chain remains dormant until the user next logs into the workstation, triggering the execution of the LNK file from the Windows Startup directory. The shortcut targets cmd.exe with structured arguments that initiate a double-nested PowerShell instance:
cmd.exe /c start /min "" powershell -NoPr -Win Hidd -Ex Bypass -Com "powershell -NoPr -Ex Bypass -Com ""iex (gc 'C:\ProgramData\KKN' -raw)"""
The outer session is started with -WindowStyle Hidden (abbreviated -Win Hidd); both sessions pass -NoProfile (-NoPr) and -ExecutionPolicy Bypass (-Ex Bypass), and -Com is -Command. PowerShell accepts any unambiguous prefix of a parameter name, so these truncated forms behave exactly like the full ones while defeating signatures that look for the literal strings -ExecutionPolicy or -WindowStyle. The inner session reads the raw script loader from C:\ProgramData\ and hands it to Invoke-Expression (iex). To vary the static command line further, the actor rotates the Get-Content alias between builds, switching among gc, cat and type. The loader itself is 65 to 74 KB and heavily obfuscated: function names are randomised English word pairs (e.g., flexibility_denominator_wiretap()), hundreds of junk comment lines pad the file, and fractional delays (e.g., Sleep 1.453) are inserted to stall and exhaust automated sandbox analysis.
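As an added illustration (not code from the original report or from the actor), the following Python detection logic applies the point above to constructed process-creation records in Sysmon Event ID 1 style. It expands PowerShell's abbreviated parameter names and the gc/cat/type aliases before matching, so one rule holds across the builds described. The field names, process paths and file names are assumptions for the sample; no real telemetry is used.

```python
import re

# PowerShell resolves any unambiguous prefix of a parameter name (e.g. -Ex -> -ExecutionPolicy).
# A subset of powershell.exe switches is enough to canonicalise the loader's spellings.
PS_PARAMS = ["-NoProfile", "-NonInteractive", "-NoLogo", "-NoExit", "-WindowStyle",
             "-ExecutionPolicy", "-EncodedCommand", "-Command", "-File", "-Version"]

# Constructed sample command lines: the LNK target quoted in the report, plus what it spawns.
LNK_TARGET = r'''cmd.exe /c start /min "" powershell -NoPr -Win Hidd -Ex Bypass -Com "powershell -NoPr -Ex Bypass -Com ""iex (gc 'C:\ProgramData\KKN' -raw)"""'''
OUTER_PS = r'''powershell -NoPr -Win Hidd -Ex Bypass -Com "powershell -NoPr -Ex Bypass -Com ""iex (cat 'C:\ProgramData\KKN' -raw)"""'''
INNER_PS = r'''powershell -NoPr -Ex Bypass -Com "iex (type 'C:\ProgramData\KKN' -raw)"'''
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records, not real telemetry
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": LNK_TARGET},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": LNK_TARGET,
     "Image": PS_EXE, "CommandLine": OUTER_PS},
    {"ParentImage": PS_EXE, "ParentCommandLine": OUTER_PS,
     "Image": PS_EXE, "CommandLine": INNER_PS},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",  # benign admin use
     "Image": PS_EXE, "CommandLine": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
]

def canonical_param(token: str) -> str:
    """Expand an abbreviated switch when exactly one known parameter has that prefix."""
    hits = [p for p in PS_PARAMS if p.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else token

def normalise(cmdline: str) -> str:
    """Canonical lower-cased form: full switch names, Get-Content/Invoke-Expression spelled out,
    and cmd.exe's doubled quotes collapsed so the nested command reads like the direct one."""
    cmd = re.sub(r'"{2,}', '"', cmdline)
    cmd = " ".join(canonical_param(t) if t.startswith("-") else t for t in cmd.split())
    cmd = re.sub(r"\b(gc|cat|type)\b", "Get-Content", cmd, flags=re.I)
    cmd = re.sub(r"\biex\b", "Invoke-Expression", cmd, flags=re.I)
    return cmd.lower()

STAGING_READ = re.compile(r"invoke-expression \(get-content '([a-z]:\\programdata\\[^']+)' -raw\)")
HIDDEN = re.compile(r"-windowstyle\s+h\w*")   # the value Hidden may itself be abbreviated (Hidd)

def evaluate(rec: dict) -> list:
    """Indicator names matched by one process-creation record."""
    image, parent = rec["Image"].lower(), rec["ParentImage"].lower()
    cmd, pcmd = normalise(rec["CommandLine"]), normalise(rec.get("ParentCommandLine", ""))
    hits = []
    if image.endswith("\\cmd.exe") and parent.endswith("\\explorer.exe") \
            and "start /min" in cmd and "powershell" in cmd:
        hits.append("logon_cmd_start_min_powershell")
    if image.endswith("\\powershell.exe"):
        if "-executionpolicy bypass" in cmd:
            hits.append("executionpolicy_bypass")
        if HIDDEN.search(cmd):
            hits.append("hidden_window")
        if parent.endswith("\\powershell.exe") and "-executionpolicy bypass" in pcmd:
            hits.append("nested_powershell")
        m = STAGING_READ.search(cmd)
        if m:
            hits.append("iex_programdata_staging:" + m.group(1))
    return hits

def detect(events) -> list:
    """(index, indicators) for every record that matched at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

if __name__ == "__main__":
    for idx, indicators in detect(SAMPLE_EVENTS):
        print(idx, indicators)
```

Canonicalising before matching is the design point: a rule written against "-ExecutionPolicy Bypass" never sees "-Ex Bypass", and a rule keyed on "gc" misses the cat and type builds, whereas the normalised command line is identical for all of them. Ambiguous prefixes (for example -E, which could be -ExecutionPolicy or -EncodedCommand) are left untouched, which is also what PowerShell itself refuses to run.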
In-Memory Evasion and Evolved GIFTEDCROOK Malicious Architecture
To slip past the user-mode API hooks that endpoint detection and response (EDR) agents rely on, the obfuscated PowerShell loader avoids the high-level Win32 memory and thread APIs (VirtualAlloc, VirtualProtect, CreateThread) and instead invokes the underlying NT primitives directly. The script reads the SUB-encoded binary payload (ND8) from disk and decodes it with a byte-wise subtraction of a hardcoded key (for example 0x38):
$$\text{decoded}[i] = (\text{encoded}[i] - \text{key}) \;\&\; \text{0xFF}$$
Once decoded, the loader calls NtAllocateVirtualMemory to allocate an unbacked region inside the host powershell.exe process, copies the plaintext payload into it with Marshal.Copy, changes the region's protection to executable with NtProtectVirtualMemory, and finally calls NtCreateThreadEx with a start address at the payload's entry point. Because the decoded binary never touches the filesystem, file-based scanners have nothing to inspect. Hooks placed on the kernel32 wrappers never fire either; hooks on ntdll itself are only bypassed if the loader reaches the syscall instruction without going through the exported ntdll stubs.
The payload is an evolved GIFTEDCROOK info-stealer compiled as an x86-64 DLL internally named result.dll. Fingerprints that recur across builds include a single export named Func, an unusual PE layout in which e_lfanew (the offset of the PE header from the DOS header) is 0x110, and a statically linked libcurl 8.14.0-DEV.
Target Data Acquisition: Scraping Browsers, ABE Evasion, and Document Harvesting
The primary mission of result.dll is rapid data harvesting. The malware is pre-programmed to scrape user data profiles across prominent Chromium-based web browsers and Firefox installations:
| Browser Family | Targeted User Profile Directories |
|---|---|
| Google Chrome | %LOCALAPPDATA%\Google\Chrome\User Data |
| Microsoft Edge | %LOCALAPPDATA%\Microsoft\Edge\User Data |
| Opera | %APPDATA%\Opera Software\Opera Stable |
| Mozilla Firefox | %APPDATA%\Mozilla\Firefox\Profiles |
For Chromium browsers, the malware reads the Local State JSON file and calls the Data Protection API (DPAPI) routine CryptUnprotectData to decrypt the browser's master key, then pulls the saved records out of the Login Data and Cookies databases. Notably, result.dll also extracts the app_bound_encrypted_key value that Chrome 127 and newer store in Local State. App-Bound Encryption (ABE) was introduced precisely to restrict credential decryption to the legitimate browser context and break info-stealers; the presence of an ABE circumvention routine inside result.dll shows that the authors are keeping pace with current platform hardening. For Firefox, the stealer parses the NSS key databases (key3.db and key4.db) together with the cookies.sqlite store.
At the same time, result.dll runs a recursive search across %USERPROFILE%\Documents, %USERPROFILE%\Downloads and %TEMP%, matching files against a dictionary of 35 extensions:
- Documents: .txt, .doc, .docx, .docm, .rtf, .dot, .dotx, .dotm, .odt, .pdf, .md, .log
- Spreadsheets: .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .csv
- Presentations: .ppt, .pptx, .pptm, .pps, .ppsx, .pot
- Email: .eml
- Archives: .rar, .zip, .7z, .cab, .gzip, .tar
- Sensitive configurations: .kdbx (KeePass databases), .ovpn (OpenVPN connection profiles), .conf
Collected data is encrypted in two layers with static RC4 keys and sent over HTTPS through the embedded libcurl to dedicated IP-based C&C servers listening on atypical ports (e.g., 166.0.132[.]237:7044, 136.0.141[.]41:9580 and 136.0.141[.]138:8406). Once the transfer is confirmed, the malware runs a self-deletion routine that removes the LNK from the Startup folder and both staging files from C:\ProgramData\, minimising its forensic footprint.
Earth Dahu (Gamaredon): The Script-Based Alternative Espionage Pipeline
Running concurrently to the SHADOW-EARTH-066 binary campaign is an entirely separate operation conducted by Earth Dahu (Gamaredon), targeting overlapping victim profiles using the exact same entry point (CVE-2025-8088). Despite utilizing the same initial vulnerability, Earth Dahu employs a completely different post-exploitation chain rooted in script-based frameworks rather than compiled binaries. Their archives deploy an HTML Application (.hta) attack pipeline. Upon extraction, the HTA engine spawns highly obfuscated VBScript sequences that drop persistent backdoor modules and, in select instances documented by researchers, specialized wiper routines.

Earth Dahu's infrastructure relies on Dynamic DNS names proxied through Cloudflare Workers. To deceive anyone inspecting the command URLs, their HTA code routinely abuses the userinfo part of the URL syntax (user:password@host, originally intended for HTTP Basic Authentication). A connection string such as:
hxxps://ssu[.]gov[.]ua@malicious[.]workers[.]dev/path
shows the legitimate domain of the Security Service of Ukraine (ssu.gov.ua) to the left of the @, while every URL parser treats the text after the @ as the host and sends the request to the actor's workers.dev endpoint. Earth Dahu regularly borrows prominent names for this cover, including:
- State bodies: president.gov.ua, rnbo.gov.ua, mil.gov.ua
- National news outlets: nv.ua, tsn.ua, www.unian.net, censor.net
- International media: www.bbc.com, www.dw.com, www.rbc.ru
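The following check, an added example rather than Earth Dahu's code or the page's own, shows how a URL parser resolves the pattern above and how a gateway or proxy log review can flag it: urllib.parse assigns everything before the last @ in the authority to userinfo, so the effective host is whatever follows it. The URLs are constructed samples (the defanged hxxps / [.] notation is refanged first); 203.0.113.5 is a documentation address.

```python
import re
from urllib.parse import urlsplit

def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging used in reports so the URL parses normally."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def effective_target(url: str) -> dict:
    """Host actually contacted versus the userinfo shown before '@' in the authority.
    urlsplit splits the authority on the LAST '@', which is also how HTTP clients resolve it."""
    parts = urlsplit(refang(url))
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    return {"host": parts.hostname, "port": parts.port, "userinfo": userinfo, "path": parts.path}

# Something that looks like a registered domain (at least one dot, label characters only).
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def is_userinfo_spoof(url: str) -> bool:
    """True when the userinfo looks like a domain name, i.e. the text a reader sees first
    names a site other than the one the request goes to."""
    t = effective_target(url)
    shown = t["userinfo"].split(":", 1)[0]          # drop any 'password' half
    return bool(DOMAIN_LIKE.match(shown)) and shown.lower() != (t["host"] or "").lower()

# Constructed samples: the pattern from the report, a spoof with an explicit port, two benign URLs.
SAMPLE_URLS = [
    "hxxps://ssu[.]gov[.]ua@malicious[.]workers[.]dev/path",
    "https://www.bbc.com@203.0.113.5:8443/news",
    "https://svc:s3cret@intranet.example/api",
    "https://president.gov.ua/news",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(is_userinfo_spoof(u), effective_target(u))
```

Ordinary credentials in a URL (svc:s3cret@intranet.example) do not trigger the check because the user part contains no dot; only a userinfo that reads like a domain is treated as a lookalike. Interactive browsers generally strip or warn on userinfo, but scripting hosts and HTTP libraries send the request to the host after the @ without comment, which is why the trick works inside an HTA.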
In their latest builds, Earth Dahu altered the ADS traversal string by inserting a redundant escape sequence (Startup\..\Startup\) in front of the file name. The resulting path is identical once normalised, but the variant defeats static filters that match a single straightforward run of ..\ components. Rules that normalise the path before matching, or that simply reject any stream name containing a path separator, are unaffected by this change.
Spear-Phishing Dissemination and Compromised Infrastructures
Analysis of emails sent from December 2025 through April 2026 reveals that both threat actors use sophisticated spear-phishing distribution strategies. Instead of using newly provisioned external mail servers, the majority of the malicious emails originate directly from compromised email accounts belonging to legitimate Ukrainian government agencies, regional administrative bodies, and legal systems. In one notable compromise cluster, four separate accounts belonging to a single regional government Microsoft Exchange server were observed transmitting phishing lures simultaneously. All four mailboxes shared an identical internal originating IP address, confirming that threat actors had compromised an internal workstation and were using it to distribute emails across multiple internal profiles.
To hide the recipient list, the phishing emails use a self-addressed BCC (blind carbon copy) model in which the From and To headers carry the same address and the real targets sit in BCC. Subject lines consistently cite urgent legal matters such as property seizure orders, court summonses or writs of execution. Attachment names follow one template:
{DocType}_{N}_{N}_{N}_{N}_{dd.mm.yyyy}.rar
where {DocType} is a legal document category and each {N} is a random numeric string. Alongside compromised government mailboxes, the attackers have used spoofed domains: astrocaf[.]com (registered through reg.ru and resolving to 194.58.66[.]82 in Baxet Group Inc. address space) sent spoofed law-enforcement notifications, and separate campaigns went out through mail[.]c1[.]com[.]ua (5[.]9[.]241[.]27, hosted at Hetzner).
Enterprise Remediation, Threat Hunting, and Gateway Defensive Strategies
CVE-2025-8088 remains effective mainly because WinRAR has no background auto-update mechanism and ships no Group Policy (GPO) templates, so it sits outside the update path of Windows Server Update Services (WSUS), Configuration Manager (SCCM) and Microsoft Intune unless an administrator packages it as a third-party application. Closing the gap means inventorying every endpoint installation and updating it to WinRAR 7.13 or newer. The inventory should also cover portable copies and third-party products that bundle the Windows UnRAR.dll, which shares the affected extraction code and was fixed in the same release.
To identify active or historic compromises, threat hunting teams should search endpoints for short alphanumeric staging files within C:\ProgramData\, specifically looking for filenames such as KKN, ND8, U0U, YDV, NdV, QB5k, uaP, WnX, wq_, Arj, and O5fE. Network defenders should monitor for persistent outbound connections over atypical ports to the following known C&C IP addresses:
- 23.26.237[.]80
- 38.225.209[.]122
- 38.225.209[.]229
- 136.0.141[.]41
- 136.0.141[.]112
- 136.0.141[.]138
- 166.0.132[.]237
Because GIFTEDCROOK cleans up after a successful exfiltration, file artifacts may exist only in the window between extraction of the archive and the user's next logon. Hunting should therefore prioritise behaviour over files: at logon, explorer.exe starting cmd.exe, which starts powershell.exe, which starts a second powershell.exe, with -ExecutionPolicy Bypass (in any abbreviated spelling) and an Invoke-Expression over a file read from C:\ProgramData\. PowerShell script block logging (Event ID 4104) records the loader's decoded content at the moment Invoke-Expression runs it, whatever the on-disk obfuscation looks like. For the in-memory stage, the Microsoft-Windows-Threat-Intelligence ETW provider reports executable memory allocation (NtAllocateVirtualMemory), protection changes (NtProtectVirtualMemory) and thread creation from the kernel side, so it sees operations that bypassed user-mode hooks; note that only EDR agents running as anti-malware protected processes can subscribe to it. At the perimeter, email gateways should quarantine RAR archives carrying SERVICE headers named STM whose stream names contain path separators or ..\ components, which a legitimate alternate data stream name never has; a stricter policy can reject any inbound archive that carries ADS entries at all.
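As a concrete form of the gateway rule (an added example, not WinRAR's code, the vendor's or the original report's), the Python below walks the RAR5 block structure described in the CVE-2025-8088 section, locates SERVICE headers named STM, pulls the stream name out of their extra area and flags names that contain directory components, resolving ..\ so that the plain form and the Startup\..\Startup\ variant Earth Dahu added compare equal. Field layout follows the public RAR 5.0 format note: a vint carries 7 bits per byte with the high bit as continuation, the header CRC32 spans the size field through the extra area, and the stream name sits in a service-data extra record (type 0x07) beginning with ':'. The archive is constructed inside the block (stored, uncompressed data) so the scan runs offline; helper names and the sample stream name are assumptions.

```python
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002        # header flags: extra area / data area present
FFL_MTIME, FFL_CRC = 0x0002, 0x0004         # file flags: optional mtime / data CRC32 fields
EXTRA_SUBDATA = 0x07                        # extra record type carrying service data

def vint(n: int) -> bytes:
    """RAR5 variable-length integer: 7 bits per byte, high bit set while more bytes follow."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80); n >>= 7
    return bytes(out + bytes([n]))

def read_vint(buf: bytes, pos: int):
    val = shift = 0
    while True:
        b = buf[pos]; pos += 1
        val |= (b & 0x7F) << shift; shift += 7
        if not b & 0x80:
            return val, pos

def block(htype: int, body: bytes, extra: bytes = b"", data: bytes = b"") -> bytes:
    """CRC32 | size | type | flags | [extra size] | [data size] | body | extra, then the data area."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = vint(htype) + vint(flags) + (vint(len(extra)) if extra else b"")
    hdr += (vint(len(data)) if data else b"") + body + extra
    sized = vint(len(hdr)) + hdr            # CRC spans the size field through the extra area
    return struct.pack("<I", zlib.crc32(sized)) + sized + data

def entry_body(name: bytes, unpacked: int) -> bytes:
    """Shared file/service fields: file flags, unpacked size, attributes, compression (0 = stored), host OS, name."""
    return vint(0) + vint(unpacked) + vint(0) + vint(0) + vint(0) + vint(len(name)) + name

def build_sample_archive(stream_name: str, payload: bytes) -> bytes:
    """Constructed archive: one benign decoy plus one STM service header carrying stream_name."""
    record = vint(EXTRA_SUBDATA) + stream_name.encode("utf-8")
    extra = vint(len(record)) + record      # extra record = size, then type + data
    return (RAR5_SIG
            + block(HEAD_MAIN, vint(0))     # archive flags = 0
            + block(HEAD_FILE, entry_body(b"decoy.txt", 5), data=b"hello")
            + block(HEAD_SERVICE, entry_body(b"STM", len(payload)), extra=extra, data=payload)
            + block(HEAD_END, vint(0)))     # end-of-archive flags = 0

def resolve(stream: str):
    """Collapse '.' and '..' like a path normaliser; returns (levels climbed above the file, remaining path)."""
    stack, up = [], 0
    for part in stream.lstrip(":").replace("/", "\\").split("\\"):
        if part == "..":
            if stack: stack.pop()
            else: up += 1
        elif part not in ("", "."):
            stack.append(part)
    return up, "\\".join(stack)

def is_traversal(stream: str) -> bool:
    """A genuine ADS name is a single component; any directory step means it leaves the target file."""
    up, rel = resolve(stream)
    return up > 0 or "\\" in rel

def subdata_name(extra: bytes):
    """Service-data record (0x07) payload from an extra area, or None if absent."""
    p = 0
    while p < len(extra):
        size, p = read_vint(extra, p)       # size counts the type field and data, not itself
        rtype, q = read_vint(extra, p)
        if rtype == EXTRA_SUBDATA:
            return extra[q:p + size].decode("utf-8", "replace")
        p += size
    return None

def scan_rar5(buf: bytes) -> list:
    """Findings for every STM service header whose stream name escapes the extracted file."""
    if not buf.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, findings = len(RAR5_SIG), []
    while pos < len(buf):
        crc = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        hsize, p = read_vint(buf, pos)
        hdr_end = p + hsize
        if zlib.crc32(buf[pos:hdr_end]) != crc:
            raise ValueError(f"header CRC mismatch at offset {pos - 4}")
        htype, p = read_vint(buf, p)
        hflags, p = read_vint(buf, p)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA: extra_size, p = read_vint(buf, p)
        if hflags & HFL_DATA:  data_size, p = read_vint(buf, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(buf, p)
            for _ in range(2): _v, p = read_vint(buf, p)          # unpacked size, attributes
            p += (4 if fflags & FFL_MTIME else 0) + (4 if fflags & FFL_CRC else 0)
            for _ in range(2): _v, p = read_vint(buf, p)          # compression info, host OS
            nlen, p = read_vint(buf, p)
            name = buf[p:p + nlen].decode("utf-8", "replace"); p += nlen
            if htype == HEAD_SERVICE and name == "STM":
                stream = subdata_name(buf[p:p + extra_size])
                if stream is not None and is_traversal(stream):
                    up, rel = resolve(stream)
                    findings.append({"offset": pos - 4, "stream": stream, "levels_up": up,
                                     "resolved": rel, "data_size": data_size})
        pos = hdr_end + data_size
        if htype == HEAD_END:
            break
    return findings
```

Keying the rule on the stream name rather than on the presence of an STM header matters: archives created with WinRAR's option to save NTFS streams legitimately carry STM entries such as Zone.Identifier, and those pass cleanly. The block covers the RAR5 layout only; a RAR4 (RARFMT15) archive stores the same subdata in a different header format and needs its own walker.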
Our Opinion: The Threat of Legacy Tooling in Modern Cyber Warfare
The strategic resilience of CVE-2025-8088 underscores a fundamental, systemic flaw in modern corporate security architecture: the unmanaged lifecycle of legacy enterprise utilities. While organizations channel massive capital into securing cloud infrastructures and patching primary operating systems, basic utility applications like WinRAR operate outside centralized update frameworks like WSUS or Microsoft Intune. This creates an unmonitored baseline environment where high-severity path traversal flaws remain exploitable years after patch availability.
The fact that threat groups as structurally diverse as Earth Dahu and SHADOW-EARTH-066 can rely on the same entry point to deploy completely distinct payloads highlights the predictability of threat actor methodology—they optimize for the path of least resistance. In the context of the cyber conflict in Ukraine, the ongoing viability of this flaw proves that exploitation capability is rarely bottlenecked by the availability of sophisticated zero-days; rather, it is sustained by operational friction in vulnerability management on the victim’s end. Moving forward, defender frameworks must evolve to treat compression tools, archive viewers, and media players as tier-one endpoint exposure risks. Failure to integrate these ubiquitous utilities into automated, enforcement-driven patch management strategies renders peripheral defenses entirely performative.
MITRE ATT&CK Mapping

| Tactic | Technique | ID | Campaign |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | Both |
| Execution | Exploitation for Client Execution | T1203 | Both |
| Execution | User Execution: Malicious File | T1204.002 | Both |
| Execution | PowerShell | T1059.001 | SHADOW-EARTH-066 |
| Persistence | Boot or Logon Autostart Execution: Startup Folder | T1547.001 | Both |
| Defense Evasion | NTFS File Attributes | T1564.004 | Both |
| Defense Evasion | Obfuscated Files or Information | T1027 | SHADOW-EARTH-066 |
| Defense Evasion | Reflective Code Loading | T1620 | SHADOW-EARTH-066 |
| Defense Evasion | Masquerading | T1036 | Both |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 | SHADOW-EARTH-066 |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | SHADOW-EARTH-066 |
| Credential Access | Credentials from Web Browsers | T1555.003 | SHADOW-EARTH-066 |
| Credential Access | Steal Web Session Cookie | T1539 | SHADOW-EARTH-066 |
| Collection | Data from Local System | T1005 | SHADOW-EARTH-066 |
| Exfiltration | Exfiltration Over C&C Channel | T1041 | SHADOW-EARTH-066 |
| C&C | Web Protocols | T1071.001 | Both |
| C&C | Encrypted Channel: Symmetric Cryptography | T1573.001 | SHADOW-EARTH-066 |
| Impact | Data Destruction | T1485 | Earth Dahu (reported by ClearSky) |
