
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations

Campaign · H score 57 · 1 unique source, 1 article

Summary


The Earth Dahu and SHADOW-EARTH-066 campaigns are still exploiting CVE-2025-8088 in WinRAR against Ukrainian organisations, keeping the flaw in active use nearly a year after the patch and delivering both stealer and espionage payloads. The SHADOW-EARTH-066 chain uses crafted RAR archives whose hidden ADS payloads drop a LNK into the user's Startup folder, from which a cmd.exe-launched PowerShell loader runs GIFTEDCROOK to exfiltrate credentials and documents. The Earth Dahu chain uses an HTA-to-VBScript sequence to deliver GammaPhish, GammaLoad, and GammaSteel; the move from Telegram-based exfiltration to dedicated C2 servers indicates sustained, maturing access rather than opportunistic use.
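Both chains leave a recognisable shape in endpoint telemetry: an archiver process writing into a Startup folder, an explorer -> cmd.exe -> powershell.exe lineage with stealth switches at the next logon, and a script host descended from mshta.exe. The following is an added example, not code from Trend Micro or from this page, showing those three checks as triage rules over constructed process-creation and file-creation events; the event fields are a simplified stand-in for Sysmon EID 1 and EID 11, and the sample command lines and paths are invented for the demonstration.

```python
"""Triage rules for the two WinRAR CVE-2025-8088 post-exploitation chains described
above. Added example: event schema, sample events and paths are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # image path as logged
    cmdline: str


@dataclass(frozen=True)
class FileCreate:
    pid: int        # creating process
    path: str


ARCHIVERS = {"winrar.exe", "unrar.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_MARK = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# PowerShell switches (and common abbreviations) loaders use to run unseen.
PS_STEALTH = {"-nop", "-noprofile", "-noni", "-noninteractive", "-w", "-windowstyle",
              "-enc", "-encodedcommand", "-ep", "-executionpolicy"}


def base(image: str) -> str:
    """Lower-case image file name, e.g. 'powershell.exe'."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, depth=5):
    """The process plus up to depth-1 ancestors; assumes no PID reuse in the window."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def triage(procs, files):
    by_pid = {p.pid: p for p in procs}
    hits = []
    # Rule 1: an archiver writes into a Startup folder. A normal extraction stays under
    # the chosen output directory; the ADS traversal lands the persistence LNK there.
    for f in files:
        w = by_pid.get(f.pid)
        if w and base(w.image) in ARCHIVERS and STARTUP_MARK in f.path.lower():
            hits.append(("startup_drop_by_archiver", w.pid, f.path))
    for p in procs:
        chain = [base(x.image) for x in ancestry(by_pid, p.pid)]
        tokens = set(p.cmdline.lower().split())
        # Rule 2: explorer -> cmd -> powershell with stealth switches, the shape a
        # Startup LNK produces at logon (the LNK path itself is not in process telemetry).
        if chain[:3] == ["powershell.exe", "cmd.exe", "explorer.exe"] and tokens & PS_STEALTH:
            hits.append(("lnk_cmd_powershell_loader", p.pid, p.cmdline))
        # Rule 3: a script host descended from mshta.exe (HTA handing off to VBScript).
        if chain and chain[0] in SCRIPT_HOSTS and "mshta.exe" in chain[1:]:
            hits.append(("hta_to_vbscript", p.pid, p.cmdline))
    return hits


# Constructed sample telemetry (not real logs): one benign cmd->powershell pair (500/501)
# sits beside the two malicious chains to show the rules do not fire on it.
SAMPLE_PROCS = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Program Files\WinRAR\WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\report.rar"'),
    Proc(300, 100, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c powershell -nop -w hidden -c "iex(gc $env:TEMP\l.ps1)"'),
    Proc(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -nop -w hidden -c "iex(gc $env:TEMP\l.ps1)"'),
    Proc(400, 100, r"C:\Windows\System32\mshta.exe",
         r"mshta.exe C:\Users\u\AppData\Local\Temp\page.hta"),
    Proc(401, 400, r"C:\Windows\System32\wscript.exe",
         r"wscript.exe //B C:\Users\u\AppData\Local\Temp\dl.vbs"),
    Proc(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(501, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe Get-Process"),
]
SAMPLE_FILES = [
    FileCreate(200, r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"),
    FileCreate(200, r"C:\Users\u\Downloads\report\report.pdf"),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_PROCS, SAMPLE_FILES):
        print(f"{rule:28} pid={pid} {detail}")
```

Rule 1 is the highest-value check because it catches the traversal at extraction time, before any payload runs; rules 2 and 3 are lineage checks and will also match other LNK- and HTA-based loaders, so treat them as hunting leads rather than confirmations.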


Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score 49 · First: 02.06.2026 21:21 · Last: 02.06.2026 21:21 · Sources: 1

How related: These attacks, as Sekoia also documented last week, lead to the deployment of GammaPhish, an HTML Application (HTA), which is then used to retrieve a VBScript downloader named GammaLoad.

About this happening: A **Gamaredon**-linked malware activity is using **WinRAR CVE-2025-8088** to deliver staged payloads, including **GammaPhish**, **GammaLoad**, and **GammaSteel**, against **Ukrain...

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). SHADOW-EARTH-066's chain uses crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell loader launched via cmd.exe to run GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path has also shifted from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
H score 48 · First: 11.02.2026 16:52 · Last: 11.02.2026 16:52 · Sources: 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score 52 · First: 27.01.2026 21:38 · Last: 27.01.2026 21:38 · Sources: 1

How related: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.

About this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score 54 · First: 27.01.2026 21:38 · Last: 27.01.2026 21:38 · Sources: 1

How related: It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS).

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
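The traversal in CVE-2025-8088 hides in the ADS stream name rather than the file name, so a scanner that only checks the primary name for `..` misses it. The following is an added example, not code from the page or from WinRAR, that classifies archive entry names as an archive lister would print them (`file:stream` for an NTFS stream entry); the entries are constructed, and the assumption that the lister exposes stream names in that form is the example's, not the page's.

```python
"""Flag archive entries whose stored name escapes the extraction directory, in the
primary file name or in an NTFS ADS stream name. Added example; sample entries are
constructed and the 'file:stream' listing format is an assumption."""
import re

STARTUP_MARK = "/start menu/programs/startup/"


def split_ads(name: str):
    """Split 'file:stream' into NTFS parts; a drive prefix such as C:\\ is not a stream."""
    idx = name.find(":")
    if idx == -1 or (idx == 1 and len(name) > 2 and name[2] in "\\/"):
        return name, None
    return name[:idx], name[idx + 1:]


def escapes_extract_dir(path: str) -> bool:
    """True if the path is absolute or climbs above the directory it is extracted into."""
    p = path.replace("\\", "/")
    if p.startswith("/") or re.match(r"^[A-Za-z]:", p):
        return True
    depth = 0
    for part in p.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:          # climbed above the starting directory
            return True
    return False


def classify(name: str) -> list:
    """Reasons an entry is suspicious; empty list means it extracts where it should."""
    file_part, stream = split_ads(name)
    reasons = []
    if escapes_extract_dir(file_part):
        reasons.append("filename traversal")
    if stream is not None:
        if escapes_extract_dir(stream):
            reasons.append("ads stream traversal")
        if STARTUP_MARK in stream.replace("\\", "/").lower():
            reasons.append("targets startup folder")
    return reasons


def scan(entries):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {name: r for name in entries if (r := classify(name))}


# Constructed entry names mirroring the chain shape described above: a decoy document
# whose ADS entries carry the traversal, plus benign and plain-traversal controls.
SAMPLE_ENTRIES = [
    "report.pdf",                                        # decoy document, benign
    "report.pdf:Zone.Identifier",                        # ordinary ADS, benign
    "report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "report.pdf:..\\..\\..\\AppData\\Local\\Temp\\loader.dll",
    "notes.txt:C:\\Users\\Public\\dl.vbs",               # absolute stream target
    "..\\..\\evil.exe",                                  # classic traversal, no ADS
    "C:\\Windows\\Temp\\page.hta",                       # absolute primary name
    "images\\photo.jpg",                                 # nested but contained
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(f"{name}\n    -> {', '.join(reasons)}")
```

Run this over the listing before extracting on a patched host as well: a patched WinRAR refuses the traversal, but the entry names still tell you the archive was built to exploit it, which is the signal a mail gateway or sandbox should keep.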

Timeline

  1. 09.06.2026 15:26 · 1 article

    Earth Dahu exploitation chain remains active on April 10, 2026

    Exploitation Observed

    Earth Dahu used CVE-2025-8088 in an HTA-to-VBScript infection chain that delivered espionage modules against Ukrainian organisations, and Trend Micro says RAR internal file timestamps and file naming conventions show the chain remained active through at least April 10, 2026.

  2. 09.06.2026 15:26 · 2 articles

    Trend Micro attributes WinRAR exploitation to Earth Dahu and SHADOW-EARTH-066

    Initial Disclosure

    Trend Micro attributes the WinRAR exploitation against Ukrainian organisations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), saying both groups weaponized CVE-2025-8088 after WinRAR patched it in July 2025. SHADOW-EARTH-066 used crafted RAR archives with hidden ADS payloads, a Startup-folder LNK, a PowerShell loader via cmd.exe, and in-memory DLL loading to launch GIFTEDCROOK, while Earth Dahu used an HTA-to-VBScript chain that delivered espionage modules.
