Trusted DesignTwo Russia-aligned campaigns continue exploiting CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, against Ukrainian organizations through April 2026. SHADOW-EARTH-066 deploys an evolved GIFTEDCROOK information stealer using in-memory DLL loading via direct NT system calls, harvesting browser credentials, session cookies, and documents across 35 file extensions before self-deleting. Earth Dahu employs an HTA-based infection chain delivering espionage modules through Cloudflare Workers infrastructure. Both campaigns leverage the same CVE-2025-8088 exploit but use distinct tooling: SHADOW-EARTH-066 relies on compiled C++ with RC4-encrypted C&C communication, while Earth Dahu uses script-based approaches with Dynamic DNS. The persistent exploitation nearly a year post-patch demonstrates how unmanaged software lacking centralized update mechanisms creates enduring attack surfaces that threat actors deliberately target.
Created: 2026-06-09
Indicatorsは見つかっていない。
類似するPulseは見つかりませんでした。
事実ベースの脅威アクターは見つかりませんでした。
推論ベースの脅威アクターは見つかりませんでした。
このPulseに見つかったCVEはありません。