
Russia-Aligned Groups Exploit WinRAR Flaw to Deploy Stealers in Ukraine


"how unmanaged software keeps an exploited entry point open long after the fix ships," Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said in an analysis published Monday.

CVE-2025-8088 and the July 2025 WinRAR patch

Attackers have continued to weaponize CVE-2025-8088, a WinRAR path traversal vulnerability that permits writing files outside the intended extraction directory via NTFS Alternate Data Streams (ADS). WinRAR patched the flaw in July 2025, but Trend Micro's analysis shows exploitation persisted across multiple campaigns well after that fix was released.
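The flaw described above is a file-write primitive: an archive entry whose name (or whose NTFS ADS stream name) carries `..\` components can land a file outside the directory the user extracted into. As an added example that is not code from the Trend Micro or Sekoia reports nor from WinRAR, the Python below triages the entry names an archive lister returns, which is what a mail gateway or endpoint scanner can inspect before anything is extracted. It flags plain traversal, ADS entries, traversal hidden inside a stream name, any resolved path that escapes the extraction directory, and the specific case of a shortcut landing in a Startup folder. The extraction directory and all entry names are constructed, and the way the code models where a traversal-prone extractor would write an ADS stream is this example's own assumption, not a description of WinRAR internals.

```python
"""Triage archive entry names for path traversal and NTFS ADS abuse.

Added example for this article; it is not code from the Trend Micro or
Sekoia reports or from WinRAR. It inspects only the entry names an archive
lister returns (what a mail gateway or endpoint scanner sees before
extraction). Every path and entry name below is constructed.
"""
import ntpath
import re

# Constructed extraction directory for the worked example.
EXTRACT_DIR = r"C:\Users\victim\Downloads\archive"

# A shortcut landing in any user's Startup folder runs at logon.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)


def split_ads(name: str):
    """Split 'host.pdf:stream' into (host, stream); stream is '' when absent.
    The drive-letter colon in 'C:\\...' is not an ADS separator."""
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        host, stream = rest.split(":", 1)
        return drive + host, stream
    return name, ""


def has_dotdot(fragment: str) -> bool:
    """True if any path component of the fragment is '..'."""
    return ".." in fragment.replace("/", "\\").split("\\")


def resolved_target(extract_dir: str, name: str) -> str:
    """Model where a traversal-prone extractor would write this entry.

    Assumption (this example's model, not WinRAR internals): the host file
    path is extract_dir + host, and a stream name that itself carries path
    separators is appended relative to the host file's directory, so '..'
    inside the stream walks out of the extraction directory."""
    host, stream = split_ads(name)
    host_path = ntpath.join(extract_dir, host.replace("/", "\\"))
    if stream and ("\\" in stream or "/" in stream):
        return ntpath.normpath(ntpath.join(ntpath.dirname(host_path), stream.replace("/", "\\")))
    return ntpath.normpath(host_path)


def escapes(extract_dir: str, target: str) -> bool:
    """True when the normalized target is not inside extract_dir."""
    root = ntpath.normpath(extract_dir)
    try:
        return ntpath.commonpath([root, target]) != root
    except ValueError:  # different drives or mixed absolute/relative paths
        return True


def triage_entry(extract_dir: str, name: str) -> dict:
    """Return the entry, its modeled write location, and a list of flags."""
    host, stream = split_ads(name)
    target = resolved_target(extract_dir, name)
    flags = []
    if has_dotdot(host):
        flags.append("traversal_in_name")
    if stream:
        flags.append("ads_entry")
        if "\\" in stream or "/" in stream or has_dotdot(stream):
            flags.append("traversal_in_ads_stream")  # legitimate stream names carry no separators
    if escapes(extract_dir, target):
        flags.append("writes_outside_extract_dir")
    if STARTUP_LNK_RE.search(target):
        flags.append("lnk_in_startup_folder")
    return {"name": name, "target": target, "flags": flags}


def triage_archive(extract_dir: str, names) -> list:
    """Triage every entry; return only those with at least one flag."""
    results = [triage_entry(extract_dir, n) for n in names]
    return [r for r in results if r["flags"]]


# Constructed sample listing: one decoy, one harmless ADS, two abusive entries.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"report.pdf:Zone.Identifier",
    r"report.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\..\Users\Public\loader.dll",
]

if __name__ == "__main__":
    for hit in triage_archive(EXTRACT_DIR, SAMPLE_ENTRIES):
        print(hit["flags"], "->", hit["target"])
```

The check is deliberately applied to names rather than to extracted files: once a patched extractor has refused the write there is nothing on disk to find, and on an unpatched one the write has already happened. Treating any ADS stream name that contains a path separator as hostile is safe because legitimate stream names (such as `Zone.Identifier`) never do.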

SHADOW-EARTH-066’s RAR ADS infection chain and GIFTEDCROOK

Trend Micro attributes one exploitation stream to SHADOW-EARTH-066 (aka UAC-0226). The actor shifted from Excel macro droppers to crafted RAR archives that include a decoy PDF and three hidden ADS payloads placed outside the extraction directory. One ADS is a Windows Shortcut (LNK) written into the Startup folder so it executes at user logon. That shortcut launches cmd.exe, which spawns a PowerShell loader; the loader uses in-memory DLL loading to run an updated version of the GIFTEDCROOK information stealer, delivered as "result.dll."

The GIFTEDCROOK variant targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, and Opera) and Mozilla Firefox, and it harvests documents matching specific extensions from a victim machine. Trend Micro reports that, after exfiltrating harvested data to an external server, the attack deletes malicious artifacts to hinder forensic analysis.

Earth Dahu’s HTA-to-VBScript chain: GammaPhish, GammaLoad, and GammaSteel

A second Russia-aligned group, Earth Dahu (aka Gamaredon), incorporated CVE-2025-8088 into its toolkit no later than September 2025. Trend Micro describes an HTA-to-VBScript infection chain that deploys espionage modules. According to the report — corroborated by Sekoia's findings last week — the chain drops an HTML Application (GammaPhish), which retrieves a VBScript downloader named GammaLoad.

Sekoia characterizes GammaLoad as "a collection of VBScripts designed to ensure continuous access and deploy payloads over time by leveraging Dead Drop Resolvers (DDR)." GammaLoad is used to deploy a dropper and a VBScript loader that executes GammaSteel, an information stealer capable of monitoring file changes in real time. Trend Micro notes RAR internal file timestamps and naming conventions show this chain remained active through at least April 10, 2026.

Operational change: from Telegram to dedicated command-and-control servers

A notable change observed by Trend Micro is the move away from Telegram-based exfiltration to dedicated command-and-control (C2) servers. The report describes the switch as "a key modification that likely aligns with Russia's blocking of the messaging platform in the country earlier this February." The shift alters how data leaves infected networks and modifies responder priorities for detecting outbound communications.

What this means for technologists, procurement leaders, and Ukrainian organizations

  • Technologists and security teams will need to watch for ADS-based implant delivery, LNK files appearing in Startup, PowerShell in-memory DLL execution, and indicators tied to GIFTEDCROOK, GammaLoad, and GammaSteel — all specific elements Trend Micro and Sekoia detail.
  • Procurement leaders and IT managers should note Trend Micro's central observation: WinRAR is "deeply embedded in daily operations across Ukrainian organizations," meaning unmanaged or unpatched copies can keep an exploited entry point open long after a vendor patch is available.
  • Ukrainian organizations face the immediate operational impact of both an "established state-backed group" and independently tracked clusters converging on the same software vulnerability, increasing the scale and persistence of the threat the report documents.
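The first bullet names two stages a defender can actually observe on an endpoint: an archive extractor writing a `.lnk` into a Startup folder, and, at the next logon, an explorer.exe -> cmd.exe -> powershell.exe process tree whose command line looks like an in-memory DLL loader. As an added example that is not detection content from Trend Micro or Sekoia, the Python below matches both stages against Sysmon-style telemetry. The field names follow Sysmon's Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) schema; every event value is constructed, the explorer.exe process is included as a ProcessCreate record only so the sample is self-contained, and the loader command-line markers are this example's own assumption rather than a signature published in the reports.

```python
"""Match Sysmon-style telemetry against the RAR-to-Startup-to-PowerShell chain.

Added example for this article, not detection content from Trend Micro or
Sekoia. Field names follow Sysmon's Event ID 11 (FileCreate) and Event ID 1
(ProcessCreate) schema; every event value below is constructed.
"""
import re

# Archive extractors whose writes into a Startup folder are worth a look.
ARCHIVERS = {"winrar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Command-line markers typical of a PowerShell stage that loads a DLL from memory
# rather than from disk (assumption: tuned to this chain's description, not exhaustive).
INMEM_LOADER_RE = re.compile(r"Assembly\]::Load\(|FromBase64String\(|Invoke-Expression|\bIEX\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int, depth: int) -> list:
    """Walk pid -> parent up to `depth` levels using ProcessCreate records seen so far."""
    chain = []
    while pid in procs and len(chain) < depth:
        image, ppid = procs[pid]
        chain.append(image)
        pid = ppid
    return chain


def detect(events: list) -> list:
    """Return (rule, evidence) pairs for the two observable stages of the chain:
    an archiver writing a .lnk into a Startup folder, and a logon-time
    explorer -> cmd -> powershell tree whose command line looks like an in-memory loader."""
    findings = []
    procs = {}  # ProcessId -> (image basename, ParentProcessId)
    for ev in events:
        if ev["EventID"] == 11:
            if image_name(ev["Image"]) in ARCHIVERS and STARTUP_LNK_RE.search(ev["TargetFilename"]):
                findings.append(("archiver_wrote_startup_lnk", ev["TargetFilename"]))
        elif ev["EventID"] == 1:
            procs[ev["ProcessId"]] = (image_name(ev["Image"]), ev["ParentProcessId"])
            if image_name(ev["Image"]) == "powershell.exe":
                chain = ancestry(procs, ev["ProcessId"], 3)
                if chain == ["powershell.exe", "cmd.exe", "explorer.exe"] and INMEM_LOADER_RE.search(ev["CommandLine"]):
                    findings.append(("startup_cmd_powershell_inmem_loader", ev["CommandLine"]))
    return findings


# Constructed events. A real feed would seed long-lived parents such as
# explorer.exe from a process inventory; here its ProcessCreate is included.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\archive\report.pdf"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "ProcessId": 1000, "ParentProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -c "..."'},
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "[Reflection.Assembly]::Load($bytes)"'},
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},  # benign: launched directly, no loader marker
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(rule, "->", evidence)
```

The file-creation rule fires at extraction time, before the user has logged off and on again, which is the window in which the Startup shortcut can still be removed; the process-tree rule is the fallback for the case where the archive was opened before the rule existed. Both rely on the parent process, so a feed that drops ProcessCreate records for long-lived parents needs to be seeded from a process inventory first.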

The convergence of SHADOW-EARTH-066 and Earth Dahu on CVE-2025-8088 — using distinct chains that range from RAR ADS plus in-memory DLL loading to HTA-to-VBScript downloaders leveraging DDR mechanisms — illustrates a persistent adversary strategy: exploit a common, widely used utility and then adapt multiple delivery and exfiltration methods. Trend Micro's timeline and Sekoia's corroboration make clear that, despite a July 2025 patch, the vulnerability remained an active vector through at least April 10, 2026. Closing that window, the researchers imply, depends less on a single patch and more on whether organizations can eliminate unmanaged software and the lingering access it affords adversaries.

Source: The Hacker News — WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine