ctipilot.ch

Home · Live brief · Daily brief 2026-06-10

Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain

notable research discovered 2026-06-10 05:00 UTC

Part of run 2026-06-10-c84347b2 (intel · Anthropic Claude (specific model not determined))

Trend Micro documents two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year after the fix (Trend Micro, 2026-06-08). SHADOW-EARTH-066 (UAC-0226) delivers GIFTEDCROOK via crafted RAR archives with decoy PDFs and hidden ADS payloads that extract to the Startup folder and run in-memory PowerShell DLL loaders to steal passwords, cookies and documents from Chrome, Edge, Opera and Firefox; a separate Earth Dahu chain uses an HTA-to-VBScript dropper (The Hacker News, 2026-06-09). Both actors moved C2 off Telegram to dedicated servers after Russia's February 2026 Telegram block. The defender lesson is the persistence of an exploited entry point in unmanaged software: hunt wscript.exe/mshta.exe spawned from archive-extraction events, Startup-folder writes (Sysmon EID 11), and PowerShell script-block logging (EID 4104) for in-memory reflection. CVE-2025-8088 affects any unpatched WinRAR globally; ensure deployed versions are current (T1059.005, T1547.001, T1555.003).
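The three hunts named above, written as rules over constructed Sysmon-style events; this is an added example, not code from Trend Micro or the reporting cited, and the event field names, the sample events and the choice of WinRAR.exe as the archiver parent are assumptions.

```python
import re
from typing import Iterable

# Constructed sample events (not real telemetry). EID 11 = Sysmon FileCreate,
# EID 1 = Sysmon ProcessCreate, EID 4104 = PowerShell script-block log.
SAMPLE_EVENTS = [
    {"eid": 11, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"},
    {"eid": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\u\Documents\notes.txt"},
    {"eid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"eid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 4104, "script": "$b=[Convert]::FromBase64String($d);[System.Reflection.Assembly]::Load($b)"},
    {"eid": 4104, "script": "Get-ChildItem C:\\Temp | Measure-Object"},
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ARCHIVERS = {"winrar.exe"}                    # assumption: extend with other archive tools in use
SCRIPT_HOSTS = {"wscript.exe", "mshta.exe"}
# Script-block text that decodes and reflectively loads an assembly in memory.
REFLECTION = re.compile(r"Reflection\.Assembly\]::Load\(|FromBase64String\(", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for events that match one of the three hunts."""
    hits = []
    for ev in events:
        eid = ev.get("eid")
        if eid == 11 and _base(ev["image"]) in ARCHIVERS and STARTUP_DIR.search(ev["target"]):
            hits.append(("startup_write_from_archiver", ev["target"]))
        elif eid == 1 and _base(ev["image"]) in SCRIPT_HOSTS and _base(ev["parent_image"]) in ARCHIVERS:
            hits.append(("script_host_from_archiver", ev["image"]))
        elif eid == 4104 and REFLECTION.search(ev["script"]):
            hits.append(("inmemory_loader_scriptblock", ev["script"][:60]))
    return hits


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Against the sample set, the archiver-to-Startup write, the mshta.exe child of WinRAR.exe and the reflective-load script block each fire once; the explorer.exe and notepad.exe events do not.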

“Trend Micro documents two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year after the fix (Trend Micro, 2026-06-08).” — ctipilot v2 brief (migrated)

espionage infostealer russia-nexus actively-exploited europe russia-cis CVE-2025-8088