
Dissecting Russia-Aligned Exploitation of CVE-2025-8088 in WinRAR

9 June 2026, by TechStora

Overview of CVE-2025-8088 Exploitation

The exploitation of CVE-2025-8088, a path traversal flaw in WinRAR, has persisted long after its patch release in July 2025. This vulnerability enables attackers to write files outside the intended extraction directory by leveraging NTFS Alternate Data Streams (ADS). Despite the availability of fixes, unmanaged software continues to serve as a breeding ground for exploitation. Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord have highlighted these issues in their recent analysis, underscoring how negligence in patch management provides an open door for adversaries.

Two distinct Russia-aligned groups, Earth Dahu and SHADOWEARTH066, have operationalized this flaw. Their campaigns reveal a shift in tactics, moving away from older methods such as Excel macros to more sophisticated payload delivery mechanisms. The exploitation underscores the importance of stringent software monitoring and patch application in mitigating persistent vulnerabilities.

SHADOWEARTH066's Exploit Chain

SHADOWEARTH066 has devised an exploit chain that departs from its traditional use of Excel macro droppers. The actor now distributes crafted RAR archives that pair a decoy PDF with three hidden ADS payloads. Because of the path traversal flaw, those payloads are written outside the extraction directory; infection begins with a Windows Shortcut (.LNK) file dropped into the Startup folder, which runs automatically at the next user login.

The infection process further escalates through a PowerShell loader invoked via cmd.exe, leading to in-memory DLL loading. The final payload is an updated version of the GIFTEDCROOK malware, which specializes in extracting sensitive information such as passwords and cookies from Chromium-based browsers like Chrome and Edge, as well as Firefox. Additionally, the malware targets specific document extensions for exfiltration, emphasizing its focus on high-value data.
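As an added example (not code from the article or from Trend Micro's research), the following Python triage check scans a list of archive entry names for the shape of abuse described above: NTFS ADS syntax combined with path traversal that resolves outside the extraction directory, with a landing point under the Startup folder. The extraction root and entry names are constructed; path resolution uses ntpath as an approximation of Windows normalisation, not a reimplementation of WinRAR or NTFS.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed values: an extraction root and three entry names, the last shaped like the decoy-plus-ADS entries above.
EXTRACT_ROOT = r"C:\Users\victim\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "attachments/terms.docx",
    r"invoice.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk",
]
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

@dataclass
class Finding:
    entry: str
    resolved: str                               # approximate on-disk target
    reasons: list = field(default_factory=list)

def resolve_target(extract_root: str, entry: str) -> str:
    """Join the entry to the root and apply Windows path normalisation (ntpath) so
    '..' components collapse upward. A triage approximation, not WinRAR/NTFS logic."""
    return ntpath.normpath(ntpath.join(extract_root, entry))

def is_under(root: str, path: str) -> bool:
    """Case-insensitive containment check on normalised Windows paths."""
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    path_n = ntpath.normcase(path)
    return path_n == root_n or path_n.startswith(root_n + "\\")

def triage_entry(extract_root: str, entry: str) -> Finding:
    """Flag the traits that made CVE-2025-8088 abuse possible and useful."""
    finding = Finding(entry, resolve_target(extract_root, entry))
    if ":" in ntpath.splitdrive(entry)[1]:          # NTFS ADS syntax, e.g. decoy.pdf:stream
        finding.reasons.append("ads_syntax")
    if ".." in re.split(r"[\\/:]", entry):          # '..' anywhere, even inside a stream name
        finding.reasons.append("dot_dot_component")
    if ntpath.splitdrive(entry)[0]:                 # drive-qualified entries are never legitimate
        finding.reasons.append("drive_qualified_path")
    if not is_under(extract_root, finding.resolved):
        finding.reasons.append("escapes_extraction_root")
    resolved_n = ntpath.normcase(finding.resolved)
    if STARTUP_MARKER in resolved_n or resolved_n.endswith(".lnk"):
        finding.reasons.append("startup_or_lnk_target")
    return finding

def triage_archive(extract_root: str, entries: list) -> list:
    """Return only the entries that raised at least one reason; empty means clean."""
    return [f for f in (triage_entry(extract_root, e) for e in entries) if f.reasons]
```

Feed it the entry names from any archive listing before extraction; a non-empty result is a reason to quarantine the archive rather than open it.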

Earth Dahu's Long-Term Access Strategy

Earth Dahu shows a contrasting approach, having integrated CVE-2025-8088 into its toolset since September 2025. Known for industrial-scale operations, the group prioritizes long-term access to compromised organizations, and its infection chain uses an HTA-to-VBScript mechanism, a different delivery path from the one described above.

The group's focus on persistence highlights the need for organizations to invest in robust intrusion detection and response mechanisms. By leveraging unpatched software vulnerabilities, Earth Dahu exemplifies how advanced threat actors capitalize on systemic weaknesses to maintain covert access.

Shifting Exfiltration Channels

A notable adaptation in these campaigns is the move away from Telegram as an exfiltration channel, likely because Telegram was recently blocked in Russia. Both groups have transitioned to dedicated command-and-control (C2) servers. This shift reflects an evolution in their operational security, aimed at keeping data exfiltration reliable.

The use of C2 servers not only facilitates more controlled data handling but also complicates forensic investigations. By deleting malicious artifacts post-exfiltration, the attackers effectively obscure their tracks, adding another layer of difficulty for incident response teams.

Implications for Enterprise Security

These campaigns underscore the risks posed by unmanaged software and delayed patch application. Organizations must prioritize vulnerability management to prevent such flaws from serving as entry points for adversaries. Automated update mechanisms and rigorous inventory checks can significantly reduce exposure to similar risks.

Furthermore, the advanced techniques employed by Earth Dahu and SHADOWEARTH066, including multi-layered payload delivery and in-memory malware execution, highlight the necessity for endpoint detection and response (EDR) solutions. These tools are critical in identifying and mitigating threats that bypass traditional security measures.