Russia's Cyber Units Weaponize Everyday Tools Like WinRAR to Sustain Ukraine Espionage Campaigns

The Trend Micro disclosure on CVE-2025-8088 exploitation by Earth Dahu and SHADOW-EARTH-066 reveals more than delayed patching in Ukrainian environments; it exposes the deliberate convergence of commodity software abuse with state-directed persistence operations. Both groups have shifted from earlier vectors—Gamaredon’s Excel macros and Earth Dahu’s prior HTA chains—to NTFS Alternate Data Streams that place LNK files directly in Startup folders, ensuring execution on every logon without triggering standard AV signatures. This evolution mirrors patterns seen in earlier Russian operations documented by ESET in 2023-2024, where similar path-traversal tactics targeted Ukrainian logistics and energy firms using tools like 7-Zip and PDF readers. The move away from Telegram C2 toward dedicated servers after Moscow’s February 2026 block on the platform further illustrates adaptive tradecraft that anticipates domestic policy constraints while maintaining operational reach. Sekoia’s concurrent reporting on GammaLoad’s Dead Drop Resolvers adds another layer: these VBScript-based loaders enable modular deployment of GammaSteel, which monitors file changes in real time, a capability that complements Earth Dahu’s long-term access doctrine. Mainstream coverage often frames these incidents as routine malware updates, missing the strategic signal that Russia-aligned actors treat widely deployed, poorly managed software as force multipliers in hybrid conflict. Ukrainian organizations’ heavy reliance on WinRAR for document handling creates an asymmetric advantage for attackers who need only one unpatched endpoint to establish durable footholds. The pattern suggests future campaigns will target other ubiquitous utilities—such as archive managers or office plugins—rather than novel zero-days, sustaining espionage at lower cost while Western attention remains fixed on kinetic developments.