Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

Indicators of Compromise (IoCs)
===============================