
Earth Estries alive and kicking

Published 28/10/2025 03:04 · Modified 28/10/2025 10:00


Essential information

Published
28/10/2025 03:04
Modified
28/10/2025 10:00
Tags
2025-10-28 CVE-2025-8088 shadowpad snappybee winrar
Related entities
1 vulnerability (CVE), 10 observables, 1 intrusion set (APT), 10 techniques (MITRE), 3 malware

Description

Earth Estries, a China-nexus APT actor, has launched a new campaign exploiting a recent vulnerability (CVE-2025-8088). The attack chain involves multiple stages, including encrypted stubs, hijacked DLLs, and fake PDFs that carry alternate data streams (ADS). The group, known for using implants such as ShadowPad and SnappyBee, ultimately executes shellcode at the end of this multi-stage process. The blog post provides detailed indicators of compromise, including file hashes, filenames, and network indicators. Associated YARA rules are available in the author's GitHub repository. This campaign demonstrates Earth Estries' continued activity and the ongoing evolution of its tactics, techniques, and procedures.

External references