Earth Entries alive and kicking

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Earth Estries, a China-nexus APT actor, has launched a new campaign exploiting a recent WinRAR vulnerability. The attack chain involves multiple stages, including the use of encrypted stubs, hijacked DLLs, and fake PDFs with ADS streams. The group, known for using implants like Snappybee and ShadowPad, ultimately executes shellcode through this sophisticated process. The blog post provides detailed indicators of compromise, including file hashes, filenames, and network indicators. Associated Yara rules are available on the author's GitHub repository. This campaign demonstrates Earth Estries' continued activity and evolution in their tactics, techniques, and procedures.

OPENCTI LABELS:

shadowpad,winrar,snappybee,cve-2025-8088


AI COMMENTARY:

1. The report "Earth Entries alive and kicking" marks Earth Estries' return to the threat landscape with a new campaign that capitalizes on a recently disclosed WinRAR vulnerability, CVE-2025-8088. This China-nexus APT actor has long been associated with sophisticated malware implants and targeted operations across multiple industries.

2. The initial vector leverages a weaponized WinRAR archive exploiting CVE-2025-8088. Once the archive is opened, an encrypted stub is executed, which in turn hijacks the legitimate WinRAR DLL to load additional payload components, effectively evading traditional signature-based detections.

3. Subsequent phases involve the deployment of decoy PDF files that utilize NTFS Alternate Data Streams (ADS) to conceal loader binaries. These binaries decrypt and install the Snappybee implant, which establishes a covert communication channel back to the attackers’ command-and-control servers.

4. In the campaign’s final stage, operators deploy the ShadowPad implant by injecting shellcode into memory. ShadowPad’s modular architecture allows Earth Estries to execute post-exploitation tasks ranging from data exfiltration to lateral movement, demonstrating the group’s adaptive TTPs.

5. Detailed indicators of compromise include SHA256 file hashes, suspicious filenames designed to mimic corporate documents, and network indicators such as specific domain patterns and IP addresses linked to command-and-control infrastructure. Security teams should integrate these IOCs immediately to enhance detection and response capabilities.

6. Publicly available Yara rules on the author’s GitHub repository enable defenders to identify components of this campaign. Organizations are strongly advised to apply the WinRAR security update for CVE-2025-8088, enforce rigorous ADS monitoring, and implement advanced endpoint detection solutions to prevent Snappybee and ShadowPad infections. Earth Estries’ continued innovation in attack methodology calls for proactive threat intelligence and robust defense strategies.
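Points 3 and 6 above describe decoy PDFs that hide loader binaries in NTFS Alternate Data Streams and recommend rigorous ADS monitoring. The following is an added example written for this summary, not code from the original report or from Trend Micro's research: it runs simple ADS-creation triage over Sysmon Event ID 15 (FileCreateStreamHash) records. The records are constructed JSON lines using Sysmon's field names (EventID, Image, TargetFilename, Hash); the hash values are placeholders, the archiver process name list and the choice of "benign" stream names are assumptions to tune per environment, and the file paths do not come from the report.

```python
"""Triage NTFS Alternate Data Stream creations from Sysmon Event ID 15 records.

Added example for the OpenCTI summary above; not the report's own code.
Sample events are constructed and their hashes are placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Streams that Windows, browsers and archivers create routinely (mark-of-the-web
# and macOS metadata). Alerting on these alone would be pure noise.
BENIGN_STREAMS = {"zone.identifier", "smartscreen", "afp_afpinfo", "afp_resource"}
# Stream names that suggest a PE or script payload rather than metadata.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".ps1", ".bat")
# Host-file extensions used as decoys in the campaign description (fake PDFs).
DECOY_HOST_SUFFIXES = (".pdf",)
# Archive utilities whose non-metadata stream writes deserve a look
# (assumption: process image file name, case-insensitive).
ARCHIVER_IMAGES = ("winrar.exe",)

# Matches "C:\dir\file.pdf:stream" or "C:\dir\file.pdf:stream:$DATA".
# The default unnamed stream, "file.pdf::$DATA", is not an ADS and must not match.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:[^:]*):(?P<stream>[^:]+?)(?::\$DATA)?$")


@dataclass(frozen=True)
class Finding:
    host: str    # file that carries the stream
    stream: str  # alternate stream name
    image: str   # process that wrote it
    reason: str  # why it was flagged


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious ADS creation, otherwise None."""
    if event.get("EventID") != 15:
        return None
    m = ADS_RE.match(event.get("TargetFilename", ""))
    if not m:
        return None  # ordinary file write, no alternate stream involved
    host, stream = m.group("host"), m.group("stream")
    image = event.get("Image", "")
    stream_l, host_l = stream.lower(), host.lower()
    image_name = image.lower().rsplit("\\", 1)[-1]

    # Mark-of-the-web propagation by a browser or archiver is expected behaviour.
    if stream_l in BENIGN_STREAMS:
        return None
    if stream_l.endswith(EXEC_SUFFIXES):
        reason = "executable-looking stream name"
    elif host_l.endswith(DECOY_HOST_SUFFIXES):
        reason = "document file carrying a non-metadata stream"
    elif image_name in ARCHIVER_IMAGES:
        reason = "archiver wrote a non-metadata stream"
    else:
        return None
    return Finding(host, stream, image, reason)


def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines Sysmon events and return the suspicious ADS findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (raw string, so "\\" reaches the JSON parser intact).
SAMPLE_EVENTS = r'''
{"EventID": 15, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\Report.pdf:Zone.Identifier", "Hash": "SHA256=PLACEHOLDER"}
{"EventID": 15, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice.pdf:Zone.Identifier", "Hash": "SHA256=PLACEHOLDER"}
{"EventID": 15, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\Contract.pdf:loader.dll", "Hash": "SHA256=PLACEHOLDER"}
{"EventID": 11, "Image": "C:\\Windows\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}
{"EventID": 15, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\brief.pdf:config", "Hash": "SHA256=PLACEHOLDER"}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f.reason}: {f.host} -> :{f.stream} (written by {f.image})")
```

On the constructed input, the two Zone.Identifier writes (one of them by WinRAR, which legitimately propagates mark-of-the-web) and the plain file write are ignored, while the PDF carrying a `loader.dll` stream and the PDF carrying an unnamed `config` stream are reported. Feed real events from a Sysmon configuration that enables FileCreateStreamHash, and extend BENIGN_STREAMS only with stream names you have verified are produced by trusted software in your environment.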
