result.dll

We track the binary payload chain (CVE-2025-8088 to LNK to PowerShell to result.dll ) under SHADOW-EARTH-066 ... Earth Dahu uses Cloudflare Workers as a C&C proxy and relies on script-based tooling (HTA, VBScript, PowerShell).

The two campaigns examined in this report share the same initial exploit (CVE-2025-8088) and overlapping victimology... Despite CVE-2025-8088 was patched in WinRAR 7.13 in July 2025, yet at the time of writing, multiple threat actor groups continued to build new exploit samples with fresh lure documents and use this vulnerability as a reliable initial access vector against Ukrainian organizations.

We track the binary payload chain (CVE-2025-8088 to LNK to PowerShell to result.dll ) under SHADOW-EARTH-066

We track the binary payload chain (CVE-2025-8088 to LNK to PowerShell to result.dll ) under SHADOW-EARTH-066

SHADOW-EARTH-066 communicates with direct IP-based C&C servers and delivers a compiled x86-64 DLL with PEB-walk API resolution and RC4-encrypted strings.

SHADOW-EARTH-066 communicates with direct IP-based C&C servers and delivers a compiled x86-64 DLL with PEB-walk API resolution and RC4-encrypted strings.

SHADOW-EARTH-066 communicates with direct IP-based C&C servers ... Earth Dahu uses Cloudflare Workers as a C&C proxy ... C&C infrastructure pattern (Dynamic DNS with Cloudflare Workers) are identical.

Our analysis confirms that result.dll is a direct evolution of GIFTEDCROOK, the stealer that CERT-UA attributed to UAC-0226 in April 2025. The two share the same compiler toolchain, cryptographic framework, anti-analysis checks, and exfiltration protocol... SHADOW-EARTH-066 uses it to deploy an evolved information stealer