Patch Now: APTs Continue to Pummel WinRAR Bug

Published: 23/11/2024   Category: security
State-sponsored cyber-espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's installed base.



State-sponsored threat actors from Russia and China continue to exploit the remote code execution (RCE) WinRAR vulnerability on unpatched systems to deliver malware to targets.

Researchers at Google's Threat Analysis Group (TAG) have been tracking attacks in recent weeks that exploit CVE-2023-38831 to deliver infostealers and backdoor malware, particularly to organizations in Ukraine and Papua New Guinea. The flaw is a known and patched vulnerability in RarLab's popular WinRAR file archiver tool for Windows, but systems that haven't been updated remain vulnerable.

"TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations," Kate Morgan from Google TAG wrote in a blog post.

Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR, according to Google TAG. On Sept. 6, Sandworm launched an email campaign impersonating a Ukrainian drone warfare training school, using an invitation to join the school as a lure.

The infamous APT28 (aka Frozenlake, Fancy Bear, Strontium, or Sednit), another Russia-backed group, also used the flaw to deliver malware targeting energy infrastructure in Ukraine, via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.

Meanwhile, a phishing campaign from the China-backed group IslandDreams (APT40) delivered infostealers to users in Papua New Guinea.

RarLab issued a beta patch for the issue on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2, but many systems remain vulnerable and thus ripe for exploitation, Morgan noted. "After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage," she wrote.

Group-IB discovered CVE-2023-38831 — a logical vulnerability within WinRAR — in July. However, APT groups already had been exploiting the flaw as a zero-day bug since April — including one campaign by the Russia-backed threat group Evilnum that used weaponized ZIP files to target cryptocurrency traders.

The flaw becomes exploitable when the temporary file expansion that happens during archive processing is combined with a quirk in the implementation of Windows ShellExecute when it attempts to open a file whose extension contains spaces, according to Google TAG. "The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive," Morgan wrote.
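The structural tell of a CVE-2023-38831 archive, as the paragraph above describes it, is a decoy file whose name ends in a space sitting beside a directory of the exact same name, with the real payload inside that directory. The following detection script is an added example written for this article; it is not Google TAG's, Group-IB's or RarLab's code. It inspects ZIP entry names for that pairing and reports what sits in the twin directory, ranking the finding by whether any of those files carry an extension Windows would execute. The two in-memory archives it checks are constructed fixtures: the "payload" in the suspect one is a plain-text placeholder, not a script, and the file names are invented.

```python
import io
import posixpath
import zipfile

# File types Windows runs rather than opens when handed to ShellExecute.
# Used only to rank a finding; the name pairing alone is what triggers it.
EXECUTABLE_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk"}


def _directories_in(names):
    """Every directory in the archive: explicit entries plus those implied by paths."""
    dirs = set()
    for name in names:
        parts = name.rstrip("/").split("/")
        depth = len(parts) if name.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            dirs.add("/".join(parts[:i]))
    return dirs


def find_cve_2023_38831_pattern(archive_bytes):
    """Flag each file whose name ends in a space and that has a same-named directory.

    Opening such a decoy makes WinRAR expand the twin directory into the temp folder,
    and ShellExecute, given the space-terminated name, resolves to the payload inside it.
    Returns one finding per decoy, listing the files found in the twin directory.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = [n for n in names if not n.endswith("/")]
    dirs = _directories_in(names)
    findings = []
    for decoy in files:
        if not decoy.endswith(" ") or decoy not in dirs:
            continue
        inside = [f for f in files if f.startswith(decoy + "/")]
        executable = [
            f for f in inside
            if posixpath.splitext(f.rstrip())[1].lower() in EXECUTABLE_EXTENSIONS
        ]
        findings.append({
            "decoy": decoy,
            "payloads": inside,
            "severity": "high" if executable else "medium",
        })
    return findings


def build_fixture(entries):
    """Build an in-memory ZIP from {name: bytes}; used here only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: decoy "invitation.pdf " plus a directory of the same name.
# The inner file is an inert text placeholder, not a script.
SUSPECT_ARCHIVE = build_fixture({
    "invitation.pdf ": b"%PDF-1.4 constructed decoy, not a real document",
    "invitation.pdf /invitation.pdf .cmd": b"constructed placeholder text, not a script",
})

# Constructed sample with ordinary names; must produce no finding.
BENIGN_ARCHIVE = build_fixture({
    "invitation.pdf": b"%PDF-1.4 constructed benign document",
    "images/logo.png": b"\x89PNG constructed",
})


if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        print(label, find_cve_2023_38831_pattern(data))
```

The check works on entry names alone, so it runs on mail gateways or file shares without extracting anything, and it is independent of the file type of the decoy (PDF, PNG or otherwise). A name ending in a space with no twin directory is still unusual and worth logging, but it is not the exploit structure, so this script does not flag it.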
Later, mere hours after Group-IB posted its blog post outlining its discovery and analysis of the flaw, proof-of-concept exploits (PoCs) — including fake ones — and exploit generators appeared in public GitHub repositories. These fueled further and ongoing attacks on vulnerable systems.

In the Sandworm attack, the messages included a link to an anonymous file-sharing service, fex[.]net, which in turn delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The file's payload was Rhadamanthys, a commodity infostealer that can exfiltrate, among other things, browser credentials and session information. Google TAG noted that use of commodity malware is not typical of Sandworm.

Meanwhile, Google TAG observed APT28 using a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks, and then on to yet another stage, which would ensure the visitor was coming from an IPv4 address in Ukraine. At this point the user would be prompted to download a file containing a CVE-2023-38831 exploit.

In late July and early August, the researchers also observed an APT28 attack that dropped the PowerShell script IronJaw, which steals browser login data and local state directories. The attack vector — which drops a BAT file that opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address — was a new addition to the APT's toolkit, according to Google TAG.

Google TAG has linked a fourth recent WinRAR attack to China-backed IslandDreams — which is also tracked as Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp — through a phishing campaign in late August that targeted users in Papua New Guinea. The phishing emails included a Dropbox link to a ZIP archive containing a CVE-2023-38831 exploit in the form of a password-protected decoy PDF and an LNK file, which led to a next-stage payload known as Islandstager.

The Islandstager payload executes and decodes several layers of shellcode, the last of which loads and executes the final payload, BOXRAT, a .NET backdoor that uses the Dropbox API as a command-and-control mechanism.

Google TAG included indicators of compromise (IOCs) for the various attack scenarios to help users identify whether their systems have been targeted.

In the meantime, WinRAR users are urged to update their systems if they haven't already, as the campaigns highlight yet again the importance of timely patching — something that still seems to be a global challenge for software users, Morgan noted. "These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date," she wrote.