Not surprisingly, WinRAR vulnerability is actively exploited

published: Oct. 18, 2023

Take action: If you haven't updated your WinRAR to the latest version, do it now. Maybe you are still lucky and the hackers haven't targeted you yet.

Learn More

Google's Threat Analysis Group has issued a warning about an actively exploited vulnerability in the file archiving and compression software WinRAR, known as CVE-2023-38831, which affects versions of WinRAR prior to 6.23.

The vulnerability in allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

This vulnerability was initially detected in April, and despite a patch being released, many users remain vulnerable due to the flaw in WinRAR's file extraction logic, enabling attackers to execute malicious code on a user's system when trying to view a file within a ZIP archive using WinRAR.

Allegedly state-sponsored and financially motivated hacking groups have been exploiting this vulnerability, with two notable groups, Frozenbarents and Frozenlake, linked to Russia's GRU agency, known for impersonating a Ukrainian training school and targeting Ukrainian government organizations, especially the country's energy infrastructure.

Islanddreams, another group believed to have ties to Chinese groups, also exploited the vulnerability to target Papua, New Guinea, using phishing emails with Dropbox links to ZIP archives.

While Rarlab GmbH, the developer of WinRAR, issued another patch in August for an ever higher severity vulnerability, the persistence of malicious campaigns exploiting an old vulnerability indicates that many users haven't updated their WinRAR despite all warnings.

Update - During November, APT29 hacking group has been conducting cyberattacks against embassies by exploiting the WinRAR vulnerability and using Ngrok's static domains to disguise communication with their command and control servers. This campaign uses a mix of old phishing tactics - claiming to sell diplomatic vehicles - as well as new techniques to remain undetected while delivering malicious payloads.

Not surprisingly, WinRAR vulnerability is actively exploited