WinRAR Path Traversal Vulnerability (CVE-2023-38831): Ongoing Exploitation by APTs and Cybercriminals
- Rescana

Executive Summary
A critical flaw in WinRAR (CVE-2023-38831), which lets a crafted archive run code as soon as a user opens a harmless-looking file inside it, continues to be actively exploited by a diverse array of threat actors, from advanced persistent threat (APT) groups to financially motivated cybercriminals. Despite a fix in WinRAR 6.23 (August 2023), exploitation remains widespread because WinRAR has no automatic update mechanism and unpatched copies persist on many endpoints. The same actors have since paired WinRAR lures with newer archive-extraction bugs that write files outside the chosen extraction directory, dropping payloads into locations such as the Windows Startup folder to obtain persistent code execution. This advisory provides a technical analysis of the vulnerability, details of threat actor tactics, techniques, and procedures (TTPs), real-world exploitation scenarios, victimology, and actionable mitigation strategies.
Threat Actor Profile
Multiple threat actors are leveraging the WinRAR path traversal vulnerability, with notable campaigns attributed to the RomCom APT (also known as Storm-0978, Tropical Scorpius, UNC2596), StrongPity (PROMETHIUM), and BlindEagle. RomCom is a Russia-aligned group known for both espionage and cybercrime, targeting sectors such as finance, defense, and logistics across Europe and North America. StrongPity is a Turkish-speaking APT active since at least 2012, notorious for delivering trojanized versions of legitimate software, including WinRAR. BlindEagle is a Spanish-speaking group active in South America, particularly Colombia, and is known for sophisticated phishing campaigns. Additionally, open-source and commercial threat intelligence sources report opportunistic exploitation by other, less well-attributed actors, including cybercriminals targeting cryptocurrency traders and government entities.
Technical Analysis of Malware/TTPs
Despite the "path traversal" label, CVE-2023-38831 does not rely on ..\..\ sequences. The flaw lies in how WinRAR 6.22 and earlier handle an archive that contains both a benign-looking file (for example Invoice.pdf, typically stored with a trailing space) and a folder of the same name that holds a script such as Invoice.pdf .cmd. When the victim double-clicks the decoy in the WinRAR window, WinRAR extracts the matching entries to a temporary folder and, because of the name collision, the script in the folder is handed to ShellExecute instead of the document. The result is code execution with the user's privileges from a single click on what looks like a PDF or JPG; the victim never has to extract the archive. Because that extraction stays inside WinRAR's temporary folder, this bug alone cannot plant files in the Startup folder. The Startup-folder drops seen in the later campaigns below come from a separate extraction-path traversal bug in newer WinRAR releases (CVE-2025-8088, fixed in WinRAR 7.13), in which a crafted member path causes extraction to write outside the target directory. The two are frequently conflated in reporting, which is why patch status should be judged against the current release rather than against 6.23.
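The following is an added example, not code from this advisory or from WinRAR: a Python scanner that walks an archive's member list and flags both structural tricks described above, the decoy-plus-same-name-folder layout of CVE-2023-38831 and traversal, absolute-path or alternate-data-stream syntax in member paths. It inspects names only and never extracts anything, so it can be run on quarantined attachments. The fixture archive is constructed inside the script with a harmless script body; the entry names and the extension list are the author's choices, and the same function can be fed `rarfile.infolist()` entries for .rar files on the assumption that the caller maps each entry to `(name, is_dir)`.

```python
"""Flag archive layouts associated with WinRAR lures: the CVE-2023-38831
decoy/folder name collision and traversal or ADS syntax in member paths.
Added example with a constructed fixture; names are inspected, nothing is
extracted."""
import io
import re
import zipfile

# Extensions that WinRAR/Windows would execute from the shadowed folder (author's list).
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".wsf", ".scr", ".lnk")


def _norm(name: str) -> str:
    """Forward slashes, and drop the trailing spaces WinRAR ignores when matching names."""
    return "/".join(p.rstrip(" ") for p in name.replace("\\", "/").split("/"))


def analyze_entries(entries) -> list:
    """entries: iterable of (member_name, is_dir) from the archive listing.

    Returns a list of human-readable findings (empty when nothing is suspicious)."""
    findings, files, dirs = [], set(), set()
    for name, is_dir in entries:
        path = name.replace("\\", "/")
        parts = [p for p in path.split("/") if p]
        if ".." in parts:
            findings.append(f"traversal sequence in member path: {name!r}")
        if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
            findings.append(f"absolute member path: {name!r}")
        if any(":" in p for i, p in enumerate(parts)
               if not (i == 0 and re.fullmatch(r"[A-Za-z]:", p))):
            findings.append(f"alternate data stream syntax in member name: {name!r}")
        key = _norm(name).rstrip("/")
        (dirs if is_dir or path.endswith("/") else files).add(key)
    # CVE-2023-38831 layout: a file and a folder that resolve to the same name,
    # with something executable inside the folder.
    for shadowed in sorted(dirs & files):
        scripts = sorted(f for f in files
                         if f.startswith(shadowed + "/") and f.lower().endswith(SCRIPT_EXTS))
        if scripts:
            findings.append(f"CVE-2023-38831 layout: decoy {shadowed!r} shadows a folder "
                            f"containing {scripts[0]!r}")
        else:
            findings.append(f"file and folder share a name: {shadowed!r}")
    return findings


def scan_zip_bytes(data: bytes) -> list:
    """Run analyze_entries over a ZIP held in memory (WinRAR opens ZIP as well as RAR)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return analyze_entries((zi.filename, zi.is_dir()) for zi in zf.infolist())


def build_fixture_archive() -> bytes:
    """Constructed test archive mirroring the lure layout, with a harmless script body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.pdf ", b"%PDF-1.4 decoy")          # decoy with trailing space
        zf.writestr("Invoice_2023.pdf /", b"")                        # folder with the same name
        zf.writestr("Invoice_2023.pdf /Invoice_2023.pdf .cmd", b"@echo harmless\r\n")
        # A member path of the kind the newer extraction-traversal bugs abuse to reach Startup.
        zf.writestr("..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
                    "\\update.lnk", b"L\x00\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_fixture_archive()):
        print(finding)
```

The 2023 lures were as often ZIP as RAR, since WinRAR registers itself for both; the layout check is what matters, not the container. The trailing-space normalisation is the important detail: a naive comparison of raw names misses the collision because the decoy and the folder differ from the file inside only by that space.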
Malware delivered via this vector includes a range of payloads:
- Mythic agent: uses COM hijacking through registry manipulation for persistence and communicates with C2 infrastructure such as srlaptop[.]com.
- SnipBot variant: a modified build of PuTTY CAC with anti-analysis techniques such as checking for recent document activity, with C2 at campanole[.]com.
- RustyClaw/MeltingClaw: Rust-based downloaders with C2 at melamorri[.]com and gohazeldale[.]com.
- Remcos RAT and Agent Tesla: commodity remote access trojans used by groups such as BlindEagle.
Persistence is typically achieved by writing a malicious LNK file into the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), so the payload runs at the next user logon without any further interaction. The LNK points at additional payloads staged in %TEMP% or %LOCALAPPDATA%. Many samples carry invalid or self-signed Authenticode signatures so that they pass superficial "is it signed" checks. Some campaigns add anti-sandbox and anti-VM checks, such as confirming that the host has a history of recently opened documents or that a hardcoded domain resolves, so that the payload aborts inside automated analysis systems.
Exploitation in the Wild
Since Group-IB discovered the flaw in July 2023, it has been weaponized in a variety of campaigns. Group-IB traced exploitation back to April 2023, when malicious archives posted on trading forums were used to compromise the trading accounts of cryptocurrency and stock traders; in October 2023 Google's Threat Analysis Group (TAG) reported several government-backed actors using the same exploit against government and other organizations. Attackers typically deliver malicious archives via spearphishing emails, often masquerading as job applications, government correspondence, or financial documents. In the 2025 RomCom campaigns, for example, emails with subjects such as "Experienced Web3 Developer – CV Attached for Consideration" or "Application for Job Openings" carried attachments named Eli_Rosenfeld_CV2 - Copy (10).rar or JobDocs_July2025.rar.
In the campaigns that abuse the newer extraction bug, simply extracting the archive writes a LNK file into the Startup folder and the payload into a user-writable directory; no double-click on a decoy is needed. The chain completes at the next logon, when the LNK launches the payload and it connects to attacker-controlled C2 infrastructure. Some campaigns are highly targeted, focusing on specific organizations or sectors, while others use broad phishing waves to compromise as many victims as possible.
Victimology and Targeting
Victims span a wide range of sectors and geographies. High-profile targets include financial institutions, defense contractors, logistics companies, and government agencies in Europe, North America, South America (notably Colombia), the Middle East (including Egypt, Syria, Turkey, Algeria, Lebanon, Armenia, Iran), and the Asia-Pacific region (notably Vietnam). RomCom and StrongPity have focused on organizations with strategic value, while BlindEagle and other cybercriminals have targeted individuals and businesses for financial gain, including cryptocurrency traders and private sector employees. The use of localized lures and language-specific phishing emails indicates a high degree of operational sophistication and targeting.
Mitigation and Countermeasures
Immediate mitigation is to update WinRAR. Version 6.23 (August 2023) fixes CVE-2023-38831, but because the campaigns described above also abuse extraction-path bugs fixed only in later releases, the target should be the current WinRAR release (7.13 or later at the time of writing). WinRAR has no auto-update mechanism, so the upgrade must be pushed through software deployment tooling and verified by inventory of the installed version rather than by asking users. Organizations should also update any product that embeds UnRAR.dll or the portable UnRAR source code, since the same archive-handling code ships inside many third-party tools. Security teams should block or quarantine archive attachments from untrusted sources at the mail gateway and educate users about the risks of opening unsolicited archives.
Network and endpoint monitoring should alert on the listed indicators of compromise (IOCs), including file hashes and DNS or proxy requests for the C2 domains gohazeldale[.]com, srlaptop[.]com, melamorri[.]com, and campanole[.]com. Regularly review both Startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for the current user and %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp for all users) and user-writable directories such as %TEMP% and %LOCALAPPDATA% for unexpected LNK, DLL, or EXE files, and treat a WinRAR process writing into either Startup path as a high-confidence detection. Employ application allowlisting and endpoint detection and response (EDR) solutions to prevent unauthorized code execution. Finally, maintain a patch management process that explicitly covers third-party software without built-in updaters.
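Added example, not from this advisory: a Python parser for the Windows shortcut format that pulls the target path and arguments out of a .lnk without resolving it through the shell, plus a scan of both Startup folders that applies the checks suggested here and in the persistence discussion earlier (targets or arguments under %LOCALAPPDATA%, %APPDATA%, %ProgramData% or the Windows temp directory, script hosts launched with arguments, and non-shortcut executables dropped straight into Startup). The field layout follows MS-SHLLINK; the directory and script-host lists and the fixture builder are the author's constructions, and the fixture shortcuts are constructed here rather than taken from any real sample.

```python
"""Parse Windows shortcut (.lnk) files and flag traits of dropped persistence
shortcuts. Added example with a constructed fixture; the field layout follows
MS-SHLLINK."""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
# Author's lists: locations a user can write to, and hosts that run scripts/payloads.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "msiexec.exe")


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Return the local target path and StringData fields without resolving the link."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {key: None for _, key in STRING_FIELDS}
    info["target"] = None
    pos = 76
    if flags & HAS_ID_LIST:                       # skip the PIDL; LinkInfo carries the path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 1:                          # VolumeIDAndLocalBasePath
            info["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += size
    for flag, key in STRING_FIELDS:               # StringData blocks appear in this fixed order
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += n * width
    return info


def assess_lnk(data: bytes) -> list:
    """Reasons a Startup-folder shortcut deserves a closer look (empty if none)."""
    info = parse_lnk(data)
    target = (info["target"] or info["relative_path"] or "").lower()
    args = info["arguments"] or ""
    reasons = []
    if not target:
        reasons.append("no local target path recorded")
    if any(d in target + " " + args.lower() for d in USER_WRITABLE):
        reasons.append("target or arguments reference a user-writable directory")
    if target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS and args:
        reasons.append(f"script host invoked with arguments: {args[:80]}")
    return reasons


def scan_startup_folders() -> dict:
    """Assess everything in the per-user and all-users Startup folders (Windows only)."""
    results = {}
    for env, tail in (("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
                      ("PROGRAMDATA", r"Microsoft\Windows\Start Menu\Programs\StartUp")):
        folder = os.path.join(os.environ.get(env, ""), tail)
        if not os.path.isdir(folder):
            continue
        for entry in os.scandir(folder):
            lower = entry.name.lower()
            if lower.endswith(".lnk"):
                with open(entry.path, "rb") as fh:
                    results[entry.path] = assess_lnk(fh.read())
            elif lower.endswith((".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1")):
                results[entry.path] = ["executable dropped directly into Startup folder"]
    return results


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Construct a minimal shortcut for testing (fixture, not a real-world sample)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    base, suffix = target.encode("latin-1") + b"\x00", b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 1, 0x1C, base_off, 0, suffix_off)
    string_data = (struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")) if arguments else b""
    return header + link_info + volume_id + base + suffix + string_data


if __name__ == "__main__":
    for path, reasons in scan_startup_folders().items():
        print(path, reasons or "ok")
```

Parsing the file rather than resolving it via WScript.Shell avoids the shell's link-tracking and icon lookups, which can touch the target or its volume; it also works on shortcuts collected from a disk image during forensics, where the target path no longer exists.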
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and address vulnerabilities, ensuring robust protection against evolving cyber threats. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, we are happy to answer questions at ops@rescana.com.


