Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

[CVSS 7+] Multiple Threat Actors Exploit WinRAR Vulnerability

Executive Summary

Google Threat Analysis Group (TAG) has detected state-backed threat actors from Russia and China exploiting a security flaw in the WinRAR archiver tool for Windows.

The vulnerability, known as CVE-2023-38831, allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The activities have been attributed to three different clusters tracked by TAG. These threat actors have been launching phishing attacks and distributing malicious ZIP files to exploit the WinRAR flaw.

The fix for the vulnerability is available. It is crucial to update WinRAR to the latest version (v6.23) as soon as possible to prevent attacks.

About the Vulnerability

CVE-2023-38831, with a CVSS score of 7.8, allows attackers execute arbitrary code when a user attempts to view a benign file within a ZIP archive.

When a user opens the decoy file in WinRAR, a malicious script is executed, allowing the installation of malware such as DarkMe, GuLoader, and/or Remcos RAT.

To address this vulnerability, RARLAB has released a fix in the latest WinRAR update (v6.23). The flaw has been exploited in the wild since April 2023. Despite the availability of patches, the widespread exploitation suggests that there are still many instances that have not been patched.

About the Attacks

Attacks by State-backed Threat Actors:

CVE-2023-38831 has been exploited by state-backed threat actors from Russia and China. TAG identified these activities and linked them to three main groups: FROZENBARENTS (Sandworm), FROZENLAKE (APT28), and ISLANDDREAMS (APT40).

Attacks by Financially Motivated Attackers:

The same WinRAR flaw, CVE-2023-38831, was exploited to target traders, leading them to install malware which allowed attackers to siphon money from their broker accounts. Group-IB discovered that at least 130 traders were affected by the malware. The decoy files would install DarkMe, GuLoader, and Remcos RAT malware, giving remote access to the attacker. These financially motivated attackers reached out to traders on specialized forums, providing harmful files even after forum administrators warned of their presence.


To mitigate the risks associated with CVE-2023-38831, it is recommended to:

  • Update WinRAR to the latest version (v6.23) that includes the fix.
  • Be cautious when opening ZIP archives, especially from unknown or untrusted sources.
  • Regularly update and maintain robust antivirus and anti-malware software.
  • Stay informed about the latest security vulnerabilities and apply patches promptly.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.