On August 23, 2023, Group-IB published research revealing that a zero-day vulnerability in WinRAR had been actively exploited since at least April 2023. CVE-2023-38831 allowed attackers to craft ZIP archives that, when opened in WinRAR, would execute arbitrary code when a user clicked on what appeared to be a harmless file like a JPEG image or PDF document.
WinRAR has over 500 million users worldwide. The vulnerability was being exploited for at least four months before it was patched.
How the Exploit Works
The vulnerability exploits a quirk in how WinRAR processes ZIP archives containing files and folders with the same name. Here's the attack flow:
- The attacker creates a ZIP archive containing a benign-looking file (e.g., photo.jpg) and a folder with the same name plus a trailing space (e.g., "photo.jpg /").
- Inside that folder, the attacker places a malicious executable or script.
- When the victim opens the archive in WinRAR and double-clicks photo.jpg, WinRAR incorrectly processes the file, executing the malicious content from the similarly-named folder instead of (or in addition to) opening the benign file.
The user sees a normal-looking image or document open, but in the background, malware has been installed. The exploitation is entirely user-driven—no exploit chains or privilege escalation needed beyond convincing someone to open a file.
Exploitation in the Wild
Group-IB identified the vulnerability while investigating attacks on trading forums. Threat actors were distributing weaponized ZIP archives on forums frequented by financial traders, disguising the malicious archives as trading strategies, market analysis documents, and broker registration forms.
The archives contained what appeared to be PDFs or images, but double-clicking them would install one of several malware families:
- DarkMe: A Visual Basic trojan associated with the Water Hydra (DarkCasino) APT group
- GuLoader: A shellcode-based downloader used to deliver further payloads
- Remcos RAT: A commercial remote access trojan used for surveillance and data theft
At least 130 trader accounts on various forums were confirmed as compromised. The financial motivation was clear: the attackers were using access to trading accounts to steal money directly.
Multiple Threat Actors
The interesting aspect of CVE-2023-38831 exploitation is the diversity of threat actors using it. After Group-IB's disclosure, Google's Threat Analysis Group (TAG) reported that multiple government-backed hacking groups had adopted the exploit:
- Sandworm (Russia/GRU): Used weaponized WinRAR archives in phishing campaigns targeting Ukrainian entities
- APT28/Fancy Bear (Russia/GRU): Deployed the exploit in spear-phishing campaigns against European organizations
- APT40 (China): Incorporated the exploit into campaigns targeting organizations in Papua New Guinea
The rapid adoption by nation-state actors after the initial criminal use shows how quickly zero-day exploits propagate through the threat landscape. Once one group demonstrates a working exploit, others reverse-engineer it or acquire it through underground markets.
The Patch and Aftermath
RARLAB released WinRAR version 6.23 on August 2, 2023, which fixed CVE-2023-38831. However, several factors complicated remediation:
No automatic updates. WinRAR doesn't have an automatic update mechanism. Users must manually download and install new versions. This means millions of users remained vulnerable for months after the patch was available.
Widespread use of pirated copies. WinRAR's "try before you buy" model means many users run unregistered or pirated versions that are never updated. These installations will remain vulnerable indefinitely.
Alternative archiving tools also affected. While the CVE was assigned specifically to WinRAR, the underlying ZIP processing issue raised questions about whether other archiving tools handled similar edge cases correctly.
CISA added CVE-2023-38831 to the Known Exploited Vulnerabilities catalog on October 4, 2023, mandating that federal agencies address the vulnerability.
Why This Matters for Enterprise Security
WinRAR might seem like an unlikely attack vector for enterprise environments, but the reality is different:
It's everywhere. WinRAR is installed on millions of corporate desktops, often without IT awareness. It may have been installed by users, bundled with other software, or inherited from system images.
Archives bypass email filters. Many email security gateways don't deeply inspect the contents of ZIP archives, especially password-protected ones. Weaponized archives are a reliable way to get malware past perimeter defenses.
User behavior is predictable. People open archives and click on files inside them. It's a core workflow. Unlike macro-enabled Office documents (where users have been trained to be suspicious), opening a JPEG from a ZIP file feels safe.
Shadow IT creates blind spots. Organizations that mandate 7-Zip or other archiving tools may still have WinRAR installed on systems they don't track. Without comprehensive software inventory, you can't ensure all instances are patched.
Detection and Response
Detecting CVE-2023-38831 exploitation requires monitoring for:
- WinRAR spawning unexpected child processes, particularly PowerShell, cmd.exe, or script interpreters
- Archives containing files and folders with matching names (plus trailing spaces)
- Network connections initiated shortly after WinRAR execution
YARA rules and Sigma detection rules were published by multiple security vendors within days of the disclosure.
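The second indicator above (a file and a folder whose names differ only by trailing whitespace) can be checked directly against an archive's central directory before it reaches a user. The script below is an added example, not code from the original post or from any vendor's rule set; it uses only the standard library, builds a constructed sample archive in memory (the inner file is a harmless text placeholder, not a script), and also flags exact file/folder name collisions, which are equally impossible on a real filesystem.

```python
import io
import zipfile


def build_sample_archive(include_collision: bool = True) -> bytes:
    """Constructed test fixture mirroring the layout described in the post:
    a file "photo.jpg" beside a folder "photo.jpg " (trailing space)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 fake JPEG header")
        zf.writestr("readme.txt", b"benign")
        zf.writestr("docs/report.pdf", b"%PDF-1.4 benign")
        if include_collision:
            # Explicit directory entry plus one placeholder file inside it.
            zf.writestr(zipfile.ZipInfo("photo.jpg /"), b"")
            zf.writestr("photo.jpg /inner.txt", b"placeholder, not a script")
    return buf.getvalue()


def find_name_collisions(data: bytes) -> list[tuple[str, str]]:
    """Return sorted (file_path, folder_path) pairs where a folder's name,
    once trailing whitespace is stripped, equals a sibling file's name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [zi.filename for zi in zf.infolist()]
    # Regular file entries; directory entries end with "/" in ZIP.
    files = {n for n in names if not n.endswith("/")}
    hits = set()
    for name in names:
        parts = name.split("/")
        # Every component except the last names a directory; for explicit
        # directory entries ("x/") the last component is empty anyway.
        for depth in range(1, len(parts)):
            folder = parts[depth - 1]
            stripped = folder.rstrip()
            if not stripped:
                continue
            parent = "/".join(parts[: depth - 1])
            prefix = parent + "/" if parent else ""
            sibling = prefix + stripped
            if sibling in files:
                hits.add((sibling, prefix + folder + "/"))
    return sorted(hits)


if __name__ == "__main__":
    for file_path, folder_path in find_name_collisions(build_sample_archive()):
        print(f"suspicious: file {file_path!r} shadows folder {folder_path!r}")
```

Run it over archives quarantined by a mail gateway or dropped into a shared folder; any hit is worth a closer look regardless of which archiver the recipient uses, since the layout has no legitimate purpose.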
How Safeguard.sh Helps
Safeguard.sh maintains comprehensive software inventory across your organization's endpoints, including commonly overlooked applications like WinRAR. Our platform tracks installed software versions, flags known vulnerable versions against CVE databases, and monitors for applications that lack automatic update mechanisms—ensuring that tools outside your managed software catalog don't become blind spots in your security posture. When vulnerabilities like CVE-2023-38831 are disclosed, Safeguard.sh immediately identifies every affected installation in your environment and tracks remediation progress.