More WinRAR security flaws are being exploited to attack foreign embassies


The list of threat actors abusing a vulnerability in WinRAR that was first discovered last spring is continuing to grow, with the latest addition being APT29, a Russian state-sponsored threat actor also known as Cozy Bear or NOBELIUM.

This is according to the Ukrainian National Security and Defense Council (NDSC), which claims that it observed APT29 targeting government agencies with phishing emails that exploited CVE-2023-38831, BleepingComputer reports.

CVE-2023-38831 is a vulnerability in the popular archiving program WinRAR that was discovered in April this year. It allows hackers to create .RAR and .ZIP archives that execute malicious code in the background while the victim is busy reading the decoy files shared in the archive. The malware dropped is mostly infostealers, which grab passwords stored in browsers, classified documents, system information, and more.
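The public description of CVE-2023-38831 is that an archive pairs a harmless-looking file with a folder of the same name (in observed samples the two differ only by a trailing space), and the folder's contents are processed when the user opens the harmless file. A mail gateway or sandbox can look for exactly that layout before anyone opens the archive. The following is an added example, not code from the article or from WinRAR's vendor: it builds a constructed in-memory ZIP fixture with inert contents, then scans for a top-level file whose name collides with a directory that holds script-like entries. The extension list and the fixture names are assumptions for illustration.

```python
import io
import zipfile
from collections import defaultdict
from typing import Dict, List, Tuple

# Extensions that should never sit inside a "folder" named after a decoy document.
# Assumed list for the example; tune it to the platform you protect.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr")


def normalize(name: str) -> str:
    """Fold together the name variants the decoy trick relies on:
    backslash vs slash separators, a trailing slash on directories,
    trailing spaces, and letter case."""
    return name.replace("\\", "/").rstrip("/").rstrip(" ").lower()


def find_decoy_collisions(archive: zipfile.ZipFile) -> List[Tuple[str, List[str]]]:
    """Return (decoy_file, [suspicious entries]) pairs: a top-level file whose
    normalized name equals a top-level directory that contains script-like files."""
    top_level_files: Dict[str, str] = {}
    dir_children: Dict[str, List[str]] = defaultdict(list)

    for info in archive.infolist():
        parts = info.filename.replace("\\", "/").split("/")
        if info.is_dir():
            # Explicit directory entry; register it even if it has no children yet.
            dir_children.setdefault(normalize(parts[0]), [])
        elif len(parts) == 1:
            top_level_files[normalize(parts[0])] = info.filename
        else:
            # Nested file: its first path component is the containing top-level directory.
            dir_children[normalize(parts[0])].append(info.filename)

    hits = []
    for dir_key, children in dir_children.items():
        if dir_key not in top_level_files:
            continue
        suspicious = [c for c in children if c.lower().rstrip().endswith(SCRIPT_EXTENSIONS)]
        if suspicious:
            hits.append((top_level_files[dir_key], suspicious))
    return hits


def scan_bytes(data: bytes) -> List[Tuple[str, List[str]]]:
    """Scan a ZIP held in memory (e.g. an e-mail attachment pulled from a gateway)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_collisions(zf)


def build_sample(with_collision: bool) -> bytes:
    """Constructed test fixture, not a real sample. All bodies are inert text;
    only the entry layout matters for the detector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"placeholder bytes, not a real image")
        zf.writestr("readme.txt", "placeholder decoy text")
        if with_collision:
            # Directory name equals the decoy file name plus a trailing space,
            # and it contains a script-like entry.
            zf.writestr("photo.jpg /photo.jpg .cmd", "rem inert placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspicious", True)):
        print(label, scan_bytes(build_sample(flag)))
```

The detector deliberately compares names after stripping trailing spaces and case-folding, because an exact-string comparison would miss the very layout that makes the decoy work; flagging on layout alone, before looking at file contents, keeps the check cheap enough to run on every inbound archive.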


Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Using Ngrok, too

In this instance, the attackers were targeting government organizations in Azerbaijan, Greece, Romania, and Italy, with fake BMW sales. Employees would get an email pretending to offer a diplomatic BMW car in good shape, and while they were busy reviewing the photos of the vehicle, the malware would install in the background.

The vulnerability affects WinRAR versions older than 6.23. The company that builds the product, RAR Labs, released a patch a few months ago, which all users are advised to install. 

This attack is also unique because the attackers came up with a new way to communicate with the C2 server. As per NDSC, Cozy Bear used an Ngrok free static domain to access the C2 server hosted on their Ngrok instance.

“In this nefarious tactic, they utilize Ngrok's services by utilizing free static domains provided by Ngrok, typically in the form of a subdomain under "ngrok-free.app." These subdomains act as discrete and inconspicuous rendezvous points for their malicious payloads,” the organization said.
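Because the report names the domain pattern (a subdomain under ngrok-free.app), defenders can hunt for it directly in proxy or DNS logs. The following is an added example, not part of the article or of NDSC's report: it parses a few constructed proxy log lines, extracts the destination hostname, and matches it against the reported suffix with proper label-boundary checking so that a look-alike domain that merely contains the string does not produce a hit. The log format, IP addresses and hostnames are all constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Tunnel domain named in the NDSC report quoted above; extend as your own intel dictates.
TUNNEL_SUFFIXES = ("ngrok-free.app",)

# Assumed proxy log layout: timestamp, client IP, method, full URL.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample lines; the ngrok-free.app label and IPs are placeholders.
SAMPLE_PROXY_LOG = """\
2023-11-15T09:12:01Z 10.20.1.15 GET https://www.example.org/index.html
2023-11-15T09:12:07Z 10.20.1.15 POST https://abc0-placeholder.ngrok-free.app/upload
2023-11-15T09:13:22Z 10.20.1.31 GET https://cdn.example.net/style.css
2023-11-15T09:14:02Z 10.20.1.15 GET https://abc0-placeholder.ngrok-free.app/tasks
2023-11-15T09:15:44Z 10.20.1.42 GET https://ngrok-free.app.lookalike.test/
"""


def is_tunnel_host(host: str) -> bool:
    """True only if host is the suffix itself or a subdomain of it (label boundary respected)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


def find_tunnel_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host is under a tunnel domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host = urlsplit(m.group("url")).hostname or ""
        if is_tunnel_host(host):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "host": host})
    return hits


def beacons_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Aggregate hits per internal client so triage starts with the noisiest host."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_tunnel_beacons(SAMPLE_PROXY_LOG)
    for h in found:
        print(h)
    print(beacons_by_source(found))
```

Matching on the suffix with a label boundary (`host == s or host.endswith("." + s)`) is what distinguishes a genuine ngrok-free.app subdomain from a domain that only embeds the string; the fifth sample line exists to show that case being correctly ignored. In a real environment the same function would run over the proxy's export rather than the embedded sample.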

Last summer, besides Russian hackers, researchers also spotted Chinese threat actors abusing the WinRAR flaw.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
