Executive Summary
A targeted cyber-espionage campaign attributed to the threat group APT-C-08 is actively exploiting a high-severity directory traversal vulnerability, CVE-2025-6218, in older versions of WinRAR. The campaign focuses on government organizations in South Asia, using phishing emails with malicious RAR archives to gain initial access. The vulnerability allows attackers to drop malicious files into sensitive system folders, leading to remote code execution and persistence on the victim’s machine. Organizations are urged to update WinRAR immediately, enhance email security protocols, and train users to identify phishing threats in order to defend against this campaign.
Background on the Campaign
This campaign is characteristic of the ongoing cyber-espionage activities conducted by APT-C-08 (also known as Bitter), a suspected South Asian threat group active since at least 2013. The group has a history of targeting government, energy, and military sectors, with a primary focus on long-term intelligence gathering. Their consistent methodology involves using spear-phishing emails with lures relevant to their targets’ geopolitical interests to deliver malware.
The exploitation of CVE-2025-6218 marks a significant evolution in APT-C-08’s tactics, demonstrating their ability to quickly weaponize publicly known vulnerabilities. The group leverages the widespread use of WinRAR and the common failure of users to apply updates, creating a large attack surface. This campaign’s objective is to establish a persistent foothold within strategic government networks to exfiltrate sensitive data over the long term.
Vulnerability Details
- CVE-ID: CVE-2025-6218
- CVSS Score: 7.8
- EPSS Score: 0.60
- Vulnerability Type: Path Traversal
- Affected Software: WinRAR versions 7.11 and earlier
- Patched in: WinRAR version 7.12 and later
- Root Cause: The vulnerability is a flaw in how WinRAR processes file paths within a specially crafted archive file. It fails to properly sanitize directory traversal sequences, allowing a malicious file to be written to an arbitrary location on the filesystem outside of the intended extraction folder.
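The root cause above is the general archive path-traversal failure mode: member names that contain `..` segments, absolute paths, drive letters or UNC prefixes are written wherever they point instead of under the chosen extraction folder. The following Python is an added example written for this advisory, not WinRAR's code or any vendor code, showing the checks a hardened extractor performs on member names before writing anything. It works purely on strings (via `ntpath`, so it runs on any OS), the archive member names and the `DEST_DIR` extraction directory are constructed for the example, and it generalizes beyond the single Startup-folder case in the text by also rejecting absolute, drive-prefixed and UNC names.

```python
import ntpath

# Constructed archive member names (not taken from any real sample) that
# exercise the checks a patched extractor must perform.
SAMPLE_ENTRIES = [
    "report/budget_2025.docx",
    "docs/./notes.txt",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "report/../../Templates/Normal.dotm",
    "C:\\Users\\Public\\payload.exe",
    "\\\\server\\share\\payload.exe",
]

# Hypothetical extraction directory used by the checks below.
DEST_DIR = "C:\\Users\\analyst\\Downloads\\extracted"


def normalize_entry(name: str) -> str:
    """Unify separators and collapse '.' and 'x\\..' segments the way the
    Windows filesystem would interpret them. Pure string work, no I/O."""
    return ntpath.normpath(name.replace("/", "\\"))


def is_safe_entry(name: str, dest_dir: str = DEST_DIR) -> bool:
    """True only if writing `name` below `dest_dir` cannot leave `dest_dir`."""
    if not name or "\x00" in name:
        return False
    norm = normalize_entry(name)
    # Absolute paths, drive letters and UNC prefixes are rejected outright:
    # a relative archive member never needs them.
    drive, _ = ntpath.splitdrive(norm)
    if drive or norm.startswith("\\"):
        return False
    # Any '..' that survives normalization climbs above the relative root.
    if ".." in norm.split("\\"):
        return False
    # Final check: the joined, normalized target must still sit under dest.
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, norm))
    return ntpath.commonpath([dest, target]) == dest


def triage_entries(entries, dest_dir: str = DEST_DIR):
    """Split an archive listing into (accepted, rejected) member names."""
    accepted, rejected = [], []
    for name in entries:
        (accepted if is_safe_entry(name, dest_dir) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage_entries(SAMPLE_ENTRIES)
    for name in bad:
        print("REJECT", name)
    for name in ok:
        print("accept", name)
```

The order of the checks matters: normalization first, so that `report/../../x` is seen as `..\x`, then the absolute/UNC test, and only then the `..` test and the final containment check, which catches anything the earlier rules missed.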
Infection Method
The attack follows a clear sequence of events:
- Initial Access: The attacker sends a targeted spear-phishing email, often masquerading as a legitimate government entity, with a malicious RAR archive attached.
- Exploitation: The user is tricked into opening and extracting the contents of the RAR file. Due to the CVE-2025-6218 flaw, a malicious file (such as a script or a weaponized Word template) is secretly placed in a sensitive system directory, like the Windows Startup folder.
- Payload Delivery: When the user next logs in or starts an application like Microsoft Word, the malicious file in the Startup or Templates folder is automatically executed. This action typically triggers a downloader that fetches the main payload from a command-and-control server.
- Command and Control: The final payload, often a Remote Access Trojan (RAT), establishes a connection to an attacker-controlled server, allowing for remote command execution, data theft, and further malicious activities.
Threat Actor Behavior and Capabilities
The primary operator in this campaign, APT-C-08, is a persistent and resourceful group focused on long-term intelligence gathering. Their behavior and capabilities extend beyond a single piece of malware and include:
- Targeted Spear-Phishing: The group specializes in crafting convincing phishing emails with lures tailored to the specific geopolitical and professional interests of their government and military targets.
- Vulnerability Weaponization: APT-C-08 demonstrates the ability to quickly adopt and weaponize publicly disclosed vulnerabilities in widely used software, such as WinRAR, to achieve initial access.
- Multi-Stage Payload Deployment: They employ a multi-stage infection process, often starting with a simple dropper or downloader that retrieves more sophisticated backdoors and Remote Access Trojans (RATs) from their C2 servers.
- Custom Malware Arsenal: The group utilizes a range of custom malware families, including ZxxZ, WmRAT, and MiyaRAT, which are continuously evolved to evade detection.
- Persistence and Stealth: A key objective is establishing a long-term, covert presence. They achieve this by placing malicious files in system startup locations and using common filenames to blend in with legitimate system activity.
- Comprehensive Information Gathering: Once inside a network, APT-C-08 conducts reconnaissance to map the environment, exfiltrates sensitive documents, and harvests credentials to facilitate lateral movement.
- Dynamic Command and Control (C2) Infrastructure: The group maintains a flexible C2 infrastructure, frequently rotating domains and IP addresses to complicate blocking and attribution efforts.
Techniques Used
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566.001 / T1199 | Malicious Archive / Spearphishing via attachments |
| Persistence | T1137.001 | AutoExec Macros via Templates |
| Persistence | T1137 | Global Template Persistence |
| Lateral Movement | T1021.002 | SMB Share Mapping (net use) |
| Command and Control | T1071.001 | HTTPS Beaconing / POST |
| Defense Evasion | T1027.004 | Obfuscation: Base64 Encoded Strings in Macro |
Visual: Attack Flow
[Phishing Email with Malicious .RAR] -> [User Extracts Archive & Triggers CVE-2025-6218] -> [Malicious File Dropped into Windows Startup Folder] -> [Malware Executes on Next Logon] -> [Connects to Attacker’s C2 Server] -> [Executes Commands & Steals Data]
Indicators of Compromise (IOCs)
C2 Infrastructure
- koliwooclients[.]com
- esanojinjasvc[.]com
- tapeqcqoptions[.]com
- johnfashionarchive[.]com
- wmiapcservice[.]com
Hashes (MD5)
- f6f2fdc38cd61d8d9e8cd35244585967
- 4bedd8e2b66cc7d64b293493ef5b8942
- 84128d40db28e8ee16215877d4c4b64a
- f8b237ca925daa3db8699faa05007f12
- f16f2e4317c37085cad630d41001f7c3
- 418d73efd622ebec29759c081768db16
- 5d677781d6c7d4ddee967c1cc7e869ce
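To put the indicators above to use, a defender typically refangs the domains and sweeps DNS or proxy logs for them (including subdomains, since the final beacon host may be a subdomain of the listed apex) and compares file-hash inventories against the MD5 list. The Python below is an added example written for this advisory, not tooling from any vendor or from the original report; the domain and hash lists are copied from the IOC section, while the DNS log lines and the hash inventory are constructed sample data with invented hosts, paths and timestamps.

```python
import re

# IOCs exactly as published above, kept defanged until use.
C2_DOMAINS_DEFANGED = [
    "koliwooclients[.]com",
    "esanojinjasvc[.]com",
    "tapeqcqoptions[.]com",
    "johnfashionarchive[.]com",
    "wmiapcservice[.]com",
]

MD5_HASHES = {
    "f6f2fdc38cd61d8d9e8cd35244585967",
    "4bedd8e2b66cc7d64b293493ef5b8942",
    "84128d40db28e8ee16215877d4c4b64a",
    "f8b237ca925daa3db8699faa05007f12",
    "f16f2e4317c37085cad630d41001f7c3",
    "418d73efd622ebec29759c081768db16",
    "5d677781d6c7d4ddee967c1cc7e869ce",
}

# Constructed sample DNS resolver log (invented clients and timestamps).
SAMPLE_DNS_LOG = """\
2025-07-01T08:12:03Z client=10.20.1.15 query=updates.microsoft.com type=A
2025-07-01T08:12:07Z client=10.20.1.15 query=cdn.wmiapcservice.com type=A
2025-07-01T08:13:11Z client=10.20.1.22 query=mail.example.com type=A
2025-07-01T08:13:40Z client=10.20.1.15 query=KOLIWOOCLIENTS.COM type=A
2025-07-01T08:14:02Z client=10.20.1.31 query=notwmiapcservice.com type=A
"""

# Constructed sample file-hash inventory (invented hosts and paths; the
# first line deliberately reuses a published hash to show a hit).
SAMPLE_HASH_INVENTORY = """\
host=WS-041 md5=F6F2FDC38CD61D8D9E8CD35244585967 path=C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe
host=WS-041 md5=0123456789abcdef0123456789abcdef path=C:\\Windows\\System32\\notepad.exe
host=WS-077 md5=ffffffffffffffffffffffffffffffff path=C:\\Users\\clerk\\Documents\\agenda.docx
"""


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into a matchable lower-case hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]


def matching_ioc_domain(query: str):
    """Return the IOC apex that `query` equals or is a subdomain of, else None.
    Requires a dot boundary so 'notwmiapcservice.com' does not match."""
    q = query.strip().lower().rstrip(".")
    for ioc in C2_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


DNS_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+)")
INV_LINE = re.compile(r"host=(?P<host>\S+) md5=(?P<md5>[0-9A-Fa-f]{32}) path=(?P<path>.+)$")


def scan_dns_log(text: str):
    """Return one dict per log line whose query resolves a known C2 domain."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        ioc = matching_ioc_domain(m["query"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": m["query"], "ioc": ioc})
    return hits


def scan_hash_inventory(text: str):
    """Return one dict per inventory line whose MD5 is on the IOC list."""
    hits = []
    for line in text.splitlines():
        m = INV_LINE.search(line)
        if m and m["md5"].lower() in MD5_HASHES:
            hits.append({"host": m["host"], "path": m["path"], "md5": m["md5"].lower()})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for hit in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print("Hash hit:", hit)
```

Matching is case-insensitive and hash comparison is done on lower-cased hex, because resolver logs and EDR inventories are inconsistent about case; the dot-boundary rule in `matching_ioc_domain` avoids false positives on look-alike domains that merely end with the same string.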
Mitigation Steps
- Patch Management: Immediately update all instances of WinRAR to version 7.12 or higher to patch the vulnerability. Since WinRAR does not auto-update, this must be done manually.
- Email Security: Deploy advanced email filtering solutions to block malicious attachments and phishing attempts. Quarantine or block inbound RAR archives temporarily if immediate patching is not possible.
- User Training: Educate users to recognize and report suspicious emails and to be cautious about opening unsolicited attachments, even if they appear to come from a trusted source.
- Endpoint Security: Use Endpoint Detection and Response (EDR) tools to monitor for suspicious activities, such as files being written to Startup folders by archiving tools.
- Network Monitoring: Monitor network traffic for connections to known malicious domains or unusual outbound data transfers.
- Application Hardening: Use application control policies to restrict the execution of unauthorized scripts and executables from user-writable locations.
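Two of the mitigations above are directly testable: the Endpoint Security item (alert when an archiving tool writes into a Startup or template folder, which is exactly the drop described under Infection Method) and the Patch Management item (flag WinRAR installs at 7.11 or earlier). The Python below is an added example written for this advisory, not code from any EDR product or from Saner. It assumes file-creation telemetry with Sysmon Event ID 11-style fields (`UtcTime`, `Image`, `TargetFilename`); the event records, user names and file names are constructed, and the archiver process list and watched folder fragments are the author's choices for the example rather than anything the advisory specifies.

```python
import ntpath

# Image basenames of archivers that should not normally create files in
# autorun or template locations (example list, case-insensitive).
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe", "7zfm.exe", "7zg.exe", "7z.exe"}

# Lower-case, backslash-normalized fragments of the locations the campaign
# abuses: per-user and all-users Startup, Word STARTUP and Office Templates.
SENSITIVE_FRAGMENTS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\microsoft\\word\\startup\\",
    "\\microsoft\\templates\\",
)

# Constructed records shaped like Sysmon Event ID 11 (FileCreate).
# Invented for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-07-01 08:15:02.111",
     "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\analyst\\Downloads\\report\\budget_2025.docx"},
    {"UtcTime": "2025-07-01 08:15:02.340",
     "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"UtcTime": "2025-07-01 08:15:02.355",
     "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:/Users/analyst/AppData/Roaming/Microsoft/Templates/Normal.dotm"},
    {"UtcTime": "2025-07-01 08:20:44.002",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk"},
    {"UtcTime": "2025-07-01 08:21:10.500",
     "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.vbs"},
]


def is_archiver(image: str) -> bool:
    """True if the creating process is one of the watched archivers."""
    return ntpath.basename(image).lower() in ARCHIVER_IMAGES


def is_sensitive_target(path: str) -> bool:
    """True if the created file lands in a Startup or template location.
    Separators and case are normalized first because telemetry varies."""
    p = ntpath.normpath(path.replace("/", "\\")).lower()
    return any(frag in p for frag in SENSITIVE_FRAGMENTS)


def detect_archiver_drops(events):
    """Return the events where an archiver created a file in a watched location.
    A user legitimately pinning a shortcut via explorer.exe is not flagged."""
    return [e for e in events
            if is_archiver(e["Image"]) and is_sensitive_target(e["TargetFilename"])]


def parse_winrar_version(version: str):
    """'7.11' -> (7, 11); ignores trailing tokens such as 'beta 1'."""
    major, minor = version.split()[0].split(".")[:2]
    return int(major), int(minor)


def is_vulnerable_winrar(version: str) -> bool:
    """CVE-2025-6218 affects WinRAR 7.11 and earlier; 7.12 and later are patched."""
    return parse_winrar_version(version) <= (7, 11)


if __name__ == "__main__":
    for e in detect_archiver_drops(SAMPLE_EVENTS):
        print("ALERT", e["UtcTime"], e["Image"], "->", e["TargetFilename"])
    for v in ("6.24", "7.11", "7.12"):
        print(f"WinRAR {v}: {'vulnerable' if is_vulnerable_winrar(v) else 'patched'}")
```

The rule deliberately keys on the writer process rather than on file names, since the campaign uses common filenames to blend in; a detection that pairs an archiver image with a Startup or Templates destination is narrow enough to stay quiet on normal user activity.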
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated patching solution that instantly fixes risks exploited in the wild. It supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here
