Government-backed actors exploiting WinRAR vulnerability
Strategic summary
Multiple government-backed groups are actively exploiting this patched vulnerability, indicating a high-value, persistent attack method.
Full text
Title: Government-backed actors exploiting WinRAR vulnerability
URL Source: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
Published Time: 2023-10-18T15:00:00+00:00
[… 9,600 characters omitted; next zone: keyword-dense paragraphs …]
In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability CVE-2023-38831 in WinRAR, a popular file archiver tool for Windows. Cybercrime groups began exploiting the vulnerability in early 2023, when the bug was still unknown to defenders. A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.
As detailed in a [blog post](https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/) from Group-IB, the vulnerability had been exploited as a 0-day in the wild by cybercrime actors since at least April 2023, in campaigns targeting financial traders to deliver various commodity malware families. Hours after the blog post was released, proofs of concept and exploit generators were uploaded to [public GitHub repositories](https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc). Shortly after that, TAG began to observe testing activity from both financially motivated and APT actors experimenting with CVE-2023-38831.
The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available. Even the most sophisticated attackers will only do what is necessary to accomplish their goals. These recent campaigns exploiting the WinRAR bug underscore the importance of patching and show that there is still work to be done to make it easy for users to keep their software secure and up to date. TAG will continue to compile and share threat intelligence for the protection of online users and Google products; in the meantime, we encourage organizations and users to keep their software fully up to date.
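The post does not describe the bug's mechanics, so the following is an added example (not code from the original post or from Google TAG) that a defender can run over quarantined archives. It relies on the publicly documented trigger layout of CVE-2023-38831: a ZIP file entry whose name ends in a space, paired with a directory of exactly the same name that holds a script sharing the decoy's name prefix. The function names and the entry lists are constructed for illustration.

```python
import posixpath
import zipfile

# Script/executable types Windows would run when the paired entry is opened.
EXECUTABLE_SUFFIXES = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr")


def find_cve_2023_38831_pairs(names):
    """Return sorted (decoy, script) pairs matching the CVE-2023-38831 layout.

    `names` is a list of entry names as zipfile.namelist() returns them
    (directory entries end in "/"). A hit is a file entry whose name ends in
    a space (the decoy) plus a same-named directory containing an executable
    whose name starts with the decoy's name.
    """
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for entry in files:
        parent, base = posixpath.split(entry)
        # Only directories whose name carries a trailing space are of interest.
        if not parent.endswith(" "):
            continue
        decoy_name = posixpath.basename(parent)
        if (parent in files                      # a file shares the directory's full name
                and base.startswith(decoy_name)  # script carries the decoy's prefix
                and base.lower().endswith(EXECUTABLE_SUFFIXES)):
            hits.append((parent, entry))
    return sorted(hits)


def scan_zip(path):
    """Read the entry names of an archive on disk and run the check."""
    with zipfile.ZipFile(path) as zf:
        return find_cve_2023_38831_pairs(zf.namelist())


# Constructed entry lists (no archive is built here): the first mirrors the
# public trigger layout, the second is an ordinary archive that must not match.
SAMPLE_ENTRIES = [
    "trading_strategy.pdf ",
    "trading_strategy.pdf /",
    "trading_strategy.pdf /trading_strategy.pdf .cmd",
    "trading_strategy.pdf /images/chart.png",
]
BENIGN_ENTRIES = ["report.pdf", "report/", "report/report.cmd", "notes.txt"]

if __name__ == "__main__":
    print(find_cve_2023_38831_pairs(SAMPLE_ENTRIES))  # one flagged pair
    print(find_cve_2023_38831_pairs(BENIGN_ENTRIES))  # []
```

A match is a strong indicator of a crafted archive; patching WinRAR remains the actual fix, since this check only covers the documented entry layout.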
On September 4th, CERT-UA [posted](https://cert.gov.ua/article/5702579) about FROZENLAKE (aka APT28), a group attributed to the Russian GRU, using CVE-2023-38831 to deliver malware targeting energy infrastructure. TAG observed that FROZENLAKE used a free hosting provider to serve CVE-2023-38831 to target users in Ukraine. The initial page redirected users to a mockbin site to perform browser checks and redirect to the next stage, which would ensure the visitor was coming from an IPv4 address in Ukraine and would prompt the user to download a file containing a […]
[… 9,145 characters omitted; next zone: tail …]