Key Takeaways
- Google's Threat Analysis Group (TAG) has identified state-sponsored hacking groups actively exploiting CVE-2023-38831, a WinRAR vulnerability patched in mid-2023.
- Four groups aligned with Russia are targeting Ukrainian military and civilian systems, while Chinese actors are deploying remote access trojans.
- The vulnerability is also being exploited by cybercriminals in campaigns spanning Brazil, Indonesia, and Latin America.
Here's the thing about legacy software: it doesn't just fade away quietly. Google's Threat Analysis Group has revealed that a critical WinRAR vulnerability is being actively weaponized by state-level actors from Russia and China, despite a patch being available since August 2023. The revelation underscores a persistent problem for enterprise IT teams—patched vulnerabilities remain dangerous as long as outdated software versions stay in production.
The vulnerability in question, CVE-2023-38831, allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. What makes this particularly concerning isn't just the technical exploit itself, but the breadth and sophistication of groups leveraging it.
Who's Behind the Attacks?
According to Google's research, multiple distinct hacker groups are actively exploiting this flaw. Several of these groups appear aligned with Russian interests, focusing their efforts on Ukrainian military and civilian infrastructure—a continuation of cyber operations that have paralleled the ongoing physical conflict. Another group, operating from China, is using the vulnerability to deliver remote access trojans that can provide persistent backdoor access to compromised systems.
But state actors aren't the only ones taking advantage. The vulnerability has attracted cybercriminals pursuing more conventional financial objectives across Brazil, broader Latin America, and Indonesia. The attack surface is global, and motivations vary widely.
A Thriving Black Market
Perhaps most alarming is the rapid commercialization of exploit tools. Malware developers are advertising attack packages on underground markets that incorporate this specific flaw. These packages often include exploits for Windows, Microsoft Office, VPN solutions, and antivirus programs.
The availability of these tools indicates a high expected return on investment for attackers. Organizations with valuable intellectual property, financial data, or strategic intelligence make attractive targets for well-funded attackers willing to invest in reliable exploit toolkits.
The Patching Gap Problem
The vulnerability was discovered and patched in 2023. So why is it still a topic of concern? Because patching theoretical vulnerabilities and securing actual enterprise environments are two very different challenges.
Many organizations maintain WinRAR installations that haven't been updated in years. Some systems may be air-gapped or require extensive testing before updates can be deployed. Others simply fall through the cracks of patch management processes that prioritize operating system and critical application updates over utility software.
For threat actors, this creates a persistent opportunity. They know that even well-publicized, long-patched vulnerabilities remain exploitable across significant portions of the global software install base.
What This Means for IT Security Teams
Google's research team is sharing threat detection data that can help identify known exploit attempts. That's helpful, but reactive. The fundamental issue is one of software inventory and lifecycle management—do you actually know which versions of WinRAR (or any other utility software) are running across your environment?
The good news, if there is any, is that WinRAR has become less essential over time. Windows now natively handles ZIP, 7z, and even RAR archives without third-party software. For many organizations, the simplest mitigation might be removing WinRAR entirely rather than maintaining another software package that requires ongoing security attention.
That said, some workflows and legacy processes may still depend on specific WinRAR functionality. For those use cases, immediate updates are non-negotiable. The exploit is known, actively used, and available to threat actors.
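One way to answer the inventory question above, as an added PowerShell example that is not from the article or from Google's report: it enumerates WinRAR installs recorded in the Windows Uninstall registry keys and at the default install path, then flags any version below the first patched release. The fixed version is an assumption in the script (6.23 is assumed here); confirm it against the vendor's advisory before relying on the check.

```powershell
# Added example (not from the original article): inventory WinRAR on a Windows
# host and flag versions below the first patched release.
# ASSUMPTION: $FixedVersion is the release that fixed CVE-2023-38831; confirm it
# against the vendor advisory before relying on this check.
[version]$FixedVersion = '6.23'

# Registry views where installers record their version (64-bit and 32-bit).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WinRarInstall {
    $found = @()
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'WinRAR*' } |
            ForEach-Object {
                $found += [pscustomobject]@{
                    Source = 'Registry'; Name = $_.DisplayName
                    Version = $_.DisplayVersion; Path = $_.InstallLocation
                }
            }
    }
    # Also inspect the binary itself: portable copies never touch the Uninstall keys.
    foreach ($exe in @("$env:ProgramFiles\WinRAR\WinRAR.exe",
                       "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")) {
        if (Test-Path $exe) {
            $fv = (Get-Item $exe).VersionInfo
            $found += [pscustomobject]@{
                Source = 'Binary'; Name = 'WinRAR.exe'
                Version = "$($fv.FileMajorPart).$($fv.FileMinorPart)"; Path = $exe
            }
        }
    }
    return $found
}

function Test-WinRarPatched {
    param([string]$VersionString)
    [version]$v = $null
    # An unparseable version is treated as unpatched: unknown is not safe.
    if (-not [version]::TryParse($VersionString, [ref]$v)) { return $false }
    return ($v -ge $FixedVersion)
}

Get-WinRarInstall | ForEach-Object {
    $status = if (Test-WinRarPatched $_.Version) { 'OK' } else { 'VULNERABLE: update or remove' }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = $status; Version = $_.Version; Path = $_.Path }
} | Format-Table -AutoSize
```

Run it through your existing remote-execution tooling (for example Invoke-Command against a host list) to build the fleet-wide view the article argues for; a host that returns no rows has no WinRAR in either location checked, not necessarily none at all.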
The Broader Pattern
This incident fits a familiar pattern in enterprise security. Utility software—the background tools that users barely notice—often receives less attention than high-profile applications. Yet these utilities often have extensive system access and can serve as effective vectors for sophisticated attacks. How many other "faded into the background" applications in your environment are running outdated, vulnerable versions?
The involvement of multiple state-sponsored groups and the development of commercial exploit packages suggests this vulnerability has been thoroughly analyzed and weaponized. Organizations still running vulnerable versions aren't facing theoretical risk—they're exposed to active, ongoing campaigns with both espionage and financial motivations. For enterprise IT and security teams, the message is clear: software that seems trivial can create significant exposure, and patch lag provides attackers with extended windows of opportunity.