InfoSecBulletin Cybersecurity for mankind
Traders are falling victim to cybercriminals who are leveraging a zero-day vulnerability in WinRAR, the long-standing shareware archiving tool for Windows, in order to pilfer funds.
In June, the cybersecurity company Group-IB made a remarkable discovery – a vulnerability that impacts how WinRAR handles the ZIP file format. Hackers are able to exploit a zero-day flaw, which means the vendor has no time to fix it before it is exploited. This flaw enables them to conceal harmful scripts within archive files disguised as .jpg images or .txt files. Consequently, they can easily compromise their target machines.
Hacker claim to breach Link3; 189,000 Users data up for sale
Check Point Hosts “Securing the Hyperconnected World in the AI Era” in Dhaka
Microsoft Confirms 900+ XSS Vulns Found in IT Services
Daily Security Update Dated : 15.09.2025
IBM QRadar SIEM Vuln Let Attackers Perform Unauthorized Actions
Major Australian Banks using Army of AI Bots to Scam Scammers
F5 to acquire CalypsoAI for $180M for Advanced AI Security Capabilities
AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Attacks
CVE-2025-21043
Samsung Patched Critical Zero-Day Flaw Exploited in Android Attacks
Albania appoints world’s first AI minister, “Diella” to Tackle Corruption
ALSO READ:
Kali Linux 2023.3 released: redesign NetHunter ,9 new tools, and more!
According to Group-IB, hackers have been taking advantage of this vulnerability since April in order to disseminate harmful ZIP archives on exclusive trading forums. Group-IB told malicious ZIP archives were posted on at least eight public forums. These forums discuss various topics related to trading, investment, and cryptocurrency. Group-IB declined to name the targeted forums.
The administrators of one of the targeted forums detected the presence of malicious files being shared and promptly issued a warning to their users. In addition to blocking the accounts used by the attackers, the forum also implemented measures to prevent their activities. However, Group-IB discovered evidence indicating that the hackers possessed the ability to bypass the account restrictions imposed by forum administrators. Consequently, they continued distributing malicious files by posting them in threads or sending them via private messages.
Hackers can gain access to brokerage accounts by tricking users into opening malware-infected files. This allows them to perform illegal financial transactions and withdraw funds. At the moment, the cybersecurity company informs that around 130 traders have infected devices. However, they mention that they do not have any information regarding financial losses at this point.
One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.
The mastermind behind the exploitation of the WinRAR zero-day remains a mystery. Group-IB, however, reported that it has detected the hackers utilizing DarkMe, a Visual Basic trojan associated with the notorious “Evilnum” threat group.
Evilnum, also referred to as “TA4563,” is a highly motivated threat group focused on financial gain, demonstrating significant activity within the United Kingdom. There has been evidence of this happening in Europe since at least 2018. The group has gained recognition for primarily focusing on financial organizations and online trading platforms. Group-IB stated that although they have identified the DarkMe trojan, they cannot definitively establish a direct connection between the detected campaign and this financially motivated group.
According to Group-IB, they have successfully reported the vulnerability, known as CVE-2023-38831, to Rarlab, the creators of WinRAR. On August 2nd, a new and improved WinRAR version (6.23) was released to fix the issue.
