Monday , July 13 2026

WinRAR zero-day exploited since April to hack trading accounts

Traders are falling victim to cybercriminals who are leveraging a zero-day vulnerability in WinRAR, the long-standing shareware archiving tool for Windows, in order to pilfer funds.

In June, the cybersecurity company Group-IB made a remarkable discovery – a vulnerability that impacts how WinRAR handles the ZIP file format. Hackers are able to exploit a zero-day flaw, which means the vendor has no time to fix it before it is exploited. This flaw enables them to conceal harmful scripts within archive files disguised as .jpg images or .txt files. Consequently, they can easily compromise their target machines.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

ALSO READ:

Kali Linux 2023.3 released: redesign NetHunter ,9 new tools, and more!

According to Group-IB, hackers have been taking advantage of this vulnerability since April in order to disseminate harmful ZIP archives on exclusive trading forums. Group-IB told malicious ZIP archives were posted on at least eight public forums. These forums discuss various topics related to trading, investment, and cryptocurrency. Group-IB declined to name the targeted forums.

The administrators of one of the targeted forums detected the presence of malicious files being shared and promptly issued a warning to their users. In addition to blocking the accounts used by the attackers, the forum also implemented measures to prevent their activities. However, Group-IB discovered evidence indicating that the hackers possessed the ability to bypass the account restrictions imposed by forum administrators. Consequently, they continued distributing malicious files by posting them in threads or sending them via private messages.

Hackers can gain access to brokerage accounts by tricking users into opening malware-infected files. This allows them to perform illegal financial transactions and withdraw funds. At the moment, the cybersecurity company informs that around 130 traders have infected devices. However, they mention that they do not have any information regarding financial losses at this point.
One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.

The mastermind behind the exploitation of the WinRAR zero-day remains a mystery. Group-IB, however, reported that it has detected the hackers utilizing DarkMe, a Visual Basic trojan associated with the notorious “Evilnum” threat group.

Evilnum, also referred to as “TA4563,” is a highly motivated threat group focused on financial gain, demonstrating significant activity within the United Kingdom. There has been evidence of this happening in Europe since at least 2018. The group has gained recognition for primarily focusing on financial organizations and online trading platforms. Group-IB stated that although they have identified the DarkMe trojan, they cannot definitively establish a direct connection between the detected campaign and this financially motivated group.

According to Group-IB, they have successfully reported the vulnerability, known as CVE-2023-38831, to Rarlab, the creators of WinRAR. On August 2nd, a new and improved WinRAR version (6.23) was released to fix the issue.

Check Also

5

TP-Link alerts users to patch router auth bypass vulnerability

TP-Link fixed some security flaws in its Archer NX routers. CVE-2025-15517 is a security flaw …