Newly Emerging APT Threat Exploiting WinRAR Flaw

Nov 16, 2023 | Newsroom | Advanced Persistent Threat / Zero-Day

A hacking group that exploited a newly disclosed security flaw in the WinRAR software as a zero-day has now been categorized as a new advanced persistent threat (APT).

Cybersecurity company NSFOCUS has described DarkCasino as an “economically motivated” actor that first appeared in 2021.

“DarkCasino is an APT threat actor with strong technical and learning abilities, who is good at integrating various popular APT attack technologies into its attack process,” the company said in an analysis.

“The attacks launched by the APT group DarkCasino are very frequent, showing a strong desire to steal online property.”

DarkCasino was most recently implicated in the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads.


In August 2023, Group-IB disclosed real-world attacks that had weaponized the vulnerability against online trading forums since at least April 2023 to deliver a final payload named DarkMe, a Visual Basic trojan attributed to DarkCasino.

The malware is equipped to collect host information, take screenshots, manipulate files and Windows Registry, execute arbitrary commands, and update itself on the compromised host.

While DarkCasino was previously classified as a phishing campaign orchestrated by the EvilNum group targeting European and Asian online gambling, cryptocurrency, and credit platforms, NSFOCUS said its continued tracking of the adversary's activities has allowed it to rule out any potential connection with known threat actors.

The exact origin of the threat actor is currently unknown.

“In the early days, DarkCasino mainly operated in countries around the Mediterranean and other Asian countries that use online financial services,” it said.

“Recently, with the change in phishing methods, its attacks have reached users of cryptocurrencies around the world, even including non-English speaking countries in Asia such as South Korea and Vietnam.”


Several threat actors have joined the CVE-2023-38831 exploitation bandwagon in recent months, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.

Ghostwriter attack chains using the flaw have been observed to pave the way for PicassoLoader, an intermediate malware that acts as a loader for other payloads.

“The WinRAR vulnerability CVE-2023-38831 carried by the APT group DarkCasino brings uncertainty to the state of APT attacks in the second half of 2023,” NSFOCUS said.

“Many APT groups are taking advantage of the window period of this vulnerability to attack critical targets such as governments, hoping to bypass the targets’ defense systems and achieve their goals.”
