WinRAR Flaw Weaponized by APT-C-08 in Attacks on Government Organizations

Cybersecurity researchers have recently uncovered a new wave of attacks by APT-C-08, also known as BITTER, leveraging the WinRAR directory traversal vulnerability (CVE-2025-6218).

The South Asian state-linked threat group, known for espionage campaigns targeting government, defense, and academic institutions, has adopted this newly disclosed flaw to distribute malicious payloads through booby-trapped archive files.

The WinRAR vulnerability, present in version 7.11 and earlier, allows attackers to bypass normal directory boundaries during file extraction.

By crafting file paths containing sequences such as “/.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm” (note the intentional space after each “..”), adversaries can force the extraction of files into protected directories on a victim’s system.

WinRAR mishandles spaces in path validation, enabling this traversal and unauthorized file placement.

Malicious Template Chain Delivers Remote Access Payloads

In one captured case, the attackers distributed a compressed file named “Provision of Information for Sectoral for AJK.rar.” When extracted, it surreptitiously planted a malicious Microsoft Word template, Normal.dotm, into the Templates directory under AppData/Roaming/Microsoft.

This macro-enabled template then executed commands each time Word was launched, effectively gaining code execution on the host without any further user interaction.

The embedded macro used Windows network commands to map a remote directory and download winnsc.exe, a lightweight downloader that collects system metadata, hostname, username, and OS version, and exfiltrates it via POST requests to the command-and-control server teamlogin.esanojinjasvc[.]com.

Based on returned instructions, the malware fetched additional stage payloads, including a C#-based Trojan previously linked to the same threat actor.

A second variant, “Weekly AI Article.rar,” followed an identical attack pattern, dropping another Normal.dotm that executed remote command-line instructions retrieved from tapeqcqoptions[.]com/d6Z2.php.

Both incidents highlight the group’s technical agility in chaining simple vulnerabilities with multi-stage infection methods to ensure persistence and data theft.
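As an added defensive check, not code from the article or from the researchers' report, the following Python script scans an archive's stored entry names (for example the output of `unrar lb archive.rar`, one path per line) for the whitespace-padded `.. ` traversal described above and for entries that would land on the Word global template path; the listing below is constructed sample data, and the sensitive-path patterns are an assumed starter set.

```python
import re
from typing import Dict, List

# Constructed sample listing in the shape `unrar lb` prints (one stored path per line).
# The third entry mirrors the ".. /.. /AppData/..." sequence quoted in the article.
SAMPLE_LISTING = """\
Provision of Information.docx
images/logo.png
.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm
../../../Users/Public/update.exe
docs/report.pdf
"""

# Assumed starter set of destinations that give an attacker code execution on drop.
SENSITIVE_DESTINATIONS = {
    "word_global_template": re.compile(r"appdata/roaming/microsoft/templates/normal\.dotm$", re.I),
    "startup_folder": re.compile(r"microsoft/windows/start menu/programs/startup/", re.I),
}

def split_components(stored_path: str) -> List[str]:
    # Archives may store either separator; treat both as separators, drop empties.
    return [c for c in re.split(r"[\\/]+", stored_path) if c != ""]

def is_dotdot(component: str) -> bool:
    # Matches ".." and the padded ".. " / "..." variants: Windows strips trailing
    # spaces and dots from a name, so these resolve to ".." on disk.
    return re.fullmatch(r"\.\.[ .]*", component) is not None

def analyse_entry(stored_path: str) -> Dict[str, object]:
    depth, escapes, padded = 0, False, False
    comps = split_components(stored_path)
    for comp in comps:
        if is_dotdot(comp):
            padded = padded or comp != ".."
            depth -= 1
            escapes = escapes or depth < 0  # climbed above the extraction root
        elif comp != ".":
            depth += 1
    normalised = "/".join(".." if is_dotdot(c) else c for c in comps)
    targets = [name for name, rx in SENSITIVE_DESTINATIONS.items() if rx.search(normalised)]
    return {"path": stored_path, "escapes_root": escapes,
            "padded_dotdot": padded, "sensitive_targets": targets}

def scan_listing(listing: str) -> List[Dict[str, object]]:
    # Do not strip lines: a trailing space is exactly the signal we are looking for.
    results = [analyse_entry(line) for line in listing.splitlines() if line.strip()]
    return [r for r in results if r["escapes_root"] or r["sensitive_targets"]]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        print(finding)
```

Any archive that yields a finding should be quarantined and inspected before extraction; a legitimate document archive has no reason to climb out of its own directory.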

Expanding Tactical Arsenal

APT-C-08’s consistent adaptation of public exploits demonstrates its continued operational refinement and intelligence-gathering objectives.

Analysts note that the low complexity yet high impact of CVE-2025-6218 makes it an attractive choice for espionage operations, particularly against organizations that are slow to update their WinRAR installations.

Security teams are urged to upgrade WinRAR beyond version 7.11, restrict macro execution in templates, and treat unverified archives and email attachments as high risk.

The campaign underscores how routine software tools, when left unpatched, can become critical entry points for state-backed threat actors.

Indicators of Compromise (IOCs):

MD5: f6f2fdc38cd61d8d9e8cd35244585967, 4bedd8e2b66cc7d64b293493ef5b8942, 84128d40db28e8ee16215877d4c4b64a
C2 Domains: koliwooclients[.]com, teamlogin.esanojinjasvc[.]com, tapeqcqoptions[.]com

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
