The user opened a JPG they could see in the archive. A RAT installed behind it.
CVE-2023-38831 weaponizes the one thing you tell users is safe: opening a file they can see. A WinRAR archive hides a script in a folder named identically to a benign file, and double-clicking the file runs the script. You can't train this away, and WinRAR doesn't auto-update.
Security awareness training tells users to be careful what they open. Don’t run unexpected executables, don’t enable macros, be suspicious of weird file types. CVE-2023-38831 sails straight past all of it, because the file the user opens is exactly what it appears to be: an ordinary image or text file, visible in the archive, that opens correctly when double-clicked. The catch is that a malicious script runs at the same time, in the background, and a remote access trojan lands on the machine. The user did nothing wrong by the rules they were taught. That’s what makes this bug worth understanding beyond “patch WinRAR.”
What the bug is
CVE-2023-38831 is a file-handling spoofing flaw (CWE-345/351) in WinRAR before version 6.23, CVSS 7.8. The trick is structural: an attacker crafts a ZIP or RAR archive that contains a benign file, say photo.jpg, and also a folder named identically, photo.jpg, holding a malicious script. When the user double-clicks the benign-looking file in WinRAR, a quirk in how WinRAR handled the temporary extraction caused the script inside the same-named folder to execute instead of, or alongside, opening the decoy. The decoy opens too, completing the illusion that nothing happened. RARLAB fixed it in WinRAR 6.23 on August 2, 2023, and CISA added it to the Known Exploited Vulnerabilities catalog on August 24, with the ransomware flag.
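The structural pattern described above, a regular file beside a folder carrying the same name, is something a gateway or mail scanner can check for before an archive ever reaches WinRAR. The following Python is an added example written for this article, not code from RARLAB, Group-IB or any published scanner; it builds two small ZIP archives in memory (one with the decoy-plus-folder layout, one ordinary) and reports every file whose name collides with a folder. The trailing-whitespace normalisation and the placeholder script contents are assumptions made here.

```python
"""Flag ZIP entries whose file name collides with a folder name.

Added example, not code from the original article, RARLAB or Group-IB. It
checks only the structural pattern the article describes (a regular file
such as photo.jpg beside a folder also called photo.jpg). Sample archives
are constructed in memory; the script inside them is an inert placeholder.
"""
import io
import zipfile


def _norm(path: str) -> list[str]:
    """Split an archive path into components, dropping empty parts and
    trailing whitespace on each part (an assumption made here so that names
    differing only by trailing spaces are still treated as the same name)."""
    return [p.rstrip() for p in path.split("/") if p.strip()]


def find_name_collisions(data: bytes) -> dict[str, list[str]]:
    """Return {file_entry: [entries inside the same-named folder]} for every
    regular file that shares its name with a folder in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [zi.filename for zi in zf.infolist()]

    # Every folder in the archive: explicit ("dir/") or implied by a nested
    # entry ("dir/child"), stored as normalised "a/b" strings.
    folders: set[str] = set()
    for name in names:
        parts = _norm(name)
        depth = len(parts) if name.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            folders.add("/".join(parts[:i]))

    collisions: dict[str, list[str]] = {}
    for name in names:
        if name.endswith("/"):
            continue  # explicit folder entry, not a file
        key = "/".join(_norm(name))
        if key in folders:
            prefix = key + "/"
            collisions[name] = [
                other for other in names
                if other != name and "/".join(_norm(other)).startswith(prefix)
            ]
    return collisions


def build_sample_archive() -> bytes:
    """Constructed sample showing the pattern: a decoy image plus a same-named
    folder holding a script, and one innocent file that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed JPEG-like header bytes, not a real image.
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("photo.jpg/run.cmd", b"rem inert placeholder\r\n")
        zf.writestr("readme.txt", b"nothing unusual here\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed control: ordinary files in an ordinary folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("photos/notes.txt", b"holiday\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()),
                        ("clean", build_clean_archive())):
        print(label, find_name_collisions(data))
```

A collision like this has no legitimate reason to exist, since a Windows filesystem cannot hold a file and a folder of the same name in the same directory, so it is a low-noise signal to block or quarantine on at the gateway regardless of what the decoy file appears to be.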
Group-IB discovered it in July 2023 while tracking DarkMe malware, and found it had been exploited since at least April. The first campaign was financially motivated and precisely aimed: crafted archives posted in online forums for stock and cryptocurrency traders, delivering DarkMe, GuLoader, and Remcos RAT to drain trading accounts. Group-IB found over a hundred traders’ devices still infected at the time of disclosure. Then the state-sponsored crews moved in. Google’s threat researchers and others documented exploitation by Russia’s Sandworm and APT28, China’s APT40, and North Korea’s Konni, among others. A logic bug in a file archiver became, briefly, shared tooling across criminal and nation-state operations.
Why this one resists the usual answers
Two things make CVE-2023-38831 a harder problem than its 7.8 score suggests, and both are about the gap between how security is supposed to work and how it actually fails.
The first is that you cannot train your way out of it. The entire awareness model rests on the user being able to distinguish safe actions from dangerous ones. This bug erases the distinction: the dangerous action and the safe action are the same double-click, on a file that genuinely is the image it claims to be. “Don’t open suspicious files” is useless advice when the file isn’t suspicious and opens normally. Blaming the user here is not just unkind, it’s analytically wrong, because there was no observable signal for them to act on.
The second is distribution. WinRAR is installed on a staggering number of machines and has historically had no automatic update mechanism. The user has to notice a new version exists and manually download and install it. So even after RARLAB shipped 6.23, the patched version propagated slowly, leaving a huge population of vulnerable installs for months, which is exactly the window the APTs exploited. A patch that doesn’t auto-deploy is a patch most users will never apply, and a vendor shipping security-critical software without auto-update in 2023 is making a choice that guarantees a long vulnerable tail.
What to do
- Push WinRAR to 6.23 or later through your management tooling; don’t rely on users. Since WinRAR won’t update itself, your endpoint management, software-deployment, or patch tooling has to do it. Inventory where WinRAR is installed first; it’s often present on machines nobody remembers installing it on.
- Consider whether you need standalone WinRAR at all. Modern Windows handles ZIP natively, and reducing the number of third-party archivers without auto-update shrinks this category of risk. Where a tool is genuinely needed, prefer one that updates itself.
- Treat archives from untrusted sources as executable content. An archive can carry an exploit like this regardless of what its contents appear to be. Gateway scanning, detonation in a sandbox, and blocking archives from untrusted external sources all help where patching lags.
- Hunt for the exploitation pattern. Splunk and others published detections; look for WinRAR (or its temp-extraction process) spawning script interpreters and unexpected child processes, and for the malware families used (DarkMe, Remcos, GuLoader).
- Reframe the user guidance honestly. Instead of “don’t open suspicious files,” which this defeats, the durable message is “be cautious with archives from sources you don’t fully trust, even when the files inside look normal,” paired with the technical controls that don’t depend on the user catching it.
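The hunting pattern in the list above, WinRAR spawning a script interpreter, can be expressed as a small rule over process-creation telemetry. The Python below is an added example for this article, not the Splunk detections it references; it runs over constructed Sysmon-style process-creation records (JSON lines carrying `Image`, `ParentImage` and `CommandLine`) and returns an alert for each child that is a script host. The interpreter list and the sample paths are assumptions made here, not observed indicators.

```python
"""Detect an archiver spawning a script interpreter in process telemetry.

Added example, not the Splunk detections the article references. Events are
constructed Sysmon-style process-creation records (Event ID 1) in JSON lines;
the interpreter set and all paths below are assumptions, not observed IoCs.
"""
import json
import ntpath

ARCHIVER = "winrar.exe"

# Script hosts whose launch by an archiver is worth an alert (assumed list).
SCRIPT_INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Constructed sample telemetry: one benign viewer launch, one unrelated cmd.exe,
# and two archiver-to-interpreter launches that should be flagged.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","CommandLine":"cmd.exe /c \"C:\\Users\\u\\AppData\\Local\\Temp\\example\\photo.jpg\\run.cmd\""}
{"EventID":1,"Image":"C:\\Windows\\System32\\mspaint.exe","ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","CommandLine":"mspaint.exe C:\\Users\\u\\AppData\\Local\\Temp\\example\\photo.jpg"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","CommandLine":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\example\\notes.txt\\open.vbs"}
{"EventID":3,"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"","CommandLine":""}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows path (ntpath handles
    backslashes on any host OS)."""
    return ntpath.basename(path).lower()


def detect_archiver_spawned_scripts(events: list[dict]) -> list[dict]:
    """Return one alert per process-creation event where WinRAR is the parent
    and the child is a script interpreter."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry a parent/child pair
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent == ARCHIVER and child in SCRIPT_INTERPRETERS:
            alerts.append({
                "parent": parent,
                "child": child,
                "command_line": ev.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_archiver_spawned_scripts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['parent']} -> {alert['child']}: {alert['command_line']}")
```

The rule deliberately keys on the parent image rather than on any temp-directory name, so it still fires if WinRAR's extraction location changes; widening `SCRIPT_INTERPRETERS` to other unexpected children (and then tuning against the viewers your users legitimately open from archives) is the usual next step when the baseline is known.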
The reframe worth keeping is about where to place the defense. When a bug weaponizes the user’s correct behavior, the answer is not more training; it’s removing the user from the critical path. Patch through tooling so the fix arrives without anyone deciding to install it, scan archives before they reach the desktop, and stop treating “the user opened it” as the failure when the software gave them no way to know. CVE-2023-38831 is the clean case: the people who opened those archives weren’t careless, they were using a file the way files are meant to be used, and the defense had to live somewhere other than their judgment. We flag the bugs that turn ordinary actions into compromise, because those are the ones awareness training can’t reach.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2023-38831 — 2023-08-23
- RARLAB WinRAR 6.23 release notes — 2023-08-02
- Group-IB: CVE-2023-38831 WinRAR zero-day exploited against traders — 2023-08-23
- Help Net Security: State-sponsored APTs are leveraging the WinRAR bug — 2023-10-18
- Splunk: WinRAR spoofing attack CVE-2023-38831 detections — 2023