Arming WinRAR: Deep dive into clusters of SideCopy APT and its correlation with Transparent Tribe

Botconf 2025
Thursday
2025-05-22 | 09:00 – 09:40

Speakers: Sathwik Ram Prakki, Kartik Jivani

Since the disclosure of vulnerabilities in WinRAR, multiple advanced persistent threat (APT) groups and other threat actors have exploited them in targeted attacks on critical sectors across several countries. This presentation focuses on one of those flaws, CVE-2023-38831, a logic bug in WinRAR's handling of ZIP archives (fixed in WinRAR 6.23) that lets an attacker craft an archive in which opening a benign-looking file, such as a PDF or an image, instead executes an attacker-supplied script. We explain the vulnerability and the tactics of the threat actors who deliver such malicious ZIP archives through phishing campaigns.
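The archive structure that CVE-2023-38831 relies on is a decoy file whose name ends in a space, alongside a folder carrying the identical name that holds the script to be executed. The following triage check, an added example written for this page rather than code from the speakers or from any of the tools they describe, parses a ZIP's entry names and flags that pattern. The archive it inspects is constructed in memory from placeholder bytes (no real document or payload), and the function and file names are illustrative assumptions.

```python
import io
import zipfile


def find_cve_2023_38831_candidates(archive_bytes: bytes) -> list[tuple[str, list[str]]]:
    """Return (decoy_entry, [entries inside the same-named folder]) pairs.

    Heuristic based on the public description of CVE-2023-38831 lures:
    a file entry whose name ends with a space, plus other entries that
    live under a directory with exactly that name. A file and a directory
    with an identical name cannot coexist on ordinary filesystems, so the
    structure is anomalous on its own. This is a triage signal, not proof
    of exploitation: confirm by inspecting the contents of the folder.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Normalise separators so archives built on Windows are handled too.
        names = [n.replace("\\", "/") for n in zf.namelist()]

    findings = []
    for name in names:
        if name.endswith("/") or not name.endswith(" "):
            continue  # only plain file entries with a trailing space qualify
        prefix = name + "/"
        payloads = sorted(
            n for n in names if n.startswith(prefix) and not n.endswith("/")
        )
        if payloads:
            findings.append((name, payloads))
    return sorted(findings)


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archives (placeholder bytes only, no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Decoy name ends in a space; a folder of the same name holds the script.
            zf.writestr("report.pdf ", b"%PDF-1.4\n% constructed decoy\n")
            zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\nrem constructed placeholder\r\n")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4\n% constructed benign file\n")
            zf.writestr("notes/readme.txt", b"constructed benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, find_cve_2023_38831_candidates(build_sample_archive(flag)))
```

Run it over archives quarantined by a mail gateway or extracted from phishing reports; any hit deserves a look at the entries under the flagged folder before the archive is opened in a vulnerable WinRAR build.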

The talk builds on a case study of the SideCopy APT and examines in detail how WinRAR is weaponized to compromise entities in India. It covers six distinct clusters of this APT and dissects the payloads deployed in a multi-platform attack campaign that used a variety of decoys and a consistent naming convention throughout 2024. It also presents the infrastructure used by SideCopy and what it reveals about the group's modus operandi: compromised domains sharing IP addresses across multiple campaigns during the year; targeting of the government, maritime and education sectors; and extensive overlaps in code and infrastructure with the parent group Transparent Tribe (APT36) and with Operation RusticWeb.
