
CVE-2023-38831 Explained: WinRAR Remote Code Execution via Crafted Archive

A code execution vulnerability in WinRAR where a ZIP archive appearing to contain a harmless document instead executes a hidden script when the user double-clicks the displayed file. Weaponised by Russian APT28 and North Korean APT40 for spear-phishing campaigns.

Sources: NVD | Group-IB — CVE-2023-38831 WinRAR 0-Day | Google TAG — State-sponsored actors exploit WinRAR vulnerability | CISA Known Exploited Vulnerabilities Catalog

CVSS score: 7.8
WinRAR users at risk: 500M+
Exploited as a zero-day before the patch: 4 months
Zero-day used in targeted APT campaigns

CVE-2023-38831 is a code execution vulnerability in WinRAR — the archive utility with over 500 million users worldwide — that allows an attacker to execute code on a victim's system when the victim double-clicks an apparently innocent file inside a crafted ZIP archive. The archive displays a legitimate-looking document name; WinRAR executes a hidden script instead. No macros, no exploit chains — just a user performing a normal action with a malicious file.

Group-IB discovered the vulnerability had been exploited as a zero-day since at least April 2023 — four months before RARLAB released the patch in August 2023. Russian APT28 and North Korean APT40 both used CVE-2023-38831 in targeted spear-phishing campaigns, selecting victims in financial services and government sectors. Google TAG confirmed independent exploitation by multiple state-sponsored actors.

How CVE-2023-38831 Works: The Archive Trick Explained

ZIP archives can contain both files and folders at the same path prefix. CVE-2023-38831 exploits a flaw in how WinRAR renders and handles the contents of a ZIP archive when a user double-clicks a displayed entry.

The attacker creates a ZIP archive with two items sharing the same base name:

1. An innocent-looking file: `trading_strategy.pdf`
2. A folder named `trading_strategy.pdf ` (with a trailing space) containing a script: `trading_strategy.pdf .bat` or `.cmd`

When the archive is opened in a vulnerable WinRAR version, the interface displays only the apparent PDF. When the user double-clicks it, WinRAR's file handling logic navigates into the folder bearing the same name and executes the script found inside — not the displayed PDF. The user sees nothing unusual. A command prompt may flash briefly, but by then the script has already run.

The key flaw is that WinRAR resolves the file path via the folder with the matching name rather than executing the displayed file, due to inconsistency between how the archive listing is rendered and how double-click is handled. The result is that user intent (open a PDF) is silently replaced by attacker intent (execute a script).

1. Craft malicious ZIP archive

Create a ZIP containing a benign-looking filename (e.g., 'market_report.pdf') and a folder with the same name plus whitespace or special characters, containing a .bat, .cmd, or .exe script with the same base name. The script contains the attacker's payload.

2. Deliver via email, forum, or file share

Attach the archive to a spear-phishing email with subject and context relevant to the target's interests. APT28 targeted traders with archives purporting to contain market data. APT40 targeted officials with policy documents. The archive appears benign to email gateways.

3. Victim opens archive in WinRAR

Victim saves and opens the archive in WinRAR. The interface displays the innocent-looking filename. Nothing appears suspicious — the victim sees what they expect.

4. Victim double-clicks the displayed file

Victim double-clicks the displayed document filename, expecting to open a PDF or image. WinRAR resolves the path through the same-named folder and executes the script instead.

5. Payload executes with victim's privileges

The script runs under the victim's Windows session with their user privileges. Payloads observed in APT28 campaigns included downloaders for remote access trojans and credential stealers. APT40 deployed malware for intelligence collection and lateral movement.

Nation-State Exploitation Campaigns

Group-IB identified CVE-2023-38831 exploitation beginning in April 2023 — making it a four-month zero-day before the patch. The initial campaigns targeted cryptocurrency traders and financial professionals, delivering WinRAR archives that appeared to contain trading strategies, investment analyses, and market data.

Google TAG subsequently confirmed exploitation by multiple state-sponsored actors. APT28 (Fancy Bear, GRU Unit 26165) was confirmed using CVE-2023-38831 in campaigns targeting European financial institutions and energy sector entities. APT40 (North Korean group also tracked as TA423) used the vulnerability in campaigns targeting government officials and think tank researchers in the Asia-Pacific region.

The attack pattern — crafted archive delivered by email, displaying an innocent filename — is effective because it bypasses most email gateway detections (the archive is genuinely a ZIP file containing a real PDF), exploits user trust in a familiar workflow (double-click to open a file), and requires no macros, no Office document interaction, and no UAC prompt for initial execution.

"We discovered that CVE-2023-38831 was actively exploited as a 0-day vulnerability by cybercriminal groups targeting financial traders. Malicious actors managed to exploit a recently discovered vulnerability in WinRAR and used it to attack at least 130 traders."

Group-IB, August 2023

Patching and Detecting CVE-2023-38831

The fix is simple: upgrade WinRAR. Detection focuses on identifying unpatched installations and reviewing endpoint logs for suspicious archive-related process activity.

Upgrade WinRAR to 6.23 or later on all systems

WinRAR does not auto-update. Download the installer from rarlab.com and deploy across all managed endpoints. Use software inventory to identify all WinRAR installations and their versions. Any version below 6.23 is vulnerable.

Consider replacing WinRAR with 7-Zip for enterprise use

7-Zip is free, open-source, and not affected by CVE-2023-38831. For organisations standardising archive tools, 7-Zip is a comparable replacement that reduces the risk of future WinRAR-specific vulnerabilities.

Configure email gateways to inspect ZIP contents

Enable recursive archive scanning on email gateways. Look for ZIPs containing both a file and a same-named folder — this structural pattern is unusual in legitimate archives and is the fingerprint of a CVE-2023-38831 exploit archive.
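As an added example (not code from the original article or from any gateway vendor), the structural check described above implemented over a ZIP's central directory in Python: it flags a top-level file whose name also appears as a folder name, exactly or with trailing characters such as a space, when that folder holds an entry with a script extension. The two archives are constructed in memory purely as test input, and the "script" body is an inert placeholder string.

```python
import io
import zipfile

# Script extensions named in the article; extend the tuple as needed.
SCRIPT_EXTS = (".bat", ".cmd", ".exe")


def find_decoy_pairs(names):
    """Return (decoy_file, script_entry) pairs from a list of ZIP entry names.

    A top-level file (the decoy the user sees) is flagged when its name also
    appears as a folder name, exactly or with trailing characters such as a
    space, and that folder holds an entry ending in one of SCRIPT_EXTS.
    """
    top_level_files = {n for n in names if "/" not in n}
    hits = []
    for name in names:
        folder, sep, inner = name.partition("/")
        if not sep or not inner or inner.endswith("/"):
            continue  # top-level file or bare directory entry
        if not inner.lower().endswith(SCRIPT_EXTS):
            continue
        for decoy in sorted(top_level_files):
            if folder.startswith(decoy):  # "report.pdf " matches "report.pdf"
                hits.append((decoy, name))
    return hits

def scan_archive(data):
    """Inspect raw ZIP bytes via the central directory; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_pairs(zf.namelist())

def build_archive(entries):
    """Constructed in-memory ZIP from {name: bytes}, used only as test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: the "script" body is an inert placeholder, not a payload.
SUSPICIOUS = build_archive({
    "trading_strategy.pdf": b"%PDF-1.4 placeholder",
    "trading_strategy.pdf /trading_strategy.pdf .cmd": b"REM placeholder",
})
BENIGN = build_archive({
    "report.pdf": b"%PDF-1.4 placeholder",
    "report_assets/logo.png": b"\x89PNG placeholder",
})
```

Because the check reads only entry names, it runs without extracting anything and can be applied to attachments at the gateway or to archives already sitting on file shares.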

Review endpoint telemetry for suspicious child processes of WinRAR

If WinRAR spawns a cmd.exe, powershell.exe, or wscript.exe process — or a process that then executes a batch script — this is anomalous. Normal WinRAR usage opens documents in their registered viewer, not scripting engines. EDR rules detecting WinRAR spawning script interpreters are an effective detection mechanism.
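As an added example (not from the original article or from any EDR product), the parent/child rule described above expressed as a small Python check over process-creation events. The field names ParentImage, Image and CommandLine follow Sysmon Event ID 1; the events themselves are constructed sample telemetry with placeholder paths, not real logs.

```python
import ntpath

# Script interpreters the article names as anomalous children of WinRAR.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}
BATCH_EXTS = (".bat", ".cmd")


def is_suspicious_child(event):
    """Return a reason string when a process-creation event shows WinRAR
    launching a script, or None. Field names (ParentImage, Image,
    CommandLine) follow Sysmon Event ID 1 and are an assumption here."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "winrar.exe":
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if image in INTERPRETERS:
        return f"WinRAR spawned script interpreter {image}"
    if any(ext in cmdline for ext in BATCH_EXTS):
        return f"WinRAR child {image} references a batch script"
    return None


def scan_events(events):
    """Return [(Image, reason)] for every flagged event."""
    flagged = []
    for event in events:
        reason = is_suspicious_child(event)
        if reason:
            flagged.append((event["Image"], reason))
    return flagged


# Constructed sample telemetry, not real logs; paths are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\alice\AppData\Local\Temp\extracted\trading_strategy.pdf .cmd"'},
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "CommandLine": r'"Acrobat.exe" "C:\Users\alice\AppData\Local\Temp\extracted\report.pdf"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]
```

Only the first event is flagged: a document viewer launched by WinRAR is normal, and cmd.exe launched by Explorer is outside the rule's scope.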

The bottom line

CVE-2023-38831 is a demonstration that high-impact vulnerabilities do not need to be technically sophisticated. The exploit is a file structure trick — a ZIP that shows one thing and does another. What makes it effective is not the technical cleverness but the social engineering: users trust the files they see in their archive viewer, particularly when the filename matches their expectations.

State-sponsored actors chose CVE-2023-38831 for targeted campaigns precisely because it bypasses technical defences and exploits human behaviour. It cleared email gateways, it looked legitimate to the victim, and it required no special permissions to execute. For any organisation whose users handle email attachments containing ZIP files — which is effectively every organisation — ensuring WinRAR is patched to 6.23 or later is a straightforward and necessary control.

Frequently asked questions

What is CVE-2023-38831?

CVE-2023-38831 is a code execution vulnerability in WinRAR. An attacker constructs a ZIP archive containing a file with an innocent-looking name (such as 'report.pdf') and a folder with the same name. When a WinRAR user double-clicks the displayed 'report.pdf' inside the archive, WinRAR actually executes a script found inside the same-named folder. This triggers code execution without any additional user interaction beyond opening a normal-looking file.

How was CVE-2023-38831 exploited in the wild?

Group-IB discovered the vulnerability had been exploited as a zero-day since April 2023 — four months before the August patch. APT28 (Russian Fancy Bear) targeted financial traders, delivering archives purporting to contain trading strategies or market data. APT40 (North Korean group) targeted government officials with archives appearing to contain policy documents. In both cases, the victim saw a harmless-looking file, double-clicked it, and executed attacker code.

Is CVE-2023-38831 still relevant?

Yes for organisations with unpatched WinRAR installations. WinRAR is not auto-updated by default, and many users run older versions for years. Any installation prior to 6.23 remains vulnerable. Additionally, archives crafted to exploit CVE-2023-38831 may still circulate in email systems and file shares — the malicious archives don't expire.

Does 7-Zip, WinZip, or the Windows built-in ZIP handler have this vulnerability?

No. CVE-2023-38831 is specific to WinRAR's file handling logic. 7-Zip, WinZip, the Windows Explorer ZIP handler, and other archive tools are not affected by this specific vulnerability. Users who receive a CVE-2023-38831 archive and open it with 7-Zip or another tool see the archive's actual structure rather than the decoy view, and do not trigger the malicious code path.

How do I patch CVE-2023-38831?

Upgrade WinRAR to version 6.23 or later. WinRAR is not auto-updated — users must download the installer from rarlab.com and run it manually. To verify your current version: open WinRAR > Help > About WinRAR. Consider deploying the update centrally via software management tools to ensure consistent patching across your estate.

Sources & references

  1. NVD
  2. Group-IB — CVE-2023-38831 WinRAR 0-Day
  3. Google TAG — State-sponsored actors exploit WinRAR vulnerability
  4. CISA Known Exploited Vulnerabilities Catalog

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest