{
	"id": "bedbeb7c-f4df-43b8-8437-8dfc097422f0",
	"created_at": "2026-04-06T00:07:38.443901Z",
	"updated_at": "2026-04-10T03:37:50.76851Z",
	"deleted_at": null,
	"sha1_hash": "57d559fc95fefdb0ae60d76ca0095e9332715e29",
	"title": "Russian researchers say espionage operation using WinRAR bug is linked to Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81461,
	"plain_text": "Russian researchers say espionage operation using WinRAR bug is linked to Ukraine\r\nBy Daryna Antoniuk\r\nPublished: 2024-03-28 · Archived: 2026-04-05 17:02:10 UTC\r\nRussian security researchers said they have discovered a new cyber-espionage group with links to Ukraine that has been operating since at least January of this year.\r\nThey named the group PhantomCore and labeled the attackers’ previously undescribed remote access malware as PhantomRAT.\r\nDuring the attacks on unnamed Russian companies, the hackers exploited a known vulnerability in the Windows file archiver tool WinRAR, according to the Moscow-based cybersecurity company F.A.C.C.T.\r\nIdentified as CVE-2023-38831, the bug was previously exploited by state-controlled hackers connected to Russia and China in early 2023 before being patched.\r\nThe tactics used by PhantomCore differed from previous attacks exploiting this vulnerability, according to F.A.C.C.T. For example, the hackers executed malicious code through the exploitation of a specially crafted RAR archive, instead of a ZIP file as previously observed, the researchers said.\r\nTo deliver PhantomRAT into victims’ systems, the hackers used phishing emails containing a PDF file disguised as a contract, along with an attached RAR archive protected by a password sent within the email. PDF files are a common lure in cyberespionage campaigns.\r\nAn executable file in the archive only launched when the PDF file was opened by a user with a WinRAR version earlier than 6.23.\r\nDuring the final stages of the attack, the vulnerable systems were infected with PhantomRAT, which is capable of downloading files from a command and control (C2) server and uploading files from a compromised host to the hackers' controlled server, the researchers said.\r\nThe information that hackers could obtain during the campaign included the host name, user name, local IP address, and version of the operating system. Typically, this information can help hackers conduct further attacks.\r\nDuring the analysis, the researchers also found three test samples of PhantomRAT, which, according to F.A.C.C.T., were uploaded from Ukraine.\r\n“We can state with a moderate level of confidence that the attackers conducting these attacks may be located within the territory of Ukraine,” researchers said.\r\nIndependent review\r\nhttps://therecord.media/russian-researchers-winrar-bug-ukraine-espionage\r\nPage 1 of 3\r\nThe attribution of PhantomCore’s campaign to Ukraine couldn’t be verified. Given that the majority of Western cyber companies left Russia when it invaded Ukraine, they have limited visibility inside Russian networks.\r\nRecorded Future News asked several companies to review F.A.C.C.T.’s research.\r\nResearchers at Check Point said they looked into the report and the vulnerability in question, and can confirm that the malware is operational as described.\r\nAll systems running WinRAR versions earlier than 6.23 are vulnerable, Check Point said. However, the researchers noted that the specific sample inside the archive is designed only for 64-bit systems — processing power typically found in newer Windows machines. It is possible that in other attacks, the payload could be different, potentially affecting both 32-bit and 64-bit systems if desired by the attacker, Check Point said.\r\nMicrosoft’s director of threat intelligence strategy, Sherrod DeGrippo, said that the company has not previously observed the specific activity that F.A.C.C.T. has attributed to this group.\r\nHowever, Microsoft and other companies are familiar with the widespread exploitation of CVE-2023-38831, including by cybercriminals and state-sponsored actors.\r\nFor example, Group-IB initially identified the vulnerability after it was abused by unknown cybercriminals targeting traders. Google then reported on Russia-linked attackers exploiting it while targeting the energy sector using malicious ZIP files containing a commercially available infostealer. Google also observed another Russian state-backed group exploiting the vulnerability against users in Ukraine, DeGrippo said.\r\nDeGrippo also disputed one of F.A.C.C.T.’s assertions about how PhantomRAT is delivered.\r\n“Regarding PhantomCore’s use of RAR archives instead of ZIP files in the threat actor’s attack chain, this technique has been previously observed,” DeGrippo added. For example, the group Microsoft tracks as Forest Blizzard targeted organizations globally using lures in a RAR archive exploiting the CVE-2023-38831 vulnerability.\r\nResearchers at Cloud Security Alliance have also observed threat actors tracked as DarkPink using RAR archive files.\r\nDaryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
	],
	"report_names": [
		"russian-researchers-winrar-bug-ukraine-espionage"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57d559fc95fefdb0ae60d76ca0095e9332715e29.pdf",
		"text": "https://archive.orkl.eu/57d559fc95fefdb0ae60d76ca0095e9332715e29.txt",
		"img": "https://archive.orkl.eu/57d559fc95fefdb0ae60d76ca0095e9332715e29.jpg"
	}
}