{
	"id": "e6d6fa68-38e6-44f4-a2b5-cdd9dfd45090",
	"created_at": "2026-04-06T00:20:11.725864Z",
	"updated_at": "2026-04-10T03:37:23.76216Z",
	"deleted_at": null,
	"sha1_hash": "7318d1672ad4700aba7143e33fe106b6dc9d40f7",
	"title": "The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2729661,
	"plain_text": "The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits\r\nBy NSFOCUS\r\nPublished: 2023-11-10 · Archived: 2026-04-02 11:01:35 UTC\r\nOverview\r\nIn 2022, NSFOCUS Research Labs disclosed a large-scale APT campaign it called DarkCasino and identified an active and dangerous threat actor behind it. Through continuous tracking and in-depth study of the attacker’s activities, NSFOCUS Research Labs ruled out links to known APT groups, confirmed the actor’s nature as a persistent, high-capability threat, and named the group DarkCasino after the operation.\r\nIn August 2023, security vendor Group-IB followed up with a disclosure of DarkCasino activity against cryptocurrency forum users, in which it captured a WinRAR 0-day vulnerability, CVE-2023-38831, being exploited by the group.\r\nNSFOCUS Research Labs analyzed DarkCasino’s exploitation of the WinRAR vulnerability and confirmed its techniques and tactics. While tracking exploitation of the vulnerability, NSFOCUS Research Labs also found a large number of attacks by known APT groups and by unattributed attackers. 
Most of these attacks targeted national governments or multinational organizations.\r\nThis report analyzes the APT group DarkCasino and its recent attacks in detail, discloses the exploitation of the WinRAR vulnerability by several known APT groups and by new threat actors, and forecasts how this threat will develop.\r\nhttps://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/\r\nPage 1 of 20\n\nAbout APT Group DarkCasino\r\nDarkCasino is an economically motivated APT group first observed by NSFOCUS Research Labs in 2021.\r\nFigure 2.1 Impression of DarkCasino created by DALL-E\r\nName: DarkCasino\r\nAffiliation: Unknown\r\nMotivation: Economic benefits\r\nTarget industries: Cryptocurrency trading platforms, online casinos and online banks worldwide\r\nTarget victims: Staff and users of online trading platforms\r\nMain attack vectors: Watering hole phishing, spear phishing\r\nRepresentative attack tools: Trojan DarkMe; vulnerability CVE-2023-38831\r\nTable 2.1 DarkCasino Information\r\nThe name DarkCasino comes from a large-scale APT operation of the same name captured by NSFOCUS Research Labs in 2022. The group mainly targets online trading platforms in Europe, Asia, the Middle East and other regions, covering cryptocurrency exchanges, online casinos, online banks and online credit platforms. DarkCasino specializes in stealing credentials from target hosts and then draining the assets victims hold in their online accounts.\r\nAttacks launched by DarkCasino are very frequent, reflecting a strong appetite for stealing online assets. 
In its early days, DarkCasino mainly operated against users of online financial services in countries around the Mediterranean and in parts of Asia; more recently, as its phishing methods changed, its attacks have reached cryptocurrency users worldwide, including non-English-speaking Asian countries such as South Korea and Vietnam.\r\nDarkCasino is a technically strong, fast-learning threat actor that readily integrates popular APT techniques into its attack chain. Early on, the group borrowed heavily from the tradecraft of the APT actor Evilnum, using malicious shortcuts, image steganography and similar techniques for its phishing attacks. Because the overall chain design also resembled Evilnum’s, NSFOCUS Research Labs initially attributed the activity to Evilnum. After H2 2022, DarkCasino gradually abandoned the Evilnum-derived approach and developed a multi-stage loading pattern built on several Visual Basic components, with which it carried out a number of larger-scale attacks.\r\nIn 2021, DarkCasino developed a Visual Basic-based Trojan called DarkMe and has continually refined the attack chain around it, improving its functionality, evasion and delivery methods to make attacks more stable and efficient. For a detailed analysis of this tool, refer to the analysis report published by NSFOCUS Research Labs.\r\nAt present, there is not enough evidence to establish the origin of DarkCasino.\r\nAbout CVE-2023-38831\r\nCVE-2023-38831 is an arbitrary code execution vulnerability in WinRAR that was first exploited by DarkCasino in April 2023 and fixed in WinRAR 6.23, released in August 2023.\r\nThe vulnerability lies in the way WinRAR opens a file from within an archive. 
The attacker constructs an archive containing a decoy file (for example a .pdf), a folder whose name is the decoy’s name followed by a trailing space, and, inside that folder, a malicious script whose name is the decoy’s name followed by a space and an executable extension. When the user double-clicks the decoy, WinRAR extracts both the decoy and the contents of the same-named folder and then calls the API function ShellExecuteExW on the decoy path; the trailing space causes that call to resolve to the malicious file instead, so the script runs when the decoy should have been opened.\r\nNSFOCUS Research Labs found that CVE-2023-38831 can be integrated into ordinary email or watering hole phishing, replacing the malicious archive attachments commonly seen in phishing emails with something far more convincing. Untrained WinRAR users find such exploit files hard to recognize and defend against, and some exploitation variants also have a degree of anti-virus evasion that lets them bypass endpoint protection on the target device.\r\nBecause of WinRAR’s very large installed base, the absence of an automatic update channel and the resulting difficulty of keeping it patched, CVE-2023-38831 has broad impact and strong attack power. This vulnerability is expected to remain an important weapon for breaching target defenses for some time.\r\nRecent Activities of DarkCasino\r\nOverview\r\nNSFOCUS Research Labs observed that DarkCasino has been active for more than a year since it first launched large-scale cyberattacks using the Trojan DarkMe in 2022. 
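The archive layout described under About CVE-2023-38831 above can be checked for mechanically before anyone double-clicks anything. The Python below is an added example written for this page, not code from NSFOCUS or from any captured sample. It builds a harmless ZIP fixture that reproduces only the entry names of the trap (a decoy, a same-named folder with a trailing space, and a same-named script inside it, following Figures 4.3 and 4.4, with placeholder text as content), then scans the archive two ways: a strict match on the decoy/folder/script triple, which also accepts a decoy whose own name carries a trailing space and works at any folder depth, and a looser indicator, any path component ending in a space, which Win32 strips from file names at creation time and which therefore has no legitimate reason to appear in an archive. The list of executable extensions is an assumption of this example, not something taken from the report; ZIP is used because the standard library reads it, and the same name checks apply to the entry list of a RAR archive.

```python
import io
import zipfile

# Extensions treated as executable when found inside the trailing-space folder
# (an assumption of this example, not a list from the report).
EXEC_EXTENSIONS = ('.cmd', '.bat', '.exe', '.com', '.scr', '.pif', '.vbs', '.js', '.lnk')


def trailing_space_entries(zf):
    '''Entries with any path component that ends in a space.

    Win32 strips trailing spaces from file names, so such names cannot be
    created normally on Windows; inside an archive they are a cheap indicator.'''
    flagged = []
    for name in zf.namelist():
        if any(part != part.rstrip(' ') for part in name.split('/') if part):
            flagged.append(name)
    return sorted(flagged)


def find_cve_2023_38831_layout(zf):
    '''Return (decoy, script) pairs that form the CVE-2023-38831 trap.

    Trap = a file X.ext, a sibling folder named X.ext plus a trailing space
    and, inside it, a file named X.ext followed by a space and an executable
    extension. The decoy itself may or may not carry a trailing space.'''
    names = [n for n in zf.namelist() if not n.endswith('/')]
    # (parent directory, basename with trailing spaces removed) -> entry names
    by_location = {}
    for n in names:
        parts = n.split('/')
        key = ('/'.join(parts[:-1]), parts[-1].rstrip(' '))
        by_location.setdefault(key, []).append(n)
    hits = []
    for n in names:
        parts = n.split('/')
        if len(parts) < 2:
            continue
        folder, inner = parts[-2], parts[-1]
        base = folder.rstrip(' ')
        if folder == base:
            continue                      # the folder must end in a space
        if not inner.startswith(base + ' '):
            continue                      # the inner file reuses the decoy name
        if not inner.lower().endswith(EXEC_EXTENSIONS):
            continue
        for decoy in by_location.get(('/'.join(parts[:-2]), base), []):
            hits.append((decoy, n))
    return hits


def scan_zip_bytes(data):
    '''Scan an in-memory ZIP and return both indicators.'''
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            'trap_pairs': find_cve_2023_38831_layout(zf),
            'trailing_space_entries': trailing_space_entries(zf),
        }


def build_fixture(trap=True, decoy_trailing_space=False):
    '''Constructed ZIP with placeholder content; only the entry names matter.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        if trap:
            # layout of Figures 4.3/4.4: decoy, same-named folder with a
            # trailing space, same-named script and a second file inside it
            decoy = 'Trading_Strategies_2023.pdf' + (' ' if decoy_trailing_space else '')
            zf.writestr(decoy, 'placeholder decoy')
            zf.writestr('Trading_Strategies_2023.pdf /Trading_Strategies_2023.pdf .cmd', 'rem placeholder')
            zf.writestr('Trading_Strategies_2023.pdf /Images.com', 'placeholder')
        else:
            zf.writestr('report.pdf', 'placeholder')
            zf.writestr('images/logo.png', 'placeholder')
    return buf.getvalue()


if __name__ == '__main__':
    for label, data in (('trap', build_fixture(True)), ('benign', build_fixture(False))):
        print(label, scan_zip_bytes(data))
```

Running the script prints the single decoy/script pair for the trap fixture and nothing for the benign one; in practice the loose trailing-space check alone is enough to quarantine an archive at a mail gateway, since no legitimate Windows tool produces such names.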
Attacks by DarkCasino against online trading platforms have been seen in every quarter.\r\nIn April 2023, DarkCasino developed a new attack pattern and launched a new round of attacks against online trading forums.\r\nIn this new pattern DarkCasino exploited a WinRAR zero-day (later identified by security researchers and assigned CVE-2023-38831), placing malicious programs into specially crafted exploit archives and phishing forum users through posts on online trading forums.\r\nDarkCasino typically wrote posts offering money-making tips or investment advice and lured forum users into opening the malicious files attached to or linked from the posts.\r\nDarkCasino seeded a large number of exploit files across various trading forums. As of October, some posts with malicious links or attachments had still not been cleaned up, as shown below.\r\nFigure 4.1 Phishing Posts from DarkCasino\r\nAttack Process Analysis\r\nNSFOCUS Research Labs found that DarkCasino implemented two attack chains delivered through these exploit archives. The main logic of the two chains is similar; the main difference lies in how the encrypted Trojan data is stored.\r\nThis report takes the chain that stores the Trojan in an encrypted .txt file as its example to introduce the design and the changes DarkCasino made in this round of operations.\r\nThe main components of this chain are shown in the following figure: the CVE-2023-38831 exploit archive, a Cabinet archive, a registry file and an ActiveX control file. 
The chain runs in three stages: vulnerability exploitation, payload release and Trojan execution.\r\nFigure 4.2 Main Attack Process of DarkCasino\r\nIn the other chain, DarkCasino replaces the encrypted .txt file holding the Trojan data with a steganographic image.\r\nVulnerability Exploitation Stage\r\nWhen the victim opens a file named “Trading_strategy_2023.rar”, WinRAR displays the following file structure:\r\nFigure 4.3 DarkCasino Vulnerability File Structure A\r\nThis is the typical layout of a CVE-2023-38831 exploit archive. When the user double-clicks the pdf file in the archive, what actually runs is a batch file named “Trading_Strategies_2023.pdf .cmd” inside the folder of the same name.\r\nFigure 4.4 DarkCasino Vulnerability File Structure B\r\nThe batch file opens the original decoy pdf and also runs a malicious file named Images.com.\r\nThe contents of the decoy pdf used in this example chain are shown below.\r\nFigure 4.5 Decoys used by DarkCasino\r\nPayload Release Stage\r\nThe Images.com file launched by the batch file is a loader designed by DarkCasino. 
The program is actually a Cabinet archive disguised as a .com file and contains five components: sw.exe, na.ocx, nb.ocx, ph.txt and add.txt.\r\nAfter the loader drops these five components into the TEMP directory, it runs sw.exe to start the next loading step.\r\nsw.exe itself contains no malicious functionality; its role is to load the na.ocx and nb.ocx library files.\r\nna.ocx reads and decrypts ph.txt, saves the decrypted content as %APPDATA%\\RarDir\\ClassFile.ocx, and also moves add.txt into that directory.\r\nFigure 4.6 Malicious files generated by DarkCasino in APPDATA\r\nnb.ocx then runs the following cmd commands:\r\ncmd /c cd APPDATA\\RarDir\u0026\u0026cmd /c timeout 1\u0026\u0026cmd /c reg.exe import add.txt\r\ncmd /c cd APPDATA\\RarDir\u0026\u0026cmd /c timeout 1\u0026\u0026cmd /c rundll32.exe /sta {EA6FC2FF-7AE6-4534-9495-F688FEC7858C} Mouse_Keyboard\r\nThe first command merges add.txt into the registry, registering a COM class; the second uses the rundll32.exe /sta switch with that CLSID to instantiate the class, which loads the registered server. The registered COM server is the decrypted ClassFile.ocx saved in the previous step.\r\nTrojan Execution Stage\r\nThe COM component ClassFile.ocx run in this way is the final payload of this chain.\r\nThe Trojan DarkCasino used in this round of operations is DarkMe, the group’s usual tool.\r\nThe DarkMe build seen in this round is functionally almost identical to the versions DarkCasino used before. The main difference is that DarkCasino has added much more obfuscation code, inflating the program file to over 20MB, a tactic that effectively lowers the chance of detection.\r\nDarkMe is a Visual Basic spy Trojan whose first version appeared on September 25, 2021. 
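The two nb.ocx commands shown above in the payload release stage form a compact COM-registration chain: a .reg file is merged from a user-writable directory, and moments later rundll32.exe /sta is asked to instantiate the CLSID that file just registered, which loads ClassFile.ocx. That sequence is straightforward to hunt for in process-creation telemetry. The Python below is an added example for this page, not NSFOCUS code and not taken from any sample. The event records are constructed: they are modelled on the two command lines shown (with %APPDATA% spelled out) plus two benign negatives, a reg import from Program Files and an ordinary rundll32 call; the 60-second correlation window and the list of user-writable path fragments are assumptions. Each command line is tagged, and a reg import from a relative or user-writable path is then paired with any later rundll32 /sta activation of a CLSID inside the window.

```python
import re
from datetime import datetime, timedelta

# rundll32.exe /sta {CLSID} [entry]: activates a registered COM class by CLSID
RUNDLL32_STA = re.compile('rundll32(?:[.]exe)?[ ]+/sta[ ]+[{]([0-9a-f-]{36})[}]', re.I)
# reg.exe import <file>, up to the next && or the end of the line
REG_IMPORT = re.compile('reg(?:[.]exe)?[ ]+import[ ]+(.+?)(?:[ ]*&&|$)', re.I)
# Path fragments that mark user-writable locations (assumption of this example)
USER_WRITABLE_HINTS = ('appdata', 'temp', 'tmp', 'users', 'programdata', 'public')

# Constructed process-creation events (timestamp, parent image, command line),
# modelled on the two nb.ocx commands above plus two benign negatives.
# U+005C escapes stand for backslashes.
SAMPLE_EVENTS = [
    ('2023-09-01T10:00:00', 'sw.exe',
     'cmd /c cd %APPDATA%\u005cRarDir&&cmd /c timeout 1&&cmd /c reg.exe import add.txt'),
    ('2023-09-01T10:00:02', 'cmd.exe', 'reg.exe import add.txt'),
    ('2023-09-01T10:00:03', 'sw.exe',
     'cmd /c cd %APPDATA%\u005cRarDir&&cmd /c timeout 1&&cmd /c rundll32.exe /sta {EA6FC2FF-7AE6-4534-9495-F688FEC7858C} Mouse_Keyboard'),
    ('2023-09-01T10:00:05', 'cmd.exe',
     'rundll32.exe /sta {EA6FC2FF-7AE6-4534-9495-F688FEC7858C} Mouse_Keyboard'),
    ('2023-09-01T11:30:00', 'explorer.exe', 'rundll32.exe shell32.dll,Control_RunDLL'),
    ('2023-09-01T12:00:00', 'setup.exe',
     'reg.exe import C:\u005cProgram Files\u005cVendor\u005csettings.reg'),
]


def classify(cmdline):
    '''Tag one command line with the behaviours of this chain that it shows.'''
    tags = []
    if RUNDLL32_STA.search(cmdline):
        tags.append('rundll32-sta-clsid')
    m = REG_IMPORT.search(cmdline)
    if m:
        target = m.group(1).strip().lower()
        relative = ':' not in target          # no drive letter: resolved against the cwd
        if relative or any(h in target for h in USER_WRITABLE_HINTS):
            tags.append('reg-import-user-writable')
    return tags


def find_chains(events, window_seconds=60):
    '''Pair a suspicious reg import with a later rundll32 /sta activation.

    Returns one record per CLSID: the .reg files merged shortly before the
    activation and the parent images that launched the steps.'''
    parsed = [(datetime.fromisoformat(ts), parent, cmd) for ts, parent, cmd in events]
    imports = [(t, REG_IMPORT.search(c).group(1).strip())
               for t, _, c in parsed if 'reg-import-user-writable' in classify(c)]
    window = timedelta(seconds=window_seconds)
    chains = {}
    for t, parent, cmd in parsed:
        m = RUNDLL32_STA.search(cmd)
        if not m:
            continue
        prior = [f for ti, f in imports if timedelta(0) <= t - ti <= window]
        if not prior:
            continue
        clsid = m.group(1).upper()
        rec = chains.setdefault(clsid, {'clsid': clsid, 'first_seen': t.isoformat(),
                                        'reg_files': set(), 'parents': set()})
        rec['reg_files'].update(prior)
        rec['parents'].add(parent)
    return list(chains.values())


if __name__ == '__main__':
    for ts, parent, cmd in SAMPLE_EVENTS:
        print(ts, parent, classify(cmd))
    for chain in find_chains(SAMPLE_EVENTS):
        print(chain)
```

The two tags are deliberately kept separate: a rundll32 /sta activation of a CLSID is uncommon enough to be worth a look on its own, but it is the pairing with a .reg merge from a path the user controls that turns it into a high-confidence signal, since a legitimately installed COM server is registered by an installer, not by reg.exe from %APPDATA% a second earlier.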
It currently supports host information collection, screenshots, file and registry manipulation, cmd command execution, self-update, persistence and other functions.\r\nFor a detailed analysis of the Trojan DarkMe, refer to NSFOCUS Research Labs’ published report on Operation DarkCasino.\r\nCVE-2023-38831 Exploitation in the Wild\r\nWhen NSFOCUS Research Labs analyzed the exposure created by CVE-2023-38831, it found that since the vulnerability was disclosed in August 2023, multiple APT groups and unattributed attackers have used it in phishing attacks, most of them aimed at important government agencies in various countries.\r\nNSFOCUS Research Labs also captured a large number of exploit files produced and spread by phishing operators worldwide, indicating that the vulnerability is being exploited at scale.\r\nAttacks by known APT groups\r\nThe APT groups DarkPink in Southeast Asia, Konni in East Asia and GhostWriter in Eastern Europe have all been observed using CVE-2023-38831 in their operations.\r\nDarkPink-linked attacks on the governments of Vietnam and Malaysia\r\nThe APT group DarkPink has used CVE-2023-38831 against government targets in Vietnam and Malaysia.\r\nIn this round, DarkPink used the vulnerability to upgrade its existing attack chain and made several improvements to its techniques and tactics, significantly raising its success rate.\r\nFigure 5.1 Main Attack Process of DarkPink\r\nKnown DarkPink targets include Vietnam’s Ministry of Foreign Affairs, Ministry of Finance and State Securities Regulatory Commission, and Malaysian government departments such as the Ministry of Defense and Strategic Planning.\r\nDarkPink continues to use its main Trojans, TelePowerDropper and TelePowerBot, to steal information in this round of attacks.\r\nA detailed analysis of the DarkPink campaign can be found in reports published by NSFOCUS Research Labs.\r\nKonni-linked attacks on the cryptocurrency industry in South Korea\r\nKonni, an APT group from North Korea, also quickly adopted CVE-2023-38831 after it became public, launching attacks on South Korea’s cryptocurrency industry. These attacks were first disclosed by Knownsec.\r\nInterestingly, the chain Konni built around this vulnerability somewhat resembles the one originally used by DarkCasino: it consists of batch files, Trojan programs disguised as images, and binaries holding encrypted data.\r\nThe decoy Konni used in this attack is a web page named “Screenshot_2023_09_06_Qbao_Network.html”, which contains the recovery mnemonic of a cryptocurrency wallet application.\r\nFigure 5.2 Decoys used by Konni\r\nThe final payload Konni delivered in this attack is its signature Trojan KonniRAT, which gives long-term control of the victim host and access to its important contents.\r\nGhostWriter-linked attacks on defense and educational institutions in Ukraine\r\nAlso at the end of August, when the vulnerability was disclosed, GhostWriter (UAC-0057, UNC1151), an APT group suspected of operating from Belarus, began exploiting it in attacks against Ukraine.\r\nThe exploit archive built by GhostWriter is named “Збірник_тез_НУОУ_23” (National Defense University of Ukraine Digest 23). Its structure, shown in the following figures, consists of a decoy pdf file, a cmd batch file and an lnk shortcut file:\r\nFigure 5.3 Vulnerability File Structure A Built by GhostWriter\r\nFigure 5.4 Vulnerability File Structure B Built by GhostWriter\r\nAfter the vulnerability is triggered, the cmd batch file that actually executes runs the lnk shortcut, which drops the decoy .pdf and GhostWriter’s signature Trojan PicassoLoader.\r\nFigure 5.5 Decoys Used by GhostWriter\r\nPicassoLoader is a Trojan variant written in JavaScript. Its main function is to download and decrypt a blob of data from which it obtains and loads a Cobalt Strike Beacon, giving the attacker control of the victim’s host.\r\nUnconfirmed Threat Actors\r\nNSFOCUS Research Labs also captured many in-the-wild exploit files that could not be attributed to known APT actors. Because most of them target government agencies and multinational organizations, NSFOCUS Research Labs has tagged these attackers with temporary names for tracking.\r\nActor230830: Attack targeting the European Parliament\r\nThe attacker tracked as Actor230830 launched attacks on personnel associated with the European Parliament immediately after the vulnerability became public.\r\nThe chain built by Actor230830 is relatively simple. 
After the vulnerability is triggered, a cmd batch file executes and opens the following two addresses in the Edge browser:\r\nhttp://89.96.196[.]150:8080/\r\nhttps://www.europarl.europa[.]eu/pdfs/news/expert/agenda_week_by_day/35-2023/35-2023_en.pdf\r\nThe link to the .pdf displays a decoy to distract the victim, while the link to the IP address serves the attacker’s purpose.\r\nFigure 5.6 Decoys used by Actor230830\r\nThe researchers could not confirm the attacker’s actual objective because the service on port 8080 of the remote server had already been taken down when the attack was discovered.\r\nIn existing sandbox records, access to this IP and port triggered Windows NTLM authentication. It can therefore be speculated that the attacker intended to abuse weaknesses in the NTLM protocol to capture the victim host’s domain credentials.\r\nKnown victims of this attack are located in Portugal and the United Kingdom.\r\nActor231003: Attack targeting Serbia\r\nAnother unknown attacker, Actor231003, exploited CVE-2023-38831 in early October to launch a cyberattack against Serbia.\r\nThe decoy archive built by this attacker is called “NATONSPAFinalInviteList.zip” and follows the common pattern of a .pdf decoy paired with a cmd batch file, as shown below.\r\nFigure 5.7 Vulnerability File Structure Built by Actor231003\r\nThe decoy file “NATONSPAFinalInviteList.pdf” documents NATO Public Diplomacy Programmes, as shown below.\r\nFigure 5.8 Decoys used by Actor231003\r\nThe exploit file was uploaded from Serbia, so it can be inferred that the attackers were targeting pro-NATO groups in non-NATO countries.\r\nAfter the vulnerability is triggered, the follow-on Trojan is downloaded from https://allnato[.]net/news/uploads/chrmap.exe.\r\nThe Trojan Actor231003 delivered in this case is the well-known remote access Trojan Remcos, which gives full control of the victim’s host.\r\nActor231004: Attack targeting government departments of New Zealand\r\nNSFOCUS Research Labs also uncovered another suspected cyberattack against New Zealand government bodies. The attacker we label Actor231004 used a report from New Zealand’s Ministry of Foreign Affairs and Trade as bait and exploited CVE-2023-38831 to drop the well-known malware loader Bumblebee.\r\nFigure 5.9 Decoys used by Actor231004\r\nBumblebee is a loader-type Trojan. With it, an attacker can deliver follow-on components to steal secrets or take over remote hosts.\r\nSeveral known attacker groups are associated with Bumblebee, including GOLD CABIN, TA578 and TA579.\r\nActor231010: Attack targeting Russia and Belarus\r\nAnother attacker, tracked by NSFOCUS Research Labs as Actor231010 (aka SkeletonWolf), used this vulnerability in phishing attacks against Russia and Belarus.\r\nThe exploit file built by this attacker likewise consists of a decoy .pdf and the batch file used for the attack. The decoy is named Pismo_ishodjashhee_61301-1_8724_ot_27_09_2023_Rassylka_Ministerstva_promyshlennosti.pdf (Ministry of Industry outgoing letter 61301-1 8724 dated September 27, 2023). 
The document is a letter from Russia’s Ministry of Industry and Trade, so it can be presumed that Actor231010’s targets in this attack are people who deal with that ministry.\r\nFigure 5.10 Decoy A used by Actor231010\r\nAnother decoy document, disguised as a document of the Belarus State Military Committee, requires property received by military units from the Ministry of Defense to be reported using the attached form. This decoy is suspected of targeting military units in Belarus.\r\nFigure 5.11 Decoy B used by Actor231010\r\nThe batch file in these exploit archives contains an obfuscated PowerShell command that downloads a malicious file from a remote location: the open-source remote access agent AthenaAgent, which uses a Discord channel as its C2 server.\r\nNotably, the detection rate of the exploit files built by Actor231010 was very low: the sample received only 6 detections on VirusTotal.\r\nFigure 5.12 Detection of Actor231010 Vulnerability File\r\nActor231009: Attack targeting China\r\nIn addition, NSFOCUS Research Labs monitored a suspected related cyberattack against China. An attacker labeled Actor231009 crafted a WinRAR exploit file that also uses the combination of a .pdf decoy and a .cmd batch file.\r\nThe decoy file, named “Doc57585894.pdf”, displays a report related to the “Electronic Submission System of the Family Planning Commission”, suggesting that the targets are government bodies or enterprises in China.\r\nFigure 5.13 Decoys used by Actor231009\r\nAfter the malicious batch file runs, the follow-on payload is downloaded from https://dnalnoomnus.ru/bx0/356x.exe. NSFOCUS Research Labs captured several different payloads at this address and found that the attacker mainly delivers the commercial Trojan Smokeloader.\r\nAttackers can use Smokeloader’s follow-on components for operations such as stealing files and recording information.\r\nActor231009’s activity in this campaign suggests the attacker is still in an exploratory phase. NSFOCUS Research Labs will closely monitor its potential follow-up activity.\r\nConclusion\r\nThe WinRAR vulnerability CVE-2023-38831, brought into play by the APT group DarkCasino, has added uncertainty to the APT landscape in the second half of 2023. Many APT groups have taken advantage of this vulnerability’s window to attack critical targets such as governments, hoping to bypass the targets’ defenses and achieve their goals.\r\nNSFOCUS Research Labs has also captured batch-generated exploit files that use transaction bills as decoys. This indicates that large-scale phishing operators have incorporated the vulnerability into their phishing chains, which heralds more victims of WinRAR vulnerability exploitation in the future.\r\nIoC\r\nHash APT Group\r\ndd9146bf793ac34de3825bdabcd9f0f3 DarkPink\r\n5504799eb0e7c186afcb07f7f50775b2 DarkPink\r\nc5331b30587dcaf94bfde94040d4fc89 DarkPink\r\nac28e93dbf337e8d1cc14a3e7352f061 DarkPink\r\nfefe7fb2072d755b0bfdf74aa7c9013e DarkPink\r\n428a12518cea41ef7c57398c69458c52 Konni\r\n7bb106966f6f8733bb4cc5bf2ab2bab4 GhostWriter\r\n2b02523231105ff17ea07b0a7768f3fd Actor230830\r\n63085b0b7cc5bb00859aba105cbb40b1 Actor231003\r\n7195be63a58eaad9fc87760c40e8d59d Actor231004\r\n129ccb333ff92269a8f3f0e95a0338ba Actor231010\r\ncd1f48df9712b984c6eee3056866209a Actor231010\r\nb05960a5e1c1a239b785f0a42178e1df Actor231010\r\n6b5d5e73926696a6671c73437cedd23c Actor231009\r\nSource: https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/"
	],
	"report_names": [
		"the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fbe45970-1e9e-4a82-bc06-46317a248479",
			"created_at": "2026-02-03T02:00:03.45132Z",
			"updated_at": "2026-04-10T02:00:03.947304Z",
			"deleted_at": null,
			"main_name": "DarkPink",
			"aliases": [
				"Saaiwc"
			],
			"source_name": "MISPGALAXY:DarkPink",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7318d1672ad4700aba7143e33fe106b6dc9d40f7.pdf",
		"text": "https://archive.orkl.eu/7318d1672ad4700aba7143e33fe106b6dc9d40f7.txt",
		"img": "https://archive.orkl.eu/7318d1672ad4700aba7143e33fe106b6dc9d40f7.jpg"
	}
}