APT-C-08 Hackers Exploiting WinRAR Vulnerability to Attack Government Organizations

The advanced persistent threat group APT-C-08, also known as Manlinghua or BITTER, has launched a sophisticated campaign targeting government organizations across South Asia by exploiting a critical directory traversal vulnerability in WinRAR.

Security researchers have identified the group’s first operational use of CVE-2025-6218, a flaw affecting WinRAR versions 7.11 and earlier that allows attackers to breach file system boundaries and execute malicious code on compromised systems.

APT-C-08 maintains established relationships with South Asian governments and has historically focused on stealing sensitive information from government agencies, the military-industrial complex, overseas institutions, and universities.

The threat group has demonstrated proficiency in weaponizing malicious documents as attack entry points, meticulously crafting socially engineered payloads designed to bypass security awareness.

This latest campaign represents a significant escalation, leveraging a vulnerability that remains difficult to patch due to WinRAR’s inconsistent update mechanisms across enterprise environments.

Researchers identified the campaign through weaponized RAR archives carrying deceptively named files, such as “Provision of Information for Sectoral for AJK[.]rar.”

The malicious archive exploits CVE-2025-6218 by leveraging specially crafted file paths that contain spaces after directory traversal sequences, a technique that circumvents WinRAR’s path normalization.

When victims extract the archive, the exploit deposits a malicious Normal[.]dotm macro file into the Word template directory at C:\Users\[username]\AppData\Roaming\Microsoft\Templates, establishing persistence through Microsoft Word’s automatic template loading mechanism.
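A defender-side check for archive listings of this kind, added here as an example (not code from the original article or from any vendor tool): it normalizes each entry name the way a cautious extractor should, so a traversal component padded with spaces is still treated as “..”, and it flags entries that would land outside the extraction directory or drop a Word template. The entry names and the exact space-padding layout are constructed assumptions, not the real archive's contents.

```python
import re
from dataclasses import dataclass

# Constructed sample listing, as an archive-inspection tool might report it.
# Entry 2 imitates the shape described above: traversal components followed
# by spaces, which a naive normalizer would fail to recognise as "..".
SAMPLE_ENTRIES = [
    "Provision of Information for Sectoral for AJK.pdf",
    "..  \\..  \\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "docs/../readme.txt",
    "C:\\Windows\\Temp\\x.exe",
]

@dataclass
class Finding:
    entry: str
    reasons: list

def split_components(name: str) -> list:
    """Split on either separator and strip each component, so '.. ' == '..'."""
    return [c.strip() for c in re.split(r"[\\/]+", name) if c.strip()]

def check_entry(name: str) -> list:
    """Return the reasons an entry is unsafe to extract (empty list = clean)."""
    reasons = []
    stripped = name.strip()
    if re.match(r"^[A-Za-z]:", stripped) or stripped.startswith(("\\", "/")):
        reasons.append("absolute path")
    comps = split_components(name)
    depth = 0  # how many directories below the extraction root we are
    for comp in comps:
        if comp == "..":
            depth -= 1
            if depth < 0 and "escapes extraction directory" not in reasons:
                reasons.append("escapes extraction directory")
        elif comp != ".":
            depth += 1
    # A .dotm/.dotx under a Templates folder is what enables the Word persistence.
    if comps and comps[-1].lower().endswith((".dotm", ".dotx")) \
            and any(c.lower() == "templates" for c in comps):
        reasons.append("drops Word template")
    return reasons

def scan_entries(names: list) -> list:
    """Run check_entry over a listing and keep only the flagged entries."""
    return [Finding(n, r) for n in names if (r := check_entry(n))]

if __name__ == "__main__":
    for f in scan_entries(SAMPLE_ENTRIES):
        print(f"{f.entry!r}: {', '.join(f.reasons)}")
```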

Infection Mechanism and Code Execution

The attack chain demonstrates a sophisticated understanding of Windows system architecture.

Upon extraction, the malicious Normal[.]dotm file (“MD5: 4bedd8e2b66cc7d64b293493ef5b8942”) runs when the victim opens any Word document, triggering VBA macros that execute the “net use” command to map remote directories to the local machine.

Subsequently, the macro launches winnsc[.]exe from the remote server, establishing command execution capabilities.

This two-stage infection approach ensures that opening the initial document triggers the infection without raising suspicion, allowing operators to maintain stealth while establishing persistent remote access.

The exploit’s low difficulty, combined with its high success rate, has prompted security communities to recommend immediate patching of all WinRAR installations and implementing application allowlisting to restrict macro execution in Microsoft Office templates.

Organizations handling sensitive government information should prioritize threat detection monitoring for suspicious network mapping activities and macro-based indicators of compromise.
