WinRAR Vulnerability Exploited by APT-C-08 to Target Government Agencies

The notorious APT-C-08 hacking group, also known as BITTER, has been observed weaponizing a critical WinRAR directory traversal vulnerability (CVE-2025-6218) to launch sophisticated attacks against government organizations across South Asia.

This development marks a concerning evolution in the threat actor’s capabilities, as the group leverages this easily exploitable flaw to infiltrate sensitive systems and steal classified information.

APT-C-08 is an advanced persistent threat group with confirmed ties to South Asian government entities.

The organization has consistently targeted governments, overseas institutions, universities, and military-industrial complexes throughout South Asia and neighboring regions.

Their primary objective remains the theft of sensitive information, driven by strong political motivations. The group demonstrates sophisticated tradecraft, employing diverse attack vectors and specializing in social engineering tactics that manipulate victims into opening malicious documents and downloading harmful payloads. 

WinRAR Vulnerability

Security researchers recently captured samples that reveal APT-C-08 exploiting CVE-2025-6218, a directory-traversal vulnerability affecting WinRAR versions 7.11 and earlier.

| Attribute | Details |
|---|---|
| MD5 Hash | f6f2fdc38cd61d8d9e8cd35244585967 |
| File Name | Provision of Information for Sectoral for AJK.rar |
| File Size | 51.4 KB (52,674 bytes) |
| Description | Exploiting vulnerabilities |
| Referenced CVE | CVE-2025-6218 |

This marks the first observed instance of the group weaponizing this particular flaw. The vulnerability’s low exploitation difficulty, combined with the widespread failure of users to update WinRAR installations, creates an ideal attack surface for threat actors.

Given the severity and accessibility of this exploit, security teams have prioritized public disclosure to enable rapid threat mitigation.

The attack begins with a weaponized RAR archive named “Provision of Information for Sectoral for AJK.rar” (MD5: f6f2fdc38cd61d8d9e8cd35244585967).

This 51.4 KB compressed file exploits the CVE-2025-6218 vulnerability to breach expected file system boundaries, enabling attackers to deploy malicious files into unauthorized directory locations.

The vulnerability stems from improper path normalization during file extraction. WinRAR’s extraction process checks characters before path separators, specifically looking for spaces or dots.

However, the developers overlooked scenarios where paths contain spaces after the dot-dot notation. Attackers exploited this oversight by constructing specially crafted paths like “.. ” which bypass security checks and enable directory traversal.

To maximize exploitation success, the threat actors embedded two malicious file paths within the archive: “/.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm” and “/.. /.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm”. The critical detail enabling successful exploitation is the strategically placed space after the “..” notation.
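To illustrate the class of bypass described above from the defender's side, the following added Python example (not WinRAR's code or the researchers' tooling) contrasts a naive segment check with one that applies the Windows rule that trailing spaces and dots in a path component are dropped before the name reaches the filesystem. The two entry paths quoted above are used as samples in a constructed archive listing, alongside constructed benign names.

```python
"""Flag archive entry names that would escape the extraction directory.

Added defensive example. The naive check models the kind of comparison
that misses ".. " (dot-dot followed by a space); the hardened check
normalizes each segment the way Windows does before deciding.
"""
import re
from typing import Dict, List

SEPARATORS = re.compile(r"[\\/]+")
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def naive_is_traversal(entry_name: str) -> bool:
    """Simplified check: compares raw segments to '..' and so misses '.. '."""
    return any(seg == ".." for seg in SEPARATORS.split(entry_name))


def normalize_segment(seg: str) -> str:
    """Apply the Windows rule: trailing spaces/dots of a component are dropped."""
    seg = seg.rstrip(" ")            # ".. " -> ".."
    if seg in ("", ".", ".."):
        return seg
    return seg.rstrip(" .")          # "Normal.dotm. " -> "Normal.dotm"


def escapes_extraction_dir(entry_name: str) -> bool:
    """True if the entry resolves above the extraction root or is absolute.

    Leading separators are ignored, as extractors treat them as relative
    to the destination; a drive-letter prefix is always rejected.
    """
    if DRIVE_PREFIX.match(entry_name):
        return True
    depth = 0
    for raw in SEPARATORS.split(entry_name):
        seg = normalize_segment(raw)
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:            # climbed above the extraction root
                return True
        else:
            depth += 1
    return False


# Constructed listing: two paths quoted in the article plus benign names.
SAMPLE_ENTRIES: List[str] = [
    "Document.docx",
    "docs/../readme.txt",
    "/.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm",
    "/.. /.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm",
]


def scan_listing(entries: List[str]) -> Dict[str, bool]:
    """Map each entry name to whether the hardened check flags it."""
    return {e: escapes_extraction_dir(e) for e in entries}


if __name__ == "__main__":
    for name, flagged in scan_listing(SAMPLE_ENTRIES).items():
        print(f"{'ESCAPES' if flagged else 'ok     '}  {name!r}")
```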


When victims extract the malicious archive using vulnerable WinRAR versions, the attack deploys a weaponized Normal.dotm file (MD5: 4bedd8e2b66cc7d64b293493ef5b8942) to the Microsoft Word templates directory at C:\Users\[username]\AppData\Roaming\Microsoft\Templates.


This 19.9 KB macro-enabled template automatically loads whenever victims open any Word document on their system, ensuring persistent malicious code execution without requiring additional user interaction.

Malicious Payload Functionality

The deployed Normal.dotm contains malicious macros designed to establish remote connectivity and download additional attack components.

The macro executes network commands to map remote directories to the local system, specifically targeting and executing “winnsc.exe” from attacker-controlled infrastructure.

The winnsc.exe downloader operates by collecting system reconnaissance data including hostname, username, and operating system version.

This information transmits to the command-and-control server at teamlogin.esanojinjasvc[.]com using HTTP POST requests. Based on server responses, the malware retrieves and executes subsequent payloads, including C# trojans commonly associated with APT-C-08 operations.

Security researchers identified a second attack variant using a compressed file named “Weekly AI Article.rar” (MD5: 84128d40db28e8ee16215877d4c4b64a).

This 596 KB archive employs identical exploitation techniques, deploying another malicious Normal.dotm (MD5: f8b237ca925daa3db8699faa05007f12) that downloads and executes commands from tapeqcqoptions[.]com.

Implications and Recommendations

APT-C-08’s adoption of CVE-2025-6218 demonstrates the group’s continued evolution and technical sophistication.

The combination of directory traversal exploitation with persistent template-based execution creates a highly effective attack chain capable of evading traditional security controls. Organizations, particularly government entities in South Asia, face elevated risk from these campaigns.

Security teams must prioritize updating WinRAR to versions that patch CVE-2025-6218. Users should exercise extreme caution when handling compressed files from unknown sources, particularly RAR archives delivered via email or file-sharing platforms.

Implementing robust email security filtering, endpoint detection and response solutions, and user security awareness training can significantly reduce successful exploitation attempts.

The persistent nature of this attack achieved through Microsoft Word template modification requires organizations to monitor the Templates directory for unauthorized modifications and implement application allowlisting to prevent unauthorized macro execution.

Regular security audits of critical directories and enhanced logging can detect compromise indicators before attackers achieve their espionage objectives.
