Back to Intelligence

CVE-2023-38831: WinRAR Exploitation by Amaranth-Dragon — Detection and Hardening Guide

SA
Security Arsenal Team
April 10, 2026
5 min read

Security teams must prioritize patching WinRAR immediately following confirmed reports of active exploitation. Researchers at Check Point have linked a recent surge in cyber-espionage activities to the threat actor "Amaranth-Dragon," a Chinese-aligned group. This actor is actively weaponizing CVE-2023-38831, a critical vulnerability in the ubiquitous WinRAR archiver.

The attack vector is particularly insidious because it requires minimal user interaction—simply opening a crafted archive can lead to Remote Code Execution (RCE). Given WinRAR's prevalence in enterprise environments, this vulnerability represents a high-risk lateral movement and initial access vector. This post provides the technical breakdown and defensive countermeasures required to neutralize this threat.

Technical Analysis

  • CVE Identifier: CVE-2023-38831
  • Affected Product: WinRAR
  • Affected Versions: Versions prior to 6.23
  • CVSS Score: 7.8 (High)
  • Platform: Microsoft Windows

How the Vulnerability Works: The flaw resides in how WinRAR processes compressed archives. The exploit technique utilizes a path traversal deception within the archive header. By creating a crafted archive (ZIP or RAR) that contains a file and a folder with identical names (e.g., filename.png and filename.png\), an attacker can trick the shell extension.

When a user attempts to open what appears to be a benign file (e.g., an image) inside the archive, WinRAR executes a script hidden within the nested folder instead of the intended file. This bypasses security warnings because the operating system sees the request targeting a "safe" file extension, while WinRAR passes the command to the malicious executable located in the adjacent folder.

Exploitation Status:

  • In-the-Wild: Confirmed active exploitation by Amaranth-Dragon.
  • CISA KEV: Listed in the Known Exploited Vulnerabilities Catalog.
  • Availability: Proof-of-concept (PoC) code is publicly available, lowering the barrier for copycat attackers.

Detection & Response

Sigma Rules

The following Sigma rules detect the suspicious process execution chain typical of this exploit. WinRAR should rarely, if ever, spawn a shell or command prompt directly.

YAML
---
title: WinRAR Spawning Shell - Potential CVE-2023-38831 Exploit
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects WinRAR spawning cmd.exe, powershell.exe, or wscript.exe. This behavior is indicative of successful exploitation of CVE-2023-38831 or malicious archive usage.
references:
  - https://cve.circl.lu/cve/CVE-2023-38831
  - https://www.checkpoint.com/research/
author: Security Arsenal
date: 2023/10/05
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1204
  - cve.2023.38831
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\WinRAR.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate use of self-extracting archives that launch scripts (rare in corporate envs)
  - Administrator troubleshooting
level: high
---
title: Potential WinRAR CVE-2023-38831 File Pattern
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects creation of suspicious filenames associated with the path traversal trick used in CVE-2023-38831 exploitation in user directories.
references:
  - https://cve.circl.lu/cve/CVE-2023-38831
author: Security Arsenal
date: 2023/10/05
tags:
  - attack.initial_access
  - cve.2023.38831
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains: '\AppData\Local\Temp\'
    TargetFilename|regex: '.*\.[a-z]{3}\s+\.*' # Checks for whitespace or pattern anomalies in filenames
  condition: selection
falsepositives:
  - Low (legitimate apps rarely create temp files with double extensions/spaces in this specific manner)
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query identifies instances where WinRAR acts as a parent process to a command-line interpreter.

KQL — Microsoft Sentinel / Defender
// Hunt for WinRAR spawning suspicious child processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "WinRAR.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

Use this artifact to hunt for vulnerable versions of WinRAR and recent process executions that fit the kill chain.

VQL — Velociraptor
-- Hunt for vulnerable WinRAR installations and suspicious parent-child relationships
SELECT 
  OSPath,
  Mtime,
  VersionData.ProductVersion,
  VersionData.FileVersion,
  Size
FROM glob(globs="C:\Program Files\WinRAR\WinRAR.exe")
WHERE parse_version(VersionData.ProductVersion) < parse_version("6.23")

-- Check for WinRAR spawning cmd.exe
SELECT Pid, Ppid, Name, Exe, Cmdline, StartTime
FROM pslist()
WHERE Name =~ "cmd.exe" OR Name =~ "powershell.exe"
  AND Ppid in (
    SELECT Pid FROM pslist() WHERE Name =~ "WinRAR.exe"
  )

Remediation Script (PowerShell)

This script audits the local WinRAR installation and reports if the version is vulnerable to CVE-2023-38831.

PowerShell
# Audit WinRAR for CVE-2023-38831
$WinRARPaths = @(
    "${env:ProgramFiles}\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)

$VulnerableThreshold = [version]"6.23.0.0"

foreach ($Path in $WinRARPaths) {
    if (Test-Path $Path) {
        $FileInfo = Get-Item $Path
        $FileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).FileVersion
        $VersionObj = [version]$FileVersion

        Write-Host "Found WinRAR at: $Path (Version: $FileVersion)" -ForegroundColor Cyan

        if ($VersionObj -lt $VulnerableThreshold) {
            Write-Host "[ALERT] Vulnerable version of WinRAR detected. CVE-2023-38831 applicable." -ForegroundColor Red
            Write-Host "Action Required: Update WinRAR to version 6.23 or later immediately." -ForegroundColor Red
        } else {
            Write-Host "[OK] Version is patched against CVE-2023-38831." -ForegroundColor Green
        }
    }
}

Remediation

To mitigate the threat of Amaranth-Dragon and other actors exploiting this flaw, apply the following remediation steps immediately:

  1. Patch Immediately: Update WinRAR to version 6.23 or later. The vendor (win.rar GmbH) has released patches that address the path traversal validation flaw.

  2. Verify Version: Use the PowerShell script above or check Help > About WinRAR in the GUI to confirm the version string is 6.23 or higher.

  3. Application Allowlisting: If immediate patching is not feasible, restrict the execution of WinRAR.exe via AppLocker or Windows Defender Application Control (WDAC) to specific trusted user groups who require archival utilities.

  4. CISA Directive: Per CISA KEV catalog (KEV-2023-B0008), Federal Civilian Executive Branch (FCEB) agencies must patch this vulnerability by November 16, 2023. Private sector organizations should treat this deadline as a benchmark for prioritization.

  5. User Awareness: Remind users not to open archives from untrusted sources. While this vulnerability bypasses some visual cues, the initial delivery mechanism remains primarily phishing or malicious downloads.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

vulnerabilitycvepatchzero-daywinrarcve-2023-38831amaranth-dragonvulnerability-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action