Cybersecurity researchers at Check Point have uncovered a renewed campaign attributed to the Chinese threat actor known as 'Amarath-Dragon' (aka APT41). This group is actively exploiting a critical vulnerability in WinRAR, a ubiquitous file compression utility used by millions worldwide.
For security operations centers (SOCs) and IT defenders, this highlights a critical risk: even common, trusted desktop utilities can serve as entry points for sophisticated cyber-espionage operations. This post breaks down the technical mechanics of the attack and provides the necessary detection rules and remediation steps to secure your environment.
Technical Analysis
The core of this campaign relies on a vulnerability (often associated with CVE-2023-38831) in how older versions of WinRAR handle archive files. The flaw allows an attacker to craft a malicious archive that contains a benign file (like a PDF or image) and a hidden script.
When a user attempts to open the benign file, WinRAR inadvertently executes the hidden script instead. This technique, known as "file extension spoofing," effectively tricks the user into running malicious code without their knowledge.
- Affected Products: WinRAR versions prior to 6.23.
- Severity: High/Critical (allows for Remote Code Execution).
- Attack Vector: Phishing emails containing malicious RAR or ZIP archives.
- Patch Details: WinRAR released version 6.23 (and newer) to address this specific bypass. Updating to the latest version is the primary fix.
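The archive layouts described above can be checked statically before a user ever opens the file. The Python inspector below is an added example written for this post (it is not Check Point's, RARLAB's or Security Arsenal's code) of what a mail gateway or sandbox might run over an inbound ZIP: it flags a script or executable entry whose name embeds a document extension (the "file extension spoofing" the post describes, e.g. "report.pdf .cmd" or "invoice.pdf.exe") and a file entry that collides with a directory entry of the same name once trailing whitespace is ignored, the layout publicly documented for CVE-2023-38831. The extension lists and both sample archives are constructed for the example.

```python
"""Static inspection of a ZIP archive for entries that disguise a script as a document.

Added example for this post, not vendor code. Two constructed heuristics:
  1. an executable/script entry whose name embeds a document extension,
     e.g. "report.pdf .cmd" or "invoice.pdf.exe";
  2. a file entry and a directory entry that share a name once trailing
     whitespace is ignored, the archive layout publicly documented for
     CVE-2023-38831.
"""
import io
import posixpath
import re
import zipfile

# Extension lists are illustrative, not exhaustive.
DOCUMENT_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg", "png", "txt")
EXECUTABLE_EXT = ("cmd", "bat", "exe", "ps1", "vbs", "js", "jse", "wsf", "scr", "com", "lnk", "hta")

# "<name>.<document ext><optional spaces>.<executable ext>" at the end of the base name
_SPOOF_RE = re.compile(
    r"\.(?:%s)\s*\.(?:%s)$" % ("|".join(DOCUMENT_EXT), "|".join(EXECUTABLE_EXT)),
    re.IGNORECASE,
)


def spoofed_document_name(entry_name):
    """True if the base name reads like a document but carries a script/executable extension."""
    return _SPOOF_RE.search(posixpath.basename(entry_name)) is not None


def inspect_archive(zip_bytes):
    """Return a list of human-readable findings for the ZIP archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    # Every directory path implied by any entry, e.g. "report.pdf " from "report.pdf /x.cmd"
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))

    findings = []
    for f in files:
        if spoofed_document_name(f):
            findings.append("spoofed document name: %r" % f)
        parent, base = posixpath.split(f)
        for d in dirs:
            d_parent, d_base = posixpath.split(d)
            # A real filesystem cannot hold "report.pdf" and "report.pdf " side by side;
            # an archive can, and that collision is the condition worth flagging.
            if d_parent == parent and d_base.rstrip() == base.rstrip():
                findings.append("file %r collides with directory %r" % (f, d + "/"))
    return findings


def build_sample(entries):
    """Build an in-memory ZIP from (name, bytes) pairs; used only for constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the contents are placeholders, not real documents or scripts.
BENIGN_ZIP = build_sample([
    ("report.pdf", b"%PDF-1.4 constructed placeholder"),
    ("notes/readme.txt", b"constructed placeholder"),
])
SUSPICIOUS_ZIP = build_sample([
    ("report.pdf", b"%PDF-1.4 constructed placeholder"),
    ("report.pdf /report.pdf .cmd", b"echo constructed placeholder\r\n"),
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("suspicious", SUSPICIOUS_ZIP)):
        print(label, inspect_archive(blob) or ["no findings"])
```

The second heuristic is the one that matters for this CVE: the spoofed name alone is also caught by ordinary double-extension filters, while the file/directory collision is only expressible in an archive and never survives extraction to a Windows filesystem, so it has to be checked on the archive itself.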
Defensive Monitoring
To detect active exploitation or post-compromise activity related to this WinRAR vulnerability, security teams should implement the following detection logic.
SIGMA Detection Rules
These rules are designed for SIEM systems using the SIGMA format. They focus on the parent-child process relationships that occur when the vulnerability is triggered.
---
title: Suspicious Child Process Spawned by WinRAR
id: 4a9c1234-5678-4b90-a1b2-c3d4e5f6a789
status: experimental
description: Detects WinRAR spawning a command shell (cmd.exe) or PowerShell. This is highly suspicious behaviour indicative of CVE-2023-38831 exploitation, where opening an archive entry executes a script.
references:
    - https://www.infosecurity-magazine.com/news/hacking-exploits-windows-winrar/
    - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2024/05/20
tags:
    - attack.initial_access
    - attack.t1204
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WinRAR.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative scripts using WinRAR self-extractor (rare)
level: high
---
title: WinRAR Archive Creation in Suspicious Directory
id: b8e7d6c5-4b3a-2c1d-0e9f-8a7b6c5d4e3f
status: experimental
description: Detects WinRAR writing files into temporary or user-profile directories, the staging location typical of archive-extraction exploits. A file_event rule cannot express "followed by a process creation" on its own, so correlate these hits with the process_creation rule above in the SIEM.
references:
    - https://www.infosecurity-magazine.com/news/hacking-exploits-windows-winrar/
author: Security Arsenal
date: 2024/05/20
tags:
    - attack.initial_access
    - attack.t1204
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\WinRAR.exe'
        TargetFilename|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
    condition: selection
falsepositives:
    - Legitimate user unzipping files to temp folders
level: medium
KQL Queries for Microsoft Sentinel/Defender
Use these queries in Microsoft Sentinel or Defender for Endpoint to hunt for signs of the Amarath-Dragon campaign.
// Detect WinRAR spawning cmd.exe or powershell.exe
DeviceProcessEvents
| where InitiatingProcessFileName =~ "WinRAR.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine
| order by Timestamp desc
// Hunt for recent RAR or ZIP file creations followed within one minute by a shell on the same device.
// KQL joins cannot carry a time-range condition in the "on" clause, so join on DeviceId and filter afterwards.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith ".rar" or FileName endswith ".zip"
| project ArchiveTime = Timestamp, DeviceId, DeviceName, ArchiveName = FileName, ArchiveWriter = InitiatingProcessFileName
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
    | project ProcTime = Timestamp, DeviceId, ShellName = FileName, ShellParent = InitiatingProcessFileName, ProcessCommandLine
) on DeviceId
| where ProcTime between (ArchiveTime .. (ArchiveTime + 1m))
| project ArchiveTime, ProcTime, DeviceName, ArchiveName, ArchiveWriter, ShellName, ShellParent, ProcessCommandLine
| order by ProcTime desc
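To make the two detections concrete before they reach a SIEM, the Python below is an added example written for this post (it is not Security Arsenal's Sigma or KQL, and it is not vendor code) that runs the same logic over constructed records shaped like the Defender DeviceProcessEvents and DeviceFileEvents columns used above. Rule A is the parent/child check of the first Sigma rule; rule B is the archive-then-shell correlation of the second KQL hunt with its one-minute window, which also catches a shell that was not spawned by WinRAR directly. Device names, users, timestamps and command lines are invented.

```python
"""Prototype of the WinRAR detections over constructed telemetry.

Added example for this post, not SIEM output. Field names follow the Defender
DeviceProcessEvents / DeviceFileEvents columns used in the KQL above; the
records themselves are constructed.
  Rule A (Sigma rule): WinRAR.exe is the parent of cmd.exe / powershell.exe / pwsh.exe.
  Rule B (second KQL hunt): a .rar/.zip is written on a device and one of those
  shells starts on the same device within WINDOW, whatever its parent.
"""
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ARCHIVE_EXT = (".rar", ".zip")
WINDOW = timedelta(minutes=1)

# Constructed sample telemetry (hosts, users, times and command lines are invented).
PROCESS_EVENTS = [
    {"Timestamp": "2024-05-20T09:00:05", "DeviceId": "dev-1", "DeviceName": "WS01", "AccountName": "alice",
     "InitiatingProcessFileName": "WinRAR.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c <constructed>"},
    {"Timestamp": "2024-05-20T09:30:00", "DeviceId": "dev-2", "DeviceName": "WS02", "AccountName": "bob",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe"},
    {"Timestamp": "2024-05-20T10:00:00", "DeviceId": "dev-3", "DeviceName": "WS03", "AccountName": "carol",
     "InitiatingProcessFileName": "WinRAR.exe", "FileName": "notepad.exe",
     "ProcessCommandLine": "notepad.exe readme.txt"},
    {"Timestamp": "2024-05-20T11:00:30", "DeviceId": "dev-1", "DeviceName": "WS01", "AccountName": "alice",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe <constructed>"},
]
FILE_EVENTS = [
    {"Timestamp": "2024-05-20T09:00:00", "DeviceId": "dev-1", "DeviceName": "WS01",
     "ActionType": "FileCreated", "FileName": "invoice.zip", "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": "2024-05-20T09:00:02", "DeviceId": "dev-1", "DeviceName": "WS01",
     "ActionType": "FileCreated", "FileName": "readme.txt", "InitiatingProcessFileName": "WinRAR.exe"},
    {"Timestamp": "2024-05-20T09:10:00", "DeviceId": "dev-2", "DeviceName": "WS02",
     "ActionType": "FileCreated", "FileName": "photos.rar", "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2024-05-20T11:00:00", "DeviceId": "dev-1", "DeviceName": "WS01",
     "ActionType": "FileCreated", "FileName": "Q2_report.rar", "InitiatingProcessFileName": "outlook.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["Timestamp"])


def winrar_spawns_shell(process_events):
    """Rule A: WinRAR.exe parent plus a shell image, compared case-insensitively like Sigma/KQL."""
    return [e for e in process_events
            if e["InitiatingProcessFileName"].lower() == "winrar.exe"
            and e["FileName"].lower() in SHELLS]


def archive_then_shell(file_events, process_events, window=WINDOW):
    """Rule B: pair each archive creation with shells started on the same device within `window` after it."""
    archives = [f for f in file_events
                if f.get("ActionType") == "FileCreated"
                and f["FileName"].lower().endswith(ARCHIVE_EXT)]
    hits = []
    for p in process_events:
        if p["FileName"].lower() not in SHELLS:
            continue
        for a in archives:
            if a["DeviceId"] != p["DeviceId"]:
                continue
            if _ts(a) <= _ts(p) <= _ts(a) + window:
                hits.append({
                    "DeviceName": p["DeviceName"],
                    "Archive": a["FileName"], "ArchiveTime": a["Timestamp"],
                    "ArchiveWriter": a["InitiatingProcessFileName"],
                    "Shell": p["FileName"], "ShellTime": p["Timestamp"],
                    "ShellParent": p["InitiatingProcessFileName"],
                    "CommandLine": p["ProcessCommandLine"],
                })
    return hits


if __name__ == "__main__":
    for hit in winrar_spawns_shell(PROCESS_EVENTS):
        print("Rule A:", hit["DeviceName"], hit["InitiatingProcessFileName"], "->", hit["FileName"])
    for hit in archive_then_shell(FILE_EVENTS, PROCESS_EVENTS):
        print("Rule B:", hit["DeviceName"], hit["Archive"], "->", hit["Shell"], "at", hit["ShellTime"])
```

On the constructed data rule A fires once (WS01, WinRAR.exe spawning cmd.exe) while rule B fires twice, the second time for a PowerShell started by explorer.exe thirty seconds after an archive was written on WS01; that is the case a parent/child rule alone misses, and also why rule B needs the short window, since the rate of archive writes on a busy fileserver makes a wider one noisy.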
Velociraptor VQL Hunt Queries
Velociraptor can be used to hunt for the presence of vulnerable WinRAR versions or suspicious process chains on endpoints.
-- Hunt for live cmd.exe / powershell.exe / pwsh.exe processes whose parent is WinRAR.exe.
-- pslist() exposes no parent executable column, so resolve the parent with a subquery on Ppid.
SELECT Pid, Ppid, Name, Exe, Username, CommandLine,
       { SELECT Exe FROM pslist(pid=Ppid) } AS ParentInfo
FROM pslist()
WHERE Name =~ "^(cmd|powershell|pwsh)\\.exe$"
  AND ParentInfo[0].Exe =~ "WinRAR\\.exe$"

-- Report the installed WinRAR build (64-bit and 32-bit default paths); glob() carries no version
-- fields, so read them from the PE version resource.
SELECT OSPath,
       parse_pe(file=OSPath).VersionInformation.FileVersion AS FileVersion,
       parse_pe(file=OSPath).VersionInformation.ProductVersion AS ProductVersion
FROM glob(globs=["C:/Program Files/WinRAR/WinRAR.exe",
                 "C:/Program Files (x86)/WinRAR/WinRAR.exe"])
PowerShell Verification Script
Use this script to audit your endpoints for vulnerable versions of WinRAR.
# Check the WinRAR version at both default install paths (64-bit and 32-bit)
$candidates = @(
    "${env:ProgramFiles}\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)
$found = $false
foreach ($winrarPath in $candidates) {
    if (-not (Test-Path $winrarPath)) { continue }
    $found = $true
    $versionInfo = (Get-Item $winrarPath).VersionInfo
    $version = [version]$versionInfo.FileVersion
    Write-Host "Detected WinRAR Version: $version ($winrarPath)"
    # Versions older than 6.23 are vulnerable to CVE-2023-38831
    if ($version -lt [version]"6.23") {
        Write-Host "[ALERT] Vulnerable version of WinRAR detected. Please update immediately." -ForegroundColor Red
    } else {
        Write-Host "[OK] WinRAR version appears patched." -ForegroundColor Green
    }
}
if (-not $found) {
    Write-Host "WinRAR not found in default paths."
}
Remediation
To protect your organization against the Amarath-Dragon campaign and other threats exploiting this vulnerability, immediately implement the following steps:
- Patch WinRAR Immediately: Deploy WinRAR version 6.23 or newer to all endpoints via your software deployment tools (SCCM, Intune, or RMM).
- Application Whitelisting: Configure AppLocker or Windows Defender Application Control (WDAC) to prevent WinRAR from spawning child processes such as cmd.exe or powershell.exe. This is an effective compensating control if patching is delayed.
- Email Filtering: Update secure email gateways to block or sandbox RAR and ZIP archives, particularly those originating from external sources.
- User Awareness: Remind users to be cautious when opening compressed files from unknown senders, even if the file inside appears to be a standard document (e.g., a PDF).