WinRAR Vulnerability Exploited to Deploy Fileless Quasar RAT Without User Consent
A malware campaign is actively exploiting a WinRAR path validation vulnerability to deliver a fileless remote access trojan without requiring macros, exploit kits, or elevated privileges, according to research published by CYFIRMA. The attack chain abuses archive extraction behavior to silently establish persistence before any visible malware execution occurs.
The vulnerability, tracked as CVE-2025-8088, allows specially crafted RAR archives to write malicious files outside the intended extraction directory. Attackers are using this flaw to place malicious scripts directly into Windows auto-execution locations, enabling automatic code execution at user logon without administrative privileges or explicit user consent.
Weaponized OSINT Tools Archive
The campaign begins with a RAR archive named "Free 2026 Osint Tools.rar" that appears completely benign when viewed in WinRAR. The archive displays only a single text file containing a curated list of legitimate open-source intelligence tools and resources, deliberately crafted to reduce suspicion and encourage extraction.
However, the archive contains embedded directory traversal sequences within its internal file metadata. During extraction, these malformed paths exploit improper path validation in WinRAR to escape the user-selected destination directory. Despite WinRAR generating warnings about invalid filename syntax, the extraction logic still processes the crafted paths.
The result is a malicious Windows Batch script silently written to the Windows Startup directory at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Any file placed in this location executes automatically at user logon, meaning persistence is established during archive extraction itself, before any explicit malware execution takes place.
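The extraction-time write described above is a path validation failure, and the defensive counterpart is a lexical check of every entry name before any byte is written. The following Python is an added example, not code from CYFIRMA, WinRAR, or the campaign: it takes the entry names an archive lists (here constructed sample names; a real tool would read them from the archive headers) plus the chosen destination folder, and refuses absolute or UNC names, traversal above the destination, invalid Windows filename syntax (including the colon used for alternate data streams), and entries that would land in the Startup folder even when they stay inside the destination. All names, paths and the sample list are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows auto-execution folder the campaign targets (lower-cased path suffix).
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
INVALID_COMPONENT = re.compile(r'[<>:"|?*\x00-\x1f]')

# Constructed sample entry names modelled on the behaviour described above.
# The first two are plausible archive contents; the rest are the kinds of
# crafted names a validator must reject. None are taken from the real archive.
SAMPLE_ENTRIES = [
    "Free 2026 Osint Tools.txt",
    "tools/readme.txt",
    "..\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat",
    "C:\\Users\\Public\\update.bat",
    "\\\\fileserver\\share\\update.bat",
    "notes\\..\\ok.txt",
    "readme.txt:Zone.Identifier",
]


@dataclass
class EntryVerdict:
    name: str
    verdict: str             # ok | absolute | traversal | invalid_name | auto_exec
    resolved: Optional[str]  # where the entry would be written, if writable at all


def check_entry(name: str, dest: str) -> EntryVerdict:
    """Decide whether one archive entry may be written under dest.

    The check is purely lexical (no filesystem access), so it can run on the
    entry list before extraction starts.
    """
    # Drive-rooted, rooted or UNC names never belong in an archive entry.
    if re.match(r"^[A-Za-z]:", name) or name.startswith(("\\", "/")):
        return EntryVerdict(name, "absolute", None)

    # Normalise '..' lexically; any attempt to climb above dest is traversal.
    stack: List[str] = []
    for part in re.split(r"[\\/]+", name):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return EntryVerdict(name, "traversal", None)
            stack.pop()
        else:
            stack.append(part)
    if not stack:
        return EntryVerdict(name, "invalid_name", None)

    # Reserved characters (':' also introduces an alternate data stream) and
    # trailing dots or spaces are invalid Windows filename syntax.
    if any(INVALID_COMPONENT.search(p) or p.endswith((" ", ".")) for p in stack):
        return EntryVerdict(name, "invalid_name", None)

    resolved = ntpath.join(dest, *stack)
    # A contained entry is still dangerous if dest lies inside a user profile
    # and the entry lands in the Startup folder.
    if ntpath.dirname(resolved).lower().endswith(STARTUP_SUFFIX):
        return EntryVerdict(name, "auto_exec", resolved)
    return EntryVerdict(name, "ok", resolved)


def audit_archive(entries: List[str], dest: str) -> List[EntryVerdict]:
    """Check every entry; extraction should be refused unless all are 'ok'."""
    return [check_entry(e, dest) for e in entries]


def safe_to_extract(entries: List[str], dest: str) -> bool:
    return all(v.verdict == "ok" for v in audit_archive(entries, dest))


if __name__ == "__main__":
    dest = "C:\\Users\\alice\\Downloads\\osint"
    for v in audit_archive(SAMPLE_ENTRIES, dest):
        print(f"{v.verdict:<13} {v.name}  ->  {v.resolved}")
    print("safe:", safe_to_extract(SAMPLE_ENTRIES, dest))
```

The check deliberately works on the Windows path rules (`ntpath`) regardless of the host it runs on, so the same logic can sit in a mail gateway sandbox on Linux. Refusing the whole archive when any entry fails, rather than skipping the bad entry, matches the "warn but still extract" behaviour the article identifies as the flaw.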
Multi-Layer Persistence Mechanisms
Once executed at logon, the Batch script performs several malicious actions. It is heavily obfuscated, using extensive variable indirection, randomized naming, and loop-based execution flow to complicate static analysis.
The script creates a hidden directory at %APPDATA%\Microsoft\D1HvyuJFBR7g and copies itself into this location with the Hidden attribute set. For redundant persistence, a registry Run key is created under the current user context to ensure execution at every subsequent logon.
To evade security controls, the script removes the Mark-of-the-Web Zone.Identifier alternate data stream using PowerShell, suppressing Windows SmartScreen warnings and security prompts that would otherwise alert the user to potentially dangerous files downloaded from the internet.
Fileless PowerShell Loader
The Batch script reads its own file contents and locates a marker-delimited Base64 payload embedded within. This payload is decoded to a temporary PowerShell script and executed with ExecutionPolicy Bypass, a hidden window, and NoProfile flags to enable fileless execution. After launching the PowerShell loader, the Batch script deletes itself to reduce forensic artifacts.
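The persistence steps in the previous section and the loader launch described here each leave a distinct endpoint telemetry footprint. The following Python is an added example, not code from CYFIRMA or the campaign: it runs three rules over constructed Sysmon-style records (EID 1 ProcessCreate, EID 11 FileCreate, EID 13 RegistryValueSet) for writes to the Startup folder, HKCU Run keys pointing at a script under AppData, and PowerShell launched with ExecutionPolicy Bypass, a hidden window, NoProfile or Base64 content, then correlates the first two into a single redundant-persistence alert per user. Field names follow Sysmon's; the usernames, SID, process paths and sample values are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

Event = Dict[str, object]
Alert = Dict[str, str]

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Sysmon reports per-user hives as HKU\<SID>; HKCU is accepted for other log sources.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21(?:-\d+)+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
# PowerShell accepts unambiguous parameter prefixes, so the short forms are matched too.
PS_FLAGS = {
    "executionpolicy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "noprofile": re.compile(r"-(?:nop|noprofile)\b", re.I),
    "base64_content": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}|FromBase64String", re.I),
}

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon-style records: three malicious, three benign.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 11, "User": "WS01\\alice", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"},
    {"EventID": 11, "User": "WS01\\alice", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\osint\\Free 2026 Osint Tools.txt"},
    {"EventID": 13, "User": "WS01\\alice", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\D1HvyuJFBR7g\\update.bat"},
    {"EventID": 1, "User": "WS01\\alice", "Image": PS_EXE, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1234.ps1"},
    {"EventID": 1, "User": "WS01\\alice", "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem"},
    {"EventID": 13, "User": "WS01\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def _alert(rule: str, severity: str, ev: Event, detail: str) -> Alert:
    return {"rule": rule, "severity": severity, "user": str(ev["User"]),
            "image": str(ev["Image"]), "detail": detail}


def rule_startup_write(ev: Event) -> Optional[Alert]:
    # Any file landing in the Startup folder runs at next logon.
    if ev["EventID"] == 11 and STARTUP_RE.search(str(ev["TargetFilename"])):
        return _alert("startup_folder_write", "high", ev, str(ev["TargetFilename"]))
    return None


def rule_run_key(ev: Event) -> Optional[Alert]:
    if ev["EventID"] != 13 or not RUN_KEY_RE.search(str(ev["TargetObject"])):
        return None
    target = str(ev.get("Details", "")).lower()
    # A Run value pointing at a script under AppData is far more suspicious
    # than one pointing at an installed program.
    sev = "high" if target.endswith(SCRIPT_EXT) and "\\appdata\\" in target else "medium"
    return _alert("hkcu_run_key_set", sev, ev, str(ev["TargetObject"]))


def rule_powershell(ev: Event) -> Optional[Alert]:
    if ev["EventID"] != 1 or not str(ev["Image"]).lower().endswith("powershell.exe"):
        return None
    hits = [name for name, rx in PS_FLAGS.items() if rx.search(str(ev["CommandLine"]))]
    # One flag alone (e.g. -NoProfile) is common in admin scripts; two or more is not.
    if len(hits) >= 2:
        return _alert("suspicious_powershell_launch", "high", ev, ",".join(hits))
    return None


RULES = (rule_startup_write, rule_run_key, rule_powershell)


def evaluate(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            a = rule(ev)
            if a:
                alerts.append(a)
    # Startup write plus a Run key from the same user is the redundant
    # persistence pattern described above; raise one combined alert per user.
    seen = defaultdict(set)
    for a in alerts:
        seen[a["user"]].add(a["rule"])
    for user, rules in seen.items():
        if {"startup_folder_write", "hkcu_run_key_set"} <= rules:
            alerts.append({"rule": "redundant_persistence", "severity": "critical", "user": user,
                           "image": "-", "detail": "Startup folder write and HKCU Run key set by same user"})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']:<8}] {a['rule']:<28} {a['user']}  {a['detail']}")
```

The two benign records (a normal download write and a PowerShell session with only `-NoProfile`) produce nothing, which is the point of requiring two launch flags and of weighting Run values by what they point at.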
The PowerShell loader enforces single-instance execution using a named mutex and enumerates running processes to identify injection targets. The loader defines direct imports of critical Windows APIs from kernel32.dll including OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread for remote process manipulation.
An embedded byte array is decrypted using XOR operations with key 87, revealing Donut-generated shellcode. The loader injects this shellcode into explorer.exe as the primary target due to its stability, trust level, and persistence within user sessions. If explorer.exe is unavailable, svchost.exe serves as a fallback injection target.
Self-Healing Watchdog Mechanism
To maintain persistent execution, the loader implements a continuous watchdog mechanism that monitors whether the injected process remains active. Operating within a timed loop, the watchdog periodically verifies process health. If termination is detected, the loader immediately attempts to reinject the payload into a newly spawned explorer.exe instance, falling back to svchost.exe if necessary.
This self-healing capability significantly increases resilience, as simply terminating the infected process does not remove the threat. The mechanism complicates incident response and prolongs attacker access even when defenders identify and kill malicious processes.
Donut Shellcode Enables In-Memory Execution
Analysis of the decrypted payload confirms Donut-generated shellcode, a framework widely abused for executing .NET assemblies entirely in memory. The shellcode is position-independent and supports both x86 and AMD64 architectures, allowing reliable operation across Windows systems.
Rather than dropping an executable to disk, Donut initializes the .NET Common Language Runtime directly within the address space of the injected process. The embedded .NET assembly loads and executes in memory without creating corresponding files on disk, significantly reducing forensic artifacts and bypassing traditional signature-based detection.
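The loader behaviour in the last three sections (the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain into explorer.exe, the watchdog that re-injects into a fresh explorer.exe, and CLR initialization inside the injected process) can be detected as one correlated pattern. The following Python is an added example, not code from CYFIRMA or the campaign: it scans a constructed cross-process API trace for the ordered chain per source/target pair within a time window, flags a source that repeats the chain into a second target as watchdog-style re-injection, and matches CLR module loads (Sysmon EID 7 style records) against injected targets. The record layout, process names, PIDs and timings are assumptions modelled on what an EDR would emit.

```python
from collections import defaultdict
from typing import Dict, List

INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
CLR_MODULES = {"clr.dll", "mscoree.dll", "clrjit.dll", "coreclr.dll"}

Record = Dict[str, object]


def _calls(src_pid: int, src_image: str, dst_pid: int, dst_image: str, t0: float, apis) -> List[Record]:
    return [{"t": t0 + i, "pid": src_pid, "image": src_image, "api": api,
             "target_pid": dst_pid, "target_image": dst_image} for i, api in enumerate(apis)]


# Constructed API trace: full chain into explorer.exe (PID 2332); explorer.exe
# is later killed and the same source repeats the chain into the new instance
# (PID 5108). An AV engine that only opens a handle and reads memory is benign.
API_TRACE: List[Record] = (
    _calls(4120, "powershell.exe", 2332, "explorer.exe", 0.0, INJECTION_CHAIN)
    + _calls(900, "MsMpEng.exe", 2332, "explorer.exe", 5.0, ("OpenProcess", "ReadProcessMemory"))
    + _calls(4120, "powershell.exe", 5108, "explorer.exe", 31.0, INJECTION_CHAIN)
)
# Constructed module-load records; devenv.exe legitimately hosts the CLR.
MODULE_LOADS: List[Record] = [
    {"t": 4.0, "pid": 2332, "image": "explorer.exe", "module": "clr.dll"},
    {"t": 6.0, "pid": 7000, "image": "devenv.exe", "module": "clr.dll"},
    {"t": 35.0, "pid": 5108, "image": "explorer.exe", "module": "clr.dll"},
]


def find_injection_sequences(trace: List[Record], window: float = 5.0) -> List[Record]:
    """Ordered chain per (source, target) pair; other calls may interleave."""
    by_pair = defaultdict(list)
    for r in trace:
        by_pair[(r["pid"], r["target_pid"])].append(r)
    found: List[Record] = []
    for calls in by_pair.values():
        calls.sort(key=lambda r: r["t"])
        step, start = 0, 0.0
        for c in calls:
            if step and c["t"] - start > window:   # chain took too long: start over
                step = 0
            if c["api"] == INJECTION_CHAIN[step]:
                if step == 0:
                    start = c["t"]
                step += 1
                if step == len(INJECTION_CHAIN):
                    found.append({"source_pid": c["pid"], "source_image": c["image"],
                                  "target_pid": c["target_pid"], "target_image": c["target_image"],
                                  "t_start": start, "t_end": c["t"]})
                    step = 0
    return found


def find_reinjection(seqs: List[Record]) -> List[Record]:
    """Same source injecting into more than one target: the watchdog pattern."""
    by_src = defaultdict(list)
    for s in seqs:
        by_src[s["source_pid"]].append(s)
    out: List[Record] = []
    for src, items in by_src.items():
        targets = sorted({s["target_pid"] for s in items}, key=lambda p: min(s["t_start"] for s in items if s["target_pid"] == p))
        if len(targets) >= 2:
            out.append({"source_pid": src, "source_image": items[0]["source_image"], "targets": targets})
    return out


def clr_loads_in_injected_targets(seqs: List[Record], loads: List[Record]) -> List[Record]:
    """CLR initialised in a process only after it was injected into."""
    hits: List[Record] = []
    for ld in loads:
        if str(ld["module"]).lower() not in CLR_MODULES:
            continue
        for s in seqs:
            if s["target_pid"] == ld["pid"] and ld["t"] >= s["t_end"]:
                hits.append({**ld, "injected_by": s["source_pid"]})
                break
    return hits


def summarize(trace: List[Record], loads: List[Record]) -> Dict[str, int]:
    seqs = find_injection_sequences(trace)
    return {"injection_sequences": len(seqs),
            "reinjection_sources": len(find_reinjection(seqs)),
            "clr_in_injected": len(clr_loads_in_injected_targets(seqs, loads))}


if __name__ == "__main__":
    print(summarize(API_TRACE, MODULE_LOADS))
```

Requiring the full ordered chain keeps handle-only access by security tools out of the alert set, while the re-injection and CLR correlations turn two medium-confidence signals into the specific "fileless .NET loader with watchdog" pattern that the article describes.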
Quasar RAT Final Payload
The final payload is identified as Quasar RAT, a well-known open-source remote administration tool frequently repurposed for malicious operations. Written in C#, Quasar RAT provides comprehensive remote access capabilities including remote desktop viewing and control, file upload and download, keylogging and clipboard monitoring, credential and system information harvesting, arbitrary command execution, and registry manipulation.
Dynamic analysis observed active outbound command-and-control communication from infected hosts to 91.92.243.10 on TCP port 4783. The use of a direct IP address and non-standard port aligns with known Quasar RAT deployments where hardcoded infrastructure maintains reliable C2 while minimizing DNS-based detection indicators.
Broader Threat Landscape Implications
CYFIRMA researchers noted the campaign reflects a broader shift toward trust-abuse-based initial access and low-noise fileless post-exploitation techniques. Rather than relying on exploit kits, macros, or privilege escalation, threat actors increasingly exploit weaknesses in widely trusted applications and routine user workflows.
Archive-based delivery has become particularly effective as it often bypasses email and web gateway controls while exploiting normal user behavior. Vulnerabilities like CVE-2025-8088 enable attackers to establish persistence at extraction time, before traditional security mechanisms can meaningfully intervene.
Organizations lacking proactive vulnerability management, behavioral monitoring, and memory-level detection capabilities remain particularly exposed as adversaries continue to favor stealth, resilience, and operational efficiency over exploit complexity.
Recommendations
Organizations should prioritize patching WinRAR and other widely deployed archive utilities. Security teams should implement content inspection and behavioral analysis for archive-based deliveries at email and web gateways, treating anomalous archive extraction behavior, including path traversal attempts and writes to auto-execution directories, as a high-confidence indicator of compromise.
Endpoint detection controls should monitor unauthorized modifications to the Windows Startup directory and registry Run keys under HKCU. PowerShell activity using ExecutionPolicy Bypass, hidden windows, and Base64-decoded content should generate alerts. Security tools should flag behaviors indicative of process injection, particularly sequential invocation of OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread targeting trusted processes.
Given the use of Donut-generated shellcode, organizations should deploy memory-level detection capable of identifying anomalous CLR initialization within non-.NET parent processes and in-memory .NET assemblies loaded without corresponding disk files.
Indicators of Compromise
The following SHA256 hashes and network indicator are associated with this campaign:
RAR archive: 4b82f29b17b977a42f08d4f47a505740a31be273ecd76f9655643ed5ce44bb86
Batch script: d722f6b162a8cc49867856f94961ed7827ba4975a20632f6cdc6eba1096e3263
Donut shellcode: bf12a13ed0fac0de3dba45f65f14e67b0b62a30cde88ae18785328c8b34b5995
RAT payload: 198f2767f04680098a037ac03c089e3d400dc63e7d276b36eebbebed4e85e067
Command-and-control server: 91.92.243.10 (TCP port 4783)