The advanced persistent threat (APT) group APT-C-08, also known as Manlinghua or BITTER, is actively exploiting a critical directory traversal vulnerability in WinRAR to target government organizations across South Asia. This sophisticated campaign represents the group’s first documented use of CVE-2025-6218, a flaw that allows attackers to bypass file system restrictions and execute malicious code on compromised systems. The vulnerability affects WinRAR versions 7.11 and earlier.
APT-C-08 has a history of focusing on espionage against government agencies, military-industrial complexes, and academic institutions within South Asia. Their methods often involve weaponizing documents to trick recipients into executing malicious payloads. This latest campaign’s reliance on the WinRAR flaw is particularly concerning because enterprises struggle to patch WinRAR consistently, and it marks a significant escalation in the group’s operational tactics.
APT-C-08 Exploits WinRAR Vulnerability in Government Attacks
Researchers recently uncovered the malware campaign by identifying weaponized RAR archives. These archives contained deceptively named files, such as “Provision of Information for Sectoral for AJK[.]rar,” which were designed to mislead potential victims. The malicious archives exploit CVE-2025-6218 by using specially crafted file paths that include spaces after directory traversal sequences. This technique circumvents WinRAR’s path normalization, tricking the software into writing files to unintended locations.
Once a victim extracts the malicious archive, the exploit deposits a malicious file named “Normal.dotm.” This file is placed in the Windows template directory, specifically at C:\Users\[username]\AppData\Roaming\Microsoft\Templates. This location is critical because Microsoft Word automatically loads template files from this directory, establishing persistence for the attackers without requiring direct user interaction beyond initially opening the extracted content.
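The two paragraphs above describe the core of the bug: a traversal component written as “.. ” (with a trailing space) slips past a naive path check, yet Windows drops the trailing space when the file is created, so the entry still lands in the Templates directory. The following triage script, added here as an example and not code from the researchers or from WinRAR, models that behaviour to flag archive entry names that would escape the extraction directory. The entry names, the extraction root and the normalization model are constructed assumptions based on the article, not WinRAR’s actual code.

```python
"""Flag archive entry names that would land outside the extraction root.

Added example for this article (not researcher or WinRAR code). The
normalization model is an assumption: Windows strips trailing spaces from
each path component when creating a file, so ".. " resolves like "..".
"""
import posixpath
from typing import Dict, List

ROOT = "/extract"  # assumed extraction directory (POSIX form so it runs anywhere)

# Constructed sample listing; the Templates path mirrors the one in the article.
SAMPLE_ENTRIES: List[str] = [
    "Provision of Information for Sectoral for AJK.pdf",
    "docs/../readme.txt",
    "../../Windows/Temp/x.exe",
    ".. /.. /.. /AppData/Roaming/Microsoft/Templates/Normal.dotm",
    "C:\\Users\\Public\\x.dll",
]


def resolves_outside(name: str, strip_trailing_spaces: bool) -> bool:
    """Return True if `name` would be written outside ROOT once extracted."""
    parts = name.replace("\\", "/").split("/")
    if strip_trailing_spaces:
        # Model the on-disk result: Windows drops trailing spaces per component.
        parts = [p.rstrip(" ") for p in parts]
    # Absolute paths, UNC paths and drive letters are never legitimate entries.
    if name[:1] in ("/", "\\") or (len(parts[0]) == 2 and parts[0][1] == ":"):
        return True
    resolved = posixpath.normpath(posixpath.join(ROOT, *parts))
    return not resolved.startswith(ROOT + "/")


def triage(entries: List[str]) -> Dict[str, List[str]]:
    """Compare a naive check with one that models trailing-space stripping."""
    naive = [e for e in entries if resolves_outside(e, strip_trailing_spaces=False)]
    hardened = [e for e in entries if resolves_outside(e, strip_trailing_spaces=True)]
    return {
        "naive": naive,
        "hardened": hardened,
        "missed_by_naive": [e for e in hardened if e not in naive],
    }


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_ENTRIES).items():
        print(f"{verdict}:")
        for n in names:
            print(f"  {n!r}")
```

Feed the script a real listing (for example the output of an archive lister) to see which entries a check that ignores trailing spaces would have let through.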
Infection Mechanism and Code Execution
The attack chain demonstrates a deep understanding of Windows system architecture, enabling stealthy execution. Upon extraction, the malicious “Normal.dotm” file, identified by its MD5 hash 4bedd8e2b66cc7d64b293493ef5b8942, is triggered when the victim opens any Microsoft Word document. This action initiates Visual Basic for Applications (VBA) macros embedded within the template.
These macros then execute the “net use” command, a standard Windows utility for mapping network drives. However, in this malicious context, the command is used to map remote directories from an attacker-controlled server to the victim’s local machine. Following this network mapping, the macro proceeds to launch “winnsc.exe” from that remote server, which then establishes persistent command execution capabilities for the threat actors.
This multi-stage infection process is designed for maximum stealth. The initial document opening appears innocuous, while the underlying macros work to establish remote access and control. This sophisticated approach allows APT-C-08 operators to maintain a low profile as they infiltrate targeted government networks and exfiltrate sensitive information.
The exploit’s ease of execution and high success rate have led cybersecurity professionals to recommend immediate action. Organizations are strongly advised to patch all WinRAR installations to mitigate the CVE-2025-6218 vulnerability. Furthermore, implementing application allowlisting can restrict macro execution within Microsoft Office templates, providing an additional layer of defense.
For organizations that handle sensitive government data, enhanced threat detection monitoring is crucial. This includes looking for suspicious network mapping activity, such as unusual “net use” commands, and monitoring for macro-based indicators of compromise across their networks. Staying vigilant and proactive is key to defending against persistent and evolving threats such as those posed by APT-C-08.