Abuse of WinRAR CVE-2025-8088 to Deploy Quasar RAT
Jan 18, 2026
Executive Summary
This investigation analyzes a malicious archive named “Coinbase Vmed Lines (Data).zip”, reported on X by the user @smica83. Despite the .zip extension, the file is a RAR archive, and it abuses WinRAR vulnerabilities, specifically CVE-2025-8088, to deliver a multi-stage malware payload.

CVE-2025-6218 is a high-severity WinRAR directory traversal vulnerability: a crafted archive can write files outside the directory the user chose for extraction, and a file planted in an auto-run location gives code execution as the extracting user. CVE-2025-8088 is a related path traversal flaw in the handling of NTFS Alternate Data Streams (ADS): a stream name stored in the archive can contain ..\ sequences, so WinRAR writes the stream content to an attacker-chosen path, which supports stealthy placement of payloads for persistence and evasion. Both vulnerabilities have been actively exploited in the wild and are fixed in current WinRAR releases (7.12 and 7.13 respectively); older installations remain exposed.
In this campaign, the malicious archive leverages these flaws to drop a batch script into the Windows Startup folder, so it runs at the next user logon. A decoy file containing purported Coinbase user data is included to reduce suspicion and encourage interaction. Once executed, the malware follows a staged execution chain: an obfuscated batch script, PowerShell-based payload decoding, in-memory shellcode injection, and finally the deployment of Quasar RAT, an open-source remote access trojan commonly abused by threat actors.
The final payload provides attackers with full remote control over the infected system, including surveillance, credential theft, file manipulation, and command execution capabilities. The observed behavior indicates a focus on persistence, stealth, and long-term access rather than immediate destructive activity.
Infection Chain

Key Findings
A malicious RAR archive named “Coinbase Vmed Lines (Data).zip” was reported on X by the researcher @smica83, rather than directly distributed by them. The archive uses leaked Coinbase data as a lure.
The archive exploits two WinRAR vulnerabilities, CVE-2025-6218 and CVE-2025-8088, using directory traversal and NTFS Alternate Data Stream abuse to write files outside the intended extraction path and obtain code execution as the user who extracts it.
Successful exploitation results in a multi-stage infection chain that begins with an obfuscated batch script dropped into the Windows Startup folder, which runs it at every logon.
A decoy text file containing purported Coinbase user information is included to reduce suspicion and encourage user interaction.
The batch script decodes and executes an embedded PowerShell payload that performs system discovery, mutex checks, and in-memory shellcode injection.
Shellcode generated with Donut is injected into a legitimate Windows process (explorer.exe, with a fallback to svchost.exe) to evade detection and keep running.
The final payload is identified as Quasar RAT, an open-source C# remote access trojan that provides extensive remote control, surveillance, credential theft, and system manipulation capabilities.
Command-and-control traffic is encrypted and configured to connect to 91.92.243.10 on port 4783, enabling persistent attacker access.
The observed behavior indicates a focus on stealth, persistence, and long-term access rather than immediate destructive activity.
This case highlights the continued abuse of archive-based initial access vectors and the security risks posed by unpatched WinRAR installations vulnerable to actively exploited flaws.
Technical Analysis
Stage 1: Coinbase Vmed Lines (Data).Rar
Listing the RAR file in 7-Zip already shows the CVE-2025-8088 technique: besides a ZIP file that serves as the decoy, the archive contains entries whose paths are built to escape the extraction directory and place the infection files where the attacker wants them.

Further inspection in 7-Zip shows that the archive is configured to drop s.bat into AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Windows runs everything in that folder at user logon, so the batch script executes every time the victim signs in, which establishes persistence.
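The traversal that the 7-Zip listing reveals can be checked without extracting anything. The following Python script is an added example, not code from the original post: it walks the RAR5 block headers (signature, main header, file and service headers, end header), verifies each header CRC32, and reports every entry whose name, or whose NTFS stream name, contains a .. component or an absolute path. The file-header layout follows the published RAR5 format; that an ADS is carried as a service header named STM with the stream name in the extra record of type 7 (service data) is this example's assumption about the format. The sample archive at the bottom is constructed here so the script runs offline; it is not the Coinbase sample.

```python
import binascii
import re
import struct

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
EXTRA_SUBDATA = 7  # "service data" extra record; assumed to carry the STM stream name
TRAVERSAL = re.compile(r"(^|[\\/:])\.\.([\\/]|$)")  # ".." as a whole path component
ABSOLUTE = re.compile(r"^([A-Za-z]:|[\\/])")        # drive letter or root-relative


def read_vint(buf, pos):
    """RAR5 variable-length integer: 7 data bits per byte, MSB set = another byte follows."""
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def scan_rar5(data):
    """Yield (htype, name, stream_name) for every file/service header, checking each header CRC32."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(data):
        crc = struct.unpack_from("<I", data, pos)[0]
        head_size, body = read_vint(data, pos + 4)
        head_end = body + head_size               # header size counts from the type field
        if binascii.crc32(data[pos + 4:head_end]) != crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = read_vint(data, body)
        hflags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if hflags & 0x1 else (0, p)
        data_size, p = read_vint(data, p) if hflags & 0x2 else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(data, p)
            _unpacked_size, p = read_vint(data, p)
            _attributes, p = read_vint(data, p)
            p += (4 if fflags & 0x2 else 0) + (4 if fflags & 0x4 else 0)  # optional mtime, data CRC32
            _compression, p = read_vint(data, p)
            _host_os, p = read_vint(data, p)
            name_len, p = read_vint(data, p)
            name = data[p:p + name_len].decode("utf-8", "replace")
            stream, ep = None, head_end - extra_size
            while ep < head_end:                  # extra records: size, type, payload
                rec_size, rp = read_vint(data, ep)
                rec_type, payload = read_vint(data, rp)
                if htype == HEAD_SERVICE and name == "STM" and rec_type == EXTRA_SUBDATA:
                    stream = data[payload:rp + rec_size].decode("utf-8", "replace")
                ep = rp + rec_size
            yield htype, name, stream
        pos = head_end + data_size                # skip the packed data after the header
        if htype == HEAD_END:
            break


def escaping_paths(data):
    """(kind, path) for each name or ADS name that would land outside the extraction directory."""
    hits = []
    for _htype, name, stream in scan_rar5(data):
        for kind, path in (("name", name), ("ads", stream)):
            if path and (TRAVERSAL.search(path) or ABSOLUTE.match(path)):
                hits.append((kind, path))
    return hits


# ---- constructed sample archive, built here for the demo (not the real Coinbase file) ----
def vint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))


def block(htype, body, extra=b"", data=b""):
    flags = (0x1 if extra else 0) | (0x2 if data else 0)
    fields = vint(htype) + vint(flags) + (vint(len(extra)) if extra else b"")
    fields += (vint(len(data)) if data else b"") + body + extra
    hdr = vint(len(fields)) + fields
    return struct.pack("<I", binascii.crc32(hdr)) + hdr + data


def entry(htype, name, data=b"", stream=None):
    # file flags 0 (no mtime/CRC), unpacked size, attrs 0x20, method store, host OS Windows
    body = vint(0) + vint(len(data)) + vint(0x20) + vint(0) + vint(0) + vint(len(name)) + name
    rec = vint(EXTRA_SUBDATA) + stream if stream is not None else b""
    return block(htype, body, vint(len(rec)) + rec if rec else b"", data)


STARTUP = b"AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\s.bat"
SAMPLE = (RAR5_SIG + block(HEAD_MAIN, vint(0))
          + entry(HEAD_FILE, b"Coinbase Vmed Lines (Data).zip", b"PK\x05\x06" + b"\x00" * 18)
          + entry(HEAD_FILE, b"..\\..\\..\\" + STARTUP, b"@echo off\r\n")
          + entry(HEAD_SERVICE, b"STM", b"@echo off\r\n", stream=b":..\\..\\..\\" + STARTUP)
          + block(HEAD_END, vint(0)))
```

Running escaping_paths(open(path, "rb").read()) on a real archive returns both kinds of finding: the plain-name traversal of the CVE-2025-6218 style and the ADS-name traversal of the CVE-2025-8088 style, with the decoy entry left alone. Encrypted headers, multi-volume sets and RAR4 are out of scope for the scanner.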

Decoy:
Inspecting the decoy ZIP file reveals a TXT file containing what appears to be Coinbase user data. The contents include fields resembling a number, email address, name, and age, likely used to make the lure appear legitimate.

Stage 2: s.bat
Inspecting the batch script shows that it is heavily obfuscated and not readable as-is. At the bottom of the script sits a large blob of data, which, as the following steps show, is the encoded payload used to load and execute the next stage.

After deobfuscating the script, its logic becomes readable: it first relaunches itself in a minimized window.

Next, it defines several configuration values such as:
Persistence Run key registry path
Path to the batch file to be executed
Related execution variables
The script then checks if the directory %APPDATA%\Microsoft\gpJIsu24IygY exists. If it does not, the directory is created and its attributes are set to hidden.
It copies itself into this directory under a randomly generated filename, removes the Zone.Identifier stream (the Mark of the Web) from the copy via PowerShell, and establishes persistence through the CurrentVersion\Run registry key, where a value runs cmd.exe to execute the batch file.

Next, the script locates a large Base64-encoded blob embedded in the file as a line of the form ::RandomLetters::Base64Blob (cmd.exe treats a line starting with :: as a label, so the data is never executed directly). The data is decoded and written to the temporary directory under a random filename with a .ps1 extension.
The PowerShell script is launched with the execution policy bypassed and a hidden window style. Once it completes, the batch script deletes itself and exits.
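The persistence steps above leave a small, recognizable set of host telemetry events. The Python below is an added example, not from the original post: it runs four detection rules over Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) and alerts only when several stages of the chain appear together. The events are constructed for the demo; the user name, SID and the kq8x2m name are invented, while gpJIsu24IygY and ps_SVzeei5v.ps1 come from the post. The literal commands for the hidden-attribute and Zone.Identifier steps (attrib +h, Unblock-File) are assumptions about how the script performs the actions the post describes, so the rules should be treated as starting points.

```python
import re

# Sysmon-style field names: EventID 1 = ProcessCreate, EventID 13 = RegistryEvent (value set)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
HIDDEN_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\[A-Za-z0-9]{8,}", re.I)  # random name under Microsoft\
TEMP_PS1 = re.compile(r"\\Temp\\[^\\\"']+\.ps1", re.I)
MOTW_STRIP = re.compile(r"Zone\.Identifier|Unblock-File", re.I)
PS_BYPASS = re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I)
PS_HIDDEN = re.compile(r"-(WindowStyle|w)\s+Hidden", re.I)


def is_process(ev, exe):
    """True for a process-creation event whose image is the given executable name."""
    return ev.get("EventID") == 1 and ev.get("Image", "").lower().endswith("\\" + exe)


def cmd(ev):
    return ev.get("CommandLine", "")


RULES = {
    # a Run value whose data launches cmd.exe on a .bat file
    "run_key_launches_bat": lambda ev: ev.get("EventID") == 13
        and RUN_KEY.search(ev.get("TargetObject", ""))
        and re.search(r"\bcmd(\.exe)?\b.*\.bat\b", ev.get("Details", ""), re.I),
    # attrib +h on a randomly named directory directly under %APPDATA%\Microsoft (assumed command)
    "hidden_dir_under_appdata_microsoft": lambda ev: is_process(ev, "attrib.exe")
        and "+h" in cmd(ev).lower() and HIDDEN_DIR.search(cmd(ev)),
    # PowerShell used to strip the Mark of the Web from a dropped file (assumed command)
    "motw_removed_by_powershell": lambda ev: is_process(ev, "powershell.exe") and MOTW_STRIP.search(cmd(ev)),
    # PowerShell launched with bypass AND hidden window on a .ps1 in a Temp directory
    "hidden_bypass_ps1_from_temp": lambda ev: is_process(ev, "powershell.exe")
        and PS_BYPASS.search(cmd(ev)) and PS_HIDDEN.search(cmd(ev)) and TEMP_PS1.search(cmd(ev)),
}


def triage(events):
    """Map each rule that fired to the indexes of the events that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def verdict(hits, min_rules=3):
    """Alert only when several stages of the chain are present; any single rule is noisy on its own."""
    return len(hits) >= min_rules


# ---- constructed events: invented user, SID and file names, shaped like the chain in the post ----
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\gpJIsu24IygY"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": 'attrib +h "%s"' % DROP_DIR},
    {"EventID": 1, "Image": PS,
     "CommandLine": r"powershell -NoProfile -Command Unblock-File -LiteralPath %s\kq8x2m.bat" % DROP_DIR},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\kq8x2m",
     "Details": r'cmd.exe /c "%s\kq8x2m.bat"' % DROP_DIR},
    {"EventID": 1, "Image": PS,
     "CommandLine": r'powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\victim\AppData\Local\Temp\ps_SVzeei5v.ps1"'},
    # benign control: bypass without a hidden window, script under Program Files
    {"EventID": 1, "Image": PS,
     "CommandLine": r'powershell -ExecutionPolicy Bypass -File "C:\Program Files\Vendor\update.ps1"'},
]
```

triage(EVENTS) fires all four rules on the first four events and nothing on the benign control, so verdict() returns True; on the control alone it returns False. The threshold is the important design choice: -ExecutionPolicy Bypass on its own is common in legitimate administration, and the chain is only convincing when the hidden directory, the Run value and the hidden-window PowerShell launch appear together on one host.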

Stage 3: ps_SVzeei5v.ps1
Inspecting the PowerShell script shows that it performs basic system discovery by collecting the current date, computer name, and username. A mutex is then used to ensure single execution; if the mutex already exists, the script exits, otherwise it creates the mutex.

The script enumerates running processes to obtain the process ID of explorer.exe and identifies the operating system version.

It then defines an XOR key with the value 95 (0x5F) and decodes an embedded byte array by XORing each byte with that key. Single-byte XOR is trivially reversible; its purpose here is to keep the shellcode out of static scans, not to protect it.


Using the Windows APIs OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThreadEx (the classic remote-thread injection sequence), the decoded shellcode is written into explorer.exe and executed there, followed by a brief sleep.

The script includes a fallback mechanism where it checks whether the injected explorer.exe process is still running. If the process has exited, the shellcode is injected into svchost.exe using the same technique.
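Both embedded payloads in the chain can be recovered statically, without running either script. The Python below is an added example, not the post's code: it pulls the ::RandomLetters::Base64Blob line out of the batch stage and decodes it (cmd.exe treats a line beginning with :: as a label, so the blob is never executed by the interpreter), then locates the XOR key and the [byte[]] literal in the PowerShell stage and decodes the shellcode. The two sample scripts at the bottom are constructed; the variable names $k and $enc, the label qWzXpL and the placeholder bytes are invented, only the key value 95 comes from the post, and the real scripts are obfuscated, so the regular expressions are starting points to adapt rather than signatures.

```python
import base64
import re

MARKER_LINE = re.compile(r"^::[A-Za-z]+::([A-Za-z0-9+/=]{16,})\s*$", re.M)  # ::RandomLetters::Base64Blob
BXOR_VAR = re.compile(r"-bxor\s+\$(\w+)", re.I)                              # which variable holds the key
BYTE_ARRAY = re.compile(r"\[byte\[\]\]\s*\$\w+\s*=\s*@\(([^)]*)\)", re.I | re.S)


def extract_bat_payload(bat_text):
    """Return the Base64-decoded bytes hidden in the batch file behind a '::label::' line."""
    m = MARKER_LINE.search(bat_text)
    if m is None:
        raise ValueError("no ::marker::base64 line found")
    return base64.b64decode(m.group(1), validate=True)


def extract_shellcode(ps_text):
    """Find the XOR key and the [byte[]] literal in the PowerShell stage and decode it."""
    key_var = BXOR_VAR.search(ps_text)
    if key_var is None:
        raise ValueError("no -bxor expression found")
    key = int(re.search(r"\$%s\b\s*=\s*(\d+)" % re.escape(key_var.group(1)), ps_text).group(1))
    literal = BYTE_ARRAY.search(ps_text).group(1)
    encoded = bytes(int(tok, 0) for tok in re.split(r"[\s,]+", literal.strip()) if tok)
    return key, bytes(b ^ key for b in encoded)


def unpack_chain(bat_text):
    """Batch -> embedded PowerShell -> XOR-decoded shellcode, in the order the infection runs it."""
    ps_text = extract_bat_payload(bat_text).decode("utf-8")
    key, shellcode = extract_shellcode(ps_text)
    return ps_text, key, shellcode


# ---- constructed samples (shape only; the real scripts are obfuscated and use other names) ----
KEY = 95                                                     # the value reported in the analysis
PLAINTEXT = b"constructed stand-in for the Donut shellcode"  # placeholder bytes, not real shellcode


def ps_array_literal(blob, key):
    """The encoded array as the PowerShell stage carries it: each byte XORed with the key."""
    return ", ".join("0x%02X" % (b ^ key) for b in blob)


SAMPLE_PS1 = """$d = Get-Date; $cn = $env:COMPUTERNAME; $un = $env:USERNAME
$k = %d
[byte[]]$enc = @(%s)
$sc = [byte[]]::new($enc.Length)
for ($i = 0; $i -lt $enc.Length; $i++) { $sc[$i] = $enc[$i] -bxor $k }
""" % (KEY, ps_array_literal(PLAINTEXT, KEY))

SAMPLE_BAT = "@echo off\r\nrem constructed sample, obfuscation omitted\r\n::qWzXpL::%s\r\n" % (
    base64.b64encode(SAMPLE_PS1.encode()).decode())
```

unpack_chain(SAMPLE_BAT) returns the PowerShell text, the key 95 and the placeholder bytes. On a real sample the decoded buffer is the Donut blob the next section discusses, so the output of this step is what goes into Detect It Easy and donut-decryptor; if the decoded Base64 is not valid UTF-8, check whether the batch wrote a UTF-16 script instead.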

Stage 4: Donut Shellcode
Inspection of the shellcode using Detect It Easy shows that it was generated using Donut, an open-source shellcode generator commonly used to convert PE files or .NET assemblies into position-independent shellcode for in-memory execution.

The shellcode was converted back into a PE file using Donut-Decryptor from Volexity for further analysis.
Stage 5: Quasar RAT
The extracted PE is a .NET sample with observable obfuscation when analyzed in Detect It Easy.

A VirusTotal lookup indicates that the payload is Quasar RAT, an open-source C# remote access trojan.

To confirm this, the configuration was inspected and string_5, when AES-decrypted, resolves to “Quasar Client Startup”.
Quasar RAT is an open-source remote administration tool written in C#. While legitimate in origin, it has been widely adopted in malicious campaigns because of its feature set and modular architecture, and threat actors frequently deploy it to maintain long-term remote control over compromised systems. Its capabilities include:
Communication & Control
Uses encrypted communication to avoid simple traffic inspection
Provides stable command-and-control with heartbeat checks
Supports managing multiple infected systems at once
Surveillance & Monitoring
Real-time remote desktop viewing and control
Screenshot capture on demand or at timed intervals
Keylogging for recording typed input
Clipboard monitoring to capture copied text
Camera & Audio Capture
Webcam snapshot capture
Low-frame-rate stealth video capture (variant-dependent)
Microphone audio recording for room surveillance
File System Operations
Browsing of files and directories
Uploading and downloading files in compressed form
Silent deletion, modification, renaming, or execution of files
Credential & Data Extraction
Extracts saved browser passwords and cookies
Retrieves stored Wi-Fi credentials
Reads certain Windows credential store items
Collects session details useful for privilege escalation
System Profiling & Control
Gathers full hardware and OS profiling information
Identifies installed software and domain/AD details
Enumerates running processes and services
Allows starting or terminating processes
Can reboot, shut down, or lock the system
Command Execution & Registry Interaction
Built-in remote command shell for executing arbitrary commands
Can run scripts or internal tools silently
Supports reading, editing, or deleting registry entries

Next, the extracted C2 configuration shows that the malware connects to the IP address 91.92.243.10 on port 4783.

IOCs
SHA256
68e81b51336c63dab48d50cf51fb098d16936969d0241874a427900cae21b8bc  Coinbase Vmed Lines ( Data ).zip (RAR archive)
dcf420c6f330197301d38aa3eeb345bb81862edb740d2b580aca28b882423532  s.bat
5f932d3838ab88a0347c247b3251f9890f5e6b6c5a0d077fd65ab9cfb685f305  ps_SVzeei5v.ps1
0a0aa05a97d0eedbeb2a6fa2fe10054385c53b99712918cda45b9d2c0b4196fb  donut_shellcode.bin
198f2767f04680098a037ac03c089e3d400dc63e7d276b36eebbebed4e85e067  Client.exe (Quasar RAT)
Network
91.92.243.10[:]4783  C2 server and port