Some versions of WinRAR file compression tool and Winbox software for managing MikroTik users have been tampered with to install malware serving an advanced threat actor. This campaign may have started in the second half of 2018 and continues today.
The operation has been attributed with high confidence to StrongPity, an APT-level adversary that specializes in watering hole attacks for cyber-espionage purposes.
StrongPity came to attention in 2016 when it launched websites to distribute trojanized versions of WinRAR and TrueCrypt, researchers at
Kaspersky found.
The group, also known as Promethium, has been active longer than that, though, since at least 2012, and used zero-day vulnerabilities in spearphishing attacks.