Critical WinRAR 0-day Exploited by Cybercrime Groups

A recently disclosed high-severity zero-day vulnerability in the widely used WinRAR archiving utility has been exploited in the wild by two threat groups, RomCom, which ESET tracks as Russia-aligned, and Paper Werewolf. The attackers install backdoors on victims' computers by sending malicious archives as attachments to phishing emails, some of them tailored to the individual recipient.

ESET first saw the attacks on July 18, when an unusual file path showed up in its telemetry. By July 24 the company had traced the behavior to an unpatched vulnerability in WinRAR, whose developers put its installed base at roughly 500 million users. ESET promptly reported the flaw to WinRAR's developers, and a fixed build, WinRAR 7.13, followed six days later, on July 30.

Complex Exploitation Techniques

The vulnerability is a path traversal flaw that abuses NTFS alternate data streams (ADS). An archive entry can carry a stream name containing `..\` sequences, so that when the victim extracts the archive, WinRAR writes the stream's contents outside the chosen extraction folder and into a location of the attacker's choosing, such as %TEMP% or %LOCALAPPDATA%. Because those directories are where Windows and many applications stage and load executable content, dropping a file there is the step that turns an archive extraction into code execution.
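Added example, written for this page rather than taken from ESET's research or WinRAR's source: a small Python model of the bug class described above. A naive check validates only the file name before the ADS colon, while the hardened check resolves the whole entry name and refuses stream names that carry separators or `..`. The extraction root and entry names are constructed samples, and the naive check illustrates the shape of the flaw, not WinRAR's actual code.

```python
"""Added example (not ESET's or WinRAR's code): modelling the bug class behind
CVE-2025-8088 with a naive and a hardened extraction-path check.

An archive entry name is written as  <file path>[:<stream name>] .  A check
that validates only the file path lets a stream name full of '..\\' escape the
extraction directory once the extractor concatenates the two.  All entry names
below are constructed samples, not taken from a real malicious archive.
"""
from __future__ import annotations

import ntpath

# Constructed extraction directory on a hypothetical victim machine.
ROOT = r"C:\Users\victim\Downloads\archive"

# Constructed entry names: the third smuggles the traversal in an ADS suffix.
SAMPLE_ENTRIES = [
    r"docs/report.pdf",
    r"..\evil.exe",
    r"invoice.pdf:..\..\..\..\AppData\Local\Temp\update.dll",
    r"C:\Windows\Temp\dropper.dll",
    r"notes.txt:Zone.Identifier",
]


def split_ads(entry: str) -> tuple[str, str | None]:
    """Split 'path:stream' into (path, stream).

    A drive-letter colon ('C:\\...') is not an ADS separator, so skip it.
    """
    start = 0
    if (len(entry) >= 2 and entry[0].isalpha() and entry[1] == ":"
            and (len(entry) == 2 or entry[2] in "\\/")):
        start = 2
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def is_within(root: str, dest: str) -> bool:
    """True if dest is root itself or lies below it (case-insensitive)."""
    r = ntpath.normcase(ntpath.normpath(root))
    d = ntpath.normcase(ntpath.normpath(dest))
    return d == r or d.startswith(r + "\\")


def resolve_destination(root: str, entry: str) -> str:
    """Where a path-concatenating extractor would actually write the entry:
    every '..' component, including those inside the stream suffix, is
    collapsed by ordinary path normalisation."""
    return ntpath.normpath(ntpath.join(root, entry))


def naive_check(root: str, entry: str) -> bool:
    """The flawed pattern: validate the file path only, then let the
    extractor write root + entry with the stream suffix still attached."""
    path, _stream = split_ads(entry)
    return is_within(root, ntpath.join(root, path))


def hardened_check(root: str, entry: str) -> bool:
    """Reject absolute paths, stream names carrying path separators or '..',
    and any entry whose fully resolved destination leaves root."""
    path, stream = split_ads(entry)
    if ntpath.isabs(path) or ntpath.splitdrive(path)[0]:
        return False
    if stream is not None and ("\\" in stream or "/" in stream or ".." in stream):
        return False
    return is_within(root, resolve_destination(root, entry))


def flagged_entries(root: str, entries: list[str]) -> list[str]:
    """Entries the hardened check refuses to extract."""
    return [e for e in entries if not hardened_check(root, e)]


def missed_by_naive_check(root: str, entries: list[str]) -> list[str]:
    """Entries the naive check accepts even though they escape root."""
    return [e for e in entries
            if naive_check(root, e)
            and not is_within(root, resolve_destination(root, e))]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e!r}: naive={naive_check(ROOT, e)} "
              f"hardened={hardened_check(ROOT, e)} -> {resolve_destination(ROOT, e)}")
```

Running the block shows the point in one line of output: the `invoice.pdf:..\..\..\..\AppData\Local\Temp\update.dll` entry passes the naive check because `invoice.pdf` is a perfectly ordinary relative name, yet its resolved destination is `C:\Users\victim\AppData\Local\Temp\update.dll`, well outside the extraction folder. The hardened check needs no knowledge of which directories are "dangerous"; it simply refuses to write anywhere the user did not point at.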

ESET attributed the attacks it observed to RomCom, a group with the resources and skill to acquire and deploy zero-days, and one that mixes targeted espionage with financially motivated operations. The vulnerability is tracked as CVE-2025-8088.

RomCom is not the only group exploiting the flaw. BI.ZONE, a Russian security firm, reported that a second group it tracks as Paper Werewolf has used the vulnerability as well, alongside CVE-2025-6218, another high-severity WinRAR directory traversal flaw that had been patched five weeks earlier in version 7.12.

Paper Werewolf reportedly posed as employees of the All-Russian Research Institute, sending emails whose attached archives carried the exploit, with the aim of installing malware and gaining unauthorized access to the recipients' systems.

Whether RomCom and Paper Werewolf share techniques or exploit code, and how each obtained the vulnerability, remains unclear; BI.ZONE speculates that knowledge of the flaw may have originated on underground marketplaces.

The attacks ESET observed used three distinct execution chains. In the first, a hidden DLL is registered through COM hijacking so that a legitimate application such as Microsoft Edge loads it. The second drops a malicious executable that installs a variant of RomCom's SnipBot backdoor. The third deploys the group's previously documented RustyClaw and Melting Claw malware.
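Added example, not ESET's tooling: a Python triage script for the COM hijacking step in the first chain. COM hijacking plants an `InprocServer32` entry under `HKCU\Software\Classes\CLSID` so that a legitimate process loads the attacker's DLL, and the user-writable drop locations named in this article (%TEMP%, %LOCALAPPDATA%) are the tell-tale. The script parses a `reg export` dump of that hive and lists per-user COM servers whose DLL lives in such a location. The `.reg` text, the GUIDs and the DLL paths are constructed samples.

```python
"""Added example (not ESET's tooling): triage a `reg export` dump of the
per-user CLSID hive for COM hijacking.

COM hijacking registers an InprocServer32 entry under
HKCU\\Software\\Classes\\CLSID so that a legitimate process loads the
attacker's DLL.  A DLL under %TEMP% or %LOCALAPPDATA% is the tell-tale.
The .reg text, GUIDs and paths below are constructed samples.
"""
from __future__ import annotations

import re

# Constructed sample of `reg export HKCU\Software\Classes\CLSID clsid.reg`
# (already decoded to str; real exports are UTF-16LE with a BOM).  GUIDs are
# placeholders, not real CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Hypothetical Browser Helper"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\msedge_helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\addin.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32]
@="%LOCALAPPDATA%\\Updater\\updater.dll"
"""

# Only InprocServer32 keys directly under the per-user CLSID hive matter here.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Path fragments a legitimate in-process COM server rarely lives under
# (normal strings, not raw, because of the trailing backslashes).
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
    "%temp%", "%tmp%", "%localappdata%", "%appdata%",
)


def unescape_reg_string(value: str) -> str:
    """Undo the .reg quoting of backslashes and double quotes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_inproc_servers(reg_text: str) -> dict[str, str]:
    """Map CLSID -> default InprocServer32 value for the HKCU CLSID hive."""
    servers: dict[str, str] = {}
    current: str | None = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            continue
        if current is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m:
            servers[current] = unescape_reg_string(m.group(1))
    return servers


def is_user_writable_path(path: str) -> bool:
    """Heuristic: does the DLL path sit under a location any user can write to?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_suspicious_com_servers(reg_text: str) -> list[tuple[str, str]]:
    """CLSIDs whose per-user InprocServer32 points into a user-writable
    directory, sorted by CLSID so the output is stable."""
    hits = [(clsid, dll) for clsid, dll in parse_inproc_servers(reg_text).items()
            if is_user_writable_path(dll)]
    return sorted(hits)


if __name__ == "__main__":
    for clsid, dll in find_suspicious_com_servers(SAMPLE_REG):
        print(f"suspicious per-user COM server {clsid} -> {dll}")
```

Treat the output as a triage list rather than a verdict: some legitimate software installs per user and registers COM servers under %LOCALAPPDATA%, so each hit still needs the DLL's signature, timestamp and the CLSID's normal HKLM owner checked. A per-user CLSID that shadows one normally served from a system directory, and whose DLL appeared at the same time as a freshly extracted archive, is the combination this article's first chain would leave behind.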

WinRAR flaws have been used to deliver malware before. Because WinRAR has no automatic update mechanism, every user must download and install the patched version themselves, so vulnerable installations linger long after a fix is published, which is what makes the program such a durable delivery vector.

ESET advises updating to WinRAR 7.13 or later. The same flaw affects the Windows versions of the RAR and UnRAR command-line tools, the portable UnRAR source code and the UnRAR.dll library, so software that bundles those components needs updating as well. Even so, the steady stream of WinRAR zero-days remains a concern for its users worldwide.