WinRAR Zero-Day Exploited by Cybercriminal Groups

A critical zero-day vulnerability in the popular WinRAR file compression tool has been actively exploited by two cybercriminal groups based in Russia. These attacks involve backdooring computers that open malicious archives, which are often distributed via personalized phishing emails. The vulnerability was first identified by security company ESET through their telemetry, and a fix was quickly issued by WinRAR developers.

The vulnerability is a path traversal flaw that abuses a Windows NTFS feature known as alternate data streams, allowing attackers to plant malware in user-profile directories such as %TEMP% and %LOCALAPPDATA% rather than the folder the user chose for extraction. The exploitation was attributed to RomCom, a financially motivated group known for its sophisticated tactics and repeated use of zero-day vulnerabilities.
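As an added illustration of the defensive check this flaw calls for (example code written for this page, not ESET's or WinRAR's), the audit below inspects archive entry names for the two ingredients the attack combines: an NTFS alternate-data-stream suffix (`file:stream`) and a path that climbs out of the extraction root. The sample listing is constructed, and the exact naming used by the real malicious archives is an assumption.

```python
"""Flag archive entry names whose ADS suffix or ".." components would make an
extractor write outside the folder the user chose."""
import re

# A drive-letter prefix such as "C:\" is an absolute path, not an ADS marker.
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")

def split_ads(name: str):
    """Return (file_part, stream_part). On NTFS, "file.txt:stream" names a
    data stream hidden behind file.txt; an extractor that honours the colon
    may treat the stream text as a second path, so it is checked separately."""
    prefix = name[:2] if _DRIVE.match(name) else ""
    body = name[len(prefix):]
    if ":" in body:
        file_part, stream_part = body.split(":", 1)
        return prefix + file_part, stream_part
    return name, None

def escapes_root(path: str) -> bool:
    """True if the path is absolute or its ".." components climb above the
    extraction root at any point (a later subfolder does not undo an escape)."""
    p = path.replace("\\", "/")
    if p.startswith("/") or _DRIVE.match(path):
        return True
    depth = 0
    for part in p.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False

def audit_entry(name: str) -> list:
    """Findings for one entry: "ads" if a stream suffix is present,
    "escapes_root" if the file part or the stream part leaves the root."""
    findings = []
    file_part, stream_part = split_ads(name)
    if stream_part is not None:
        findings.append("ads")
    if escapes_root(file_part) or (stream_part and escapes_root(stream_part)):
        findings.append("escapes_root")
    return findings

def audit_archive(names) -> dict:
    """Map each suspicious entry name to its findings; clean names are omitted."""
    return {n: f for n in names if (f := audit_entry(n))}

# Constructed sample listing (not taken from a real archive): a benign file, a
# plain traversal entry, and an ADS entry whose stream name carries traversal.
SAMPLE = ["invoice.pdf", "..\\..\\payload.dll",
          "invoice.pdf:..\\..\\..\\AppData\\Local\\Temp\\payload.dll"]
```

Run `audit_archive(SAMPLE)` over a real listing (from your archive library of choice) to get only the entries worth blocking or alerting on; a benign archive yields an empty dict.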

RomCom was not acting alone. Another group, identified as Paper Werewolf by security firm Bi.ZONE, also exploited the same vulnerability, alongside another critical one known as CVE-2025-6218. Their campaigns included archives disguised as official communications, aiming to install malicious software on targeted systems.

ESET's research revealed three distinct execution chains in these attacks. One method involved COM hijacking to execute a malicious DLL file, which then deployed the Mythic Agent exploitation framework. Another chain utilized a Windows executable to deploy SnipBot malware, while a third chain distributed other RomCom-associated malware, RustyClaw and Melting Claw.

WinRAR's history with vulnerabilities highlights the risks posed by its broad usage and the lack of an automated update mechanism for users. Past incidents have shown that WinRAR is often targeted for distributing malware. Users are urged to update to the latest version, 7.13, which includes essential security patches, though caution remains necessary due to the potential for undiscovered vulnerabilities.