Critical WinRAR Zero-Day Exploited by Cybercrime Groups

A severe zero-day vulnerability in the popular file compression utility WinRAR has been actively exploited by two Russian cybercrime groups, impacting users who unknowingly open compromised files attached to phishing emails.

Security firm ESET identified the exploitation on July 18, after noticing a suspicious file path in its telemetry. By July 24, the issue was linked to a previously unknown vulnerability in WinRAR, software with approximately 500 million installations worldwide. WinRAR's developers were alerted immediately, and a patch was distributed within six days.

The exploit leverages alternate data streams (ADS), an NTFS feature that attaches a named stream to a file by appending it to the file path, to trigger a previously unknown path traversal flaw. The flaw lets attackers plant malicious files in locations outside the extraction directory, such as %TEMP% and %LOCALAPPDATA%, from which they can later be executed.
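A defender-side check for the archive-listing pattern described above: an entry name that carries an ADS suffix whose stream name walks up the directory tree with `..` components. This is an added example written for this article, not ESET's detection logic or WinRAR's code; the entry names are constructed and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches "<base>:<stream>" with an optional ":$DATA" type suffix,
# the way an ADS entry appears in an archive listing.
ADS_RE = re.compile(r"^(?P<base>[^:]+):(?P<stream>[^:]+)(?::\$DATA)?$")
SEP_RE = re.compile(r"[\\/]")


@dataclass
class Finding:
    entry: str
    reason: str


def has_traversal(path: str) -> bool:
    """True if any path component (either separator style) is '..'."""
    return any(part == ".." for part in SEP_RE.split(path))


def inspect_entry(name: str) -> Optional[Finding]:
    """Classify one archive entry name; None means nothing suspicious."""
    m = ADS_RE.match(name)
    if m is None:
        # No stream suffix: only a plain traversal in the name is a concern.
        if has_traversal(name):
            return Finding(name, "plain path traversal in entry name")
        return None
    base, stream = m.group("base"), m.group("stream")
    if len(base) == 1 and stream[:1] in ("\\", "/"):
        return Finding(name, "absolute drive path in entry name")
    if has_traversal(stream):
        return Finding(name, "ADS stream name contains parent-directory traversal")
    if SEP_RE.search(stream):
        # A legitimate stream name (e.g. Zone.Identifier) never holds a path.
        return Finding(name, "ADS stream name contains a path separator")
    return None


def scan_entries(names: Iterable[str]) -> List[Finding]:
    return [f for f in (inspect_entry(n) for n in names) if f is not None]


# Constructed sample listing: two benign names, one benign ADS, two bad entries.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "invoice.pdf:Zone.Identifier",
    "invoice.pdf:..\\..\\dropped.dll",
    "docs/readme.txt",
    "..\\up.txt",
]

if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"{finding.entry!r}: {finding.reason}")
```

Feed it the names from a listing tool (for example `rarfile.RarFile.namelist()`) to triage archives before extraction on an unpatched host.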

The initial attacks have been attributed to RomCom, a financially motivated group from Russia. Known for its sophisticated tradecraft and access to exploits, RomCom used this zero-day vulnerability, now tracked as CVE-2025-8088, demonstrating its significant resources and commitment to cyber operations.

Interestingly, RomCom wasn't the only actor capitalizing on CVE-2025-8088. BI.ZONE, a Russian security firm, also reported exploitation by another group known as Paper Werewolf, which simultaneously targeted a different WinRAR vulnerability, CVE-2025-6218. Paper Werewolf was detected distributing exploits through emails masquerading as official communications, with the goal of infecting systems with malware.

Despite the independent discoveries by ESET and BI.ZONE, it remains unclear whether these groups coordinated or acquired their knowledge from the same source. BI.ZONE speculated that Paper Werewolf might have sourced the vulnerabilities from dark market forums.

Attacks observed by ESET revealed three execution chains. One used COM hijacking, in which a malicious DLL dropped from the archive is loaded by a specific application, such as Microsoft Edge. This stealthy method allows attackers to install the Mythic Agent framework.

Another chain involved running a Windows executable that plants the SnipBot malware, known for its evasive maneuvers against forensic detection. The third chain incorporated RomCom malware components, namely RustyClaw and Melting Claw.

Historically, WinRAR vulnerabilities have been a catalyst for malware dissemination, as illustrated by past incidents in 2019 and again in 2023. The software's lack of an automatic update mechanism makes it an attractive target, as users must manually download and apply patches.

To safeguard against these threats, users should update to WinRAR version 7.13, which addresses all known security flaws. However, due to the persistent discovery of zero-day vulnerabilities, vigilance remains essential.