WinRAR Zero-Day Vulnerability Exploited by Cybercrime Groups

A critical zero-day vulnerability in the widely utilized WinRAR file compression software has been actively exploited by two cybercrime groups from Russia. These attacks infiltrate computers that open maliciously crafted archives attached to phishing emails, some of which are specifically tailored for individuals.
Discovery and Impact
ESET, a well-known security firm, first discovered these attacks on July 18, when unusual files appeared in uncommon directory paths. By July 24, it was confirmed that a previously unknown vulnerability in WinRAR, software with around 500 million installations, was being exploited. ESET immediately informed WinRAR's developers, and a fix was issued within six days.
The Exploit in Detail
The exploit leverages Windows' alternate data streams, using this feature to manipulate the file paths an archive entry is written to, so that malicious executables land in locations Windows would normally keep out of reach of an archive extraction, such as the %TEMP% and %LOCALAPPDATA% folders.
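As an added example (not code from the article, ESET or WinRAR), a defender-side heuristic that scans an archive's entry listing and flags entries whose alternate-data-stream name carries path traversal, the shape of path manipulation described above. The entry names are constructed for illustration; the colon-separated stream syntax is the Windows ADS naming convention.

```python
from pathlib import PureWindowsPath

# Constructed sample of archive entry names, as one might pull them from an
# archive listing. None of these come from a real malicious archive.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/logo.png",
    "report.pdf:Zone.Identifier",                            # benign ADS
    "report.pdf:..\\..\\AppData\\Local\\Temp\\update.exe",   # ADS name escapes
    "..\\..\\Temp\\dropper.exe",                             # plain traversal
]


def split_stream(entry: str):
    """Split a Windows-style entry name into (file path, ADS stream name).

    A colon separates the stream name from the file; a leading drive letter
    such as 'C:' is not a stream separator and stays with the path.
    """
    drive, body = "", entry
    if len(entry) >= 2 and entry[1] == ":" and entry[0].isalpha():
        drive, body = entry[:2], entry[2:]
    path, sep, stream = body.partition(":")
    return drive + path, (stream if sep else None)


def escapes_extraction_dir(path: str) -> bool:
    """True if a path could write outside the chosen extraction directory:
    an absolute path, a drive letter, or any '..' component."""
    p = PureWindowsPath(path.replace("/", "\\"))
    return bool(p.drive) or bool(p.root) or ".." in p.parts


def classify_entry(entry: str) -> str:
    """Return 'ok', 'ads', 'traversal' or 'ads-traversal' for one entry."""
    path, stream = split_stream(entry)
    if escapes_extraction_dir(path):
        return "traversal"
    if stream is not None:
        # The pattern to catch: the stream name itself contains separators
        # and '..', so the stream's bytes are written somewhere else entirely.
        if escapes_extraction_dir(stream) or "\\" in stream or "/" in stream:
            return "ads-traversal"
        return "ads"
    return "ok"


def flagged(entries):
    """Entries that should block extraction or trigger an alert."""
    return [e for e in entries if classify_entry(e).endswith("traversal")]
```

Extraction tools that reject such entries, and mail gateways that list archive contents before delivery, can apply the same two checks.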
Involvement of Notable Groups
RomCom, a crime group recognized for its sophisticated exploits, is among those using this vulnerability, tracked as CVE-2025-8088. This group has previously employed zero-day vulnerabilities to attack high-value targets, highlighting its capability to obtain rare exploits.
Another group, identified as Paper Werewolf by Russian security firm Bi.ZONE, is also exploiting this vulnerability alongside another WinRAR vulnerability, CVE-2025-6218, patched earlier.
Methodologies and Threats
While the exact connection between these groups remains unclear, both target systems by delivering malicious payloads through phishing. The methods involve executing a malicious DLL file via COM hijacking, which eventually installs a custom instance of the Mythic Agent exploitation framework or deploys malware such as SnipBot.
Historical Context and Current Recommendations
WinRAR vulnerabilities have been a vehicle for spreading hard-to-detect malware before, such as in the 2019 campaign that used a code-execution bug. Because WinRAR has no automatic update mechanism, users are encouraged to download updates manually to secure their systems. Upgrading to version 7.13, which fixes the known vulnerabilities, is advised, although users should remain vigilant given the recurring nature of these threats.