WinRAR Zero-Day Vulnerability Exploited by Cybercrime Groups

A zero-day vulnerability in WinRAR, the widely used file compression tool, has been exploited in the wild by two Russia-linked threat groups before a patch was available. ESET uncovered the activity. The attacks arrive as malicious archives attached to spear-phishing emails; when the recipient extracts the archive, a backdoor is planted on the system without any visible sign beyond the decoy document the victim expected to see.
ESET first noticed the suspicious archives on July 18 and, by July 24, had traced the behavior to a previously unknown flaw in WinRAR, which it reported to the developers that day. WinRAR claims roughly 500 million installations worldwide, so the exposed population is large. A fixed build, version 7.13, was released on July 30, six days after the report.
The exploit abuses NTFS alternate data streams (ADS). A RAR archive can carry ADS entries alongside a regular file, and vulnerable WinRAR versions used the stream name when building the output path without checking it for traversal. By embedding `..\` sequences in the stream name, the attacker makes WinRAR write files outside the folder the user chose to extract into. The archives observed in the wild dropped DLL payloads into %TEMP% and %LOCALAPPDATA% and a shortcut into the user's Startup folder, so the backdoor launches at the next logon; none of these locations is protected, which is exactly why they are useful to the attacker. ESET attributed this exploitation to the RomCom group, and the flaw is tracked as CVE-2025-8088.
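The check that a hardened extractor needs at this point is shown below as an added example; it is not WinRAR's code, and the extraction directory and the archive entries are constructed for the demonstration. Entry names are resolved against the extraction root before anything is written, and ADS names are refused unless they are bare identifiers with no path separators, which closes the traversal-via-stream-name route described above. `ntpath` is used so that Windows path semantics apply even when the script runs on Linux or macOS.

```python
"""Hardened output-path check for an archive extractor (added example).

Not WinRAR's code. EXTRACT_ROOT and SAMPLE_ENTRIES are constructed inputs
for the demonstration; ntpath gives Windows path rules on any platform.
"""
import ntpath

# Assumed extraction directory chosen by the user.
EXTRACT_ROOT = r"C:\Users\victim\Downloads\unpacked"

# Constructed entries as (file name in archive, ADS name or None).
# Entry 3 mimics the traversal pattern: the stream name, not the file name,
# carries the "..\" hops toward the Startup folder.
SAMPLE_ENTRIES = [
    ("report.pdf", None),
    ("report.pdf", "Zone.Identifier"),  # benign ADS a browser adds to downloads
    ("notes.txt", r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    (r"..\..\evil.exe", None),            # classic traversal in the file name
    (r"C:\Windows\Temp\drop.dll", None),  # absolute path smuggled into the entry
]


def resolve_inside_root(root, relative):
    """Return the normalised absolute target if it stays inside root, else None.

    A ':' in an entry name is refused outright: on NTFS it would start a
    stream specification, and archive entries must be plain relative paths.
    """
    if ":" in relative:
        return None
    root_abs = ntpath.normpath(root)
    # normpath collapses "..", so a traversal resolves to its real destination.
    target = ntpath.normpath(ntpath.join(root_abs, relative))
    prefix = root_abs.rstrip("\\") + "\\"
    # NTFS is case-insensitive, so compare case-folded strings.
    if target.casefold().startswith(prefix.casefold()):
        return target
    return None


def safe_stream_name(stream):
    """An ADS name must be a bare identifier: no separators, no nested colon."""
    if stream is None:
        return True
    return stream not in ("", ".", "..") and not any(c in stream for c in "\\/:")


def classify(root, entries):
    """Decide, per entry, whether an extractor may write it and where."""
    results = []
    for name, stream in entries:
        target = resolve_inside_root(root, name)
        if target is None:
            results.append((name, stream, "reject: entry path leaves extraction root", None))
        elif not safe_stream_name(stream):
            results.append((name, stream, "reject: stream name carries a path", None))
        else:
            final = target if stream is None else f"{target}:{stream}"
            results.append((name, stream, "ok", final))
    return results


if __name__ == "__main__":
    for name, stream, verdict, final in classify(EXTRACT_ROOT, SAMPLE_ENTRIES):
        print(f"{verdict:42} {name!r} stream={stream!r} -> {final}")
```

Run as-is, the script accepts the two `report.pdf` entries and rejects the other three. Note that a real extractor also has to cope with symlinks and junctions created earlier in the same archive, which a string-level check like this one cannot see; that is a separate class of traversal and needs a check against the resolved filesystem path at write time.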
RomCom's track record of zero-day use shows a group able to invest real resources in its operations. The goal of these attacks is a persistent foothold: the dropped payloads go on to establish persistence and load a backdoor, in some of the observed chains through COM hijacking, where a malicious DLL is registered under a COM class identifier so that a legitimate process loads it.
RomCom was not acting alone. A separate group tracked as Paper Werewolf, also known as GOFFEE, exploited the same flaw, sending phishing emails that posed as reputable institutions and carried malware-laden archives. The two campaigns were investigated by different firms, and whether the groups shared the exploit or obtained it from a common source remains speculative.
The case reopens the broader question of WinRAR as a malware delivery vector. Beyond its enormous install base, the tool has no automatic update mechanism, so every user or administrator must fetch and apply critical patches by hand, and the affected code also ships as UnRAR.dll and the command-line RAR and UnRAR tools bundled into other Windows software. Anyone running WinRAR on Windows should upgrade to version 7.13 without delay; it closes CVE-2025-8088 and also contains the fix for the earlier path-traversal flaw CVE-2025-6218 that was patched in 7.12.