Exploitation of WinRAR Zero-Day Vulnerability by Cybercrime Groups

In recent weeks, a high-severity zero-day vulnerability in WinRAR, a widely used file compression tool, has been actively exploited by two Russian cybercrime groups. The primary mode of attack is phishing messages carrying malicious archives that compromise the system once the archive is opened.
According to security firm ESET, the initial detection of these attacks occurred on July 18, following unusual telemetry data. By July 24, ESET identified the exploitation of an undisclosed WinRAR vulnerability, which affects approximately 500 million users. Promptly after this discovery, ESET alerted WinRAR developers, leading to a fix released just six days later.
The exploit uses Windows alternate data streams (ADS) to trigger a path traversal flaw, covertly writing malicious executables into directories that are normally protected from unauthorized access. ESET has attributed these attacks to RomCom, a financially motivated cybercrime group with a known ability to acquire and deploy sophisticated exploits. The zero-day is now officially recorded as CVE-2025-8088.
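The paragraph above describes the two ingredients of the attack, a path traversal and an alternate-data-stream file name, only at a high level. The following added example (not code from the article, from ESET, or from WinRAR) shows the kind of pre-extraction name check a defender can run over archive entry names: it flags absolute and UNC paths, parent-directory components, and NTFS ADS syntax (`file:stream`). It operates on entry names as plain strings, so it works for any archive format once the caller has listed the entries; the ZIP built in memory and every entry name in it are constructed for the demonstration and do not reproduce the actual CVE-2025-8088 payload.

```python
"""
Added example: audit archive entry names before extraction.

The name check is format-agnostic; the in-memory ZIP below is only used
because the Python standard library can build one without extra packages.
All entry names are constructed for this demonstration.
"""
import io
import ntpath
import zipfile
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def _components(name: str) -> List[str]:
    """Split on both separators; archives built on Windows often store '\\'."""
    return [c for c in name.replace("\\", "/").split("/") if c not in ("", ".")]


def check_entry_name(name: str) -> Optional[Finding]:
    """Return a Finding if extracting this name could land outside the
    target directory or create an alternate data stream, else None."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("//"):
        return Finding(name, "UNC path")
    if normalized.startswith("/") or ntpath.splitdrive(name)[0]:
        # Leading separator or a drive letter such as C:
        return Finding(name, "absolute path")
    comps = _components(name)
    if ".." in comps:
        return Finding(name, "parent-directory traversal")
    # NTFS alternate data stream syntax is <file>:<stream>[:$DATA]; a colon
    # in any component means the entry would not be written as a plain file.
    for comp in comps:
        if ":" in comp:
            return Finding(name, "alternate data stream in component %r" % comp)
    return None


def audit_entries(names: Iterable[str]) -> List[Finding]:
    """Run check_entry_name over every entry and collect the hits."""
    return [f for f in map(check_entry_name, names) if f is not None]


def audit_zip_bytes(data: bytes) -> List[Finding]:
    """Audit the entry names of a ZIP held in memory (no files are extracted)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return audit_entries(zf.namelist())


def build_sample_zip() -> bytes:
    """Constructed sample: one benign entry, one traversal entry, one ADS entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"benign content")
        zf.writestr("..\\..\\dropped.exe", b"MZ-placeholder")
        zf.writestr("notes.txt:hidden.exe", b"MZ-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_zip_bytes(build_sample_zip()):
        print("BLOCK %-28s %s" % (finding.name, finding.reason))
```

In a mail gateway or sandbox this check runs on the listed entries before anything is written to disk; an archive with any finding is quarantined rather than extracted. It complements, and does not replace, upgrading WinRAR to a fixed release.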
Interestingly, RomCom is not the only actor exploiting CVE-2025-8088. A report by Russian security firm BI.ZONE shows that a group tracked as Paper Werewolf is also using the same vulnerability in its attacks. This group is known for exploiting another WinRAR vulnerability, CVE-2025-6218, through deceptive email archives.
The ultimate goal of these attacks is to install malware, thereby gaining unauthorized access to victim systems. While ESET and BI.ZONE discovered these activities independently, it remains unclear whether the exploiting groups are connected or simply purchased the vulnerabilities from the same clandestine sources.
ESET's observations describe three distinct execution chains used in these attacks. Notably, one of them hides a malicious DLL inside the archive and runs it via COM hijacking, a technique in which a legitimate application such as Microsoft Edge is induced to load the attacker's DLL.
Beyond its large user base, WinRAR's lack of an automatic update mechanism makes it an attractive target for spreading malware: users must manually download and apply updates to protect themselves against such vulnerabilities. Current recommendations include upgrading to version 7.13, which addresses the known security gaps. However, the recurring reports of zero-day vulnerabilities in WinRAR warrant continued vigilance.