Critical WinRAR Zero-Day Exploited by Cybercrime Groups

For weeks, a high-severity zero-day vulnerability in WinRAR, a popular file compression utility, has been actively exploited by Russian cybercrime groups. The attackers used this flaw to backdoor computers through malicious archives in phishing emails.
ESET first detected the exploit on July 18 and by July 24 had traced it to a previously unknown weakness in WinRAR; a patch was released six days later. The vulnerability abused Windows alternate data streams, allowing attackers to place and execute code in protected locations.
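As an added, defender-side illustration (not from the ESET report or this article), the check below lists archive entry names that use the two shapes an extractor should never write: alternate data stream syntax (`name:stream`) and paths that escape the extraction directory. The entry names are constructed samples, and the generic path-containment test is included to show why it alone does not catch ADS syntax.

```python
import os
import re
from typing import Dict, List

# Constructed sample entry names, as listed from an archive before extraction.
# None of these come from a real malicious archive.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "invoice.pdf:payload.exe",           # alternate data stream syntax
    "..\\..\\AppData\\Roaming\\x.dll",   # climbs out of the extraction directory
    "C:\\Windows\\System32\\x.dll",      # absolute drive-letter path
    "images/../../startup.lnk",          # traversal hidden mid-path
]

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def suspicious_reasons(entry: str) -> List[str]:
    """Reasons an archive entry name must not be written as-is (empty if none)."""
    reasons = []
    name = entry.replace("\\", "/")          # treat both separators alike
    if DRIVE_RE.match(name):
        reasons.append("drive-letter path")
        name = name[2:]                      # drop 'C:' so a later colon means ADS
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in name.split("/"):              # exact '..' components only
        reasons.append("parent-directory traversal")
    if ":" in name:                          # 'file.ext:stream' names an ADS on NTFS
        reasons.append("alternate data stream syntax")
    return reasons


def resolves_inside(dest: str, entry: str) -> bool:
    """Generic containment check: does dest/entry normalise to a path under dest?"""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, entry.replace("\\", "/")))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def triage(entries: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; clean names are omitted."""
    flagged = {e: suspicious_reasons(e) for e in entries}
    return {e: r for e, r in flagged.items() if r}


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
    # Containment alone accepts the ADS entry; the name check is needed as well.
    print(resolves_inside("/tmp/extract", "invoice.pdf:payload.exe"))
```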
ESET attributed the attacks to RomCom, a resourceful Russian crime group known for sophisticated exploits. This zero-day is known as CVE-2025-8088, marking at least the third time RomCom leveraged a zero-day for targeted attacks.
However, RomCom wasn't alone. The group Paper Werewolf, also tracked as GOFFEE, exploited the same vulnerability, as well as CVE-2025-6218. Their objective was to deliver malware via emails posing as Russian institute employees.
The connection between RomCom and Paper Werewolf remains unconfirmed, though there is speculation that the two share a source for the exploit or buy from the same market. ESET identified several distinct attack chains, including COM hijacking, used to install malicious payloads such as the Mythic Agent framework.
Historically, WinRAR vulnerabilities have been reliable vehicles for malware. The utility's vast user base and the absence of an automatic update mechanism pose an ongoing risk. Users are advised to update to version 7.13 to mitigate the known threats.
ESET's findings highlight the persistent risk of WinRAR-based exploits and underline the importance of keeping software up to date to protect against these attacks.