Critical WinRAR Zero-Day Exploited by Cybercrime Groups

A severe zero-day vulnerability in the widely used WinRAR archiver was exploited in the wild by two threat groups before a patch existed, leading to compromised Windows systems. The attacks delivered malicious RAR archives through phishing emails, some of them tailored to the individual target; simply extracting the archive was enough to plant the payload.
ESET first noticed the unusual archives in its telemetry on July 18 and traced the behaviour to a previously unknown vulnerability in WinRAR.
ESET confirmed active exploitation and reported the flaw to WinRAR's developers on July 24; a fixed build followed six days later, on July 30. The exposure is broad because WinRAR claims an installed base of roughly 500 million users.
The vulnerability is a path traversal that abuses NTFS alternate data streams (ADS), a filesystem feature that lets a file carry additional named streams of data alongside its main content. WinRAR validated the primary file name of an archive entry but not the stream names attached to it, so a crafted archive could make the extractor write files outside the directory the user chose. In the observed attacks this dropped a malicious DLL into %TEMP% or %LOCALAPPDATA% and a shortcut into the user's Startup folder, giving the attacker code execution at the next logon.
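The following is an added illustration of that check, not WinRAR's code or ESET's sample: a simplified extractor model in which a traversal check applied only to an entry's primary file name passes an entry whose ADS name carries `..\` segments, while a check that validates every name influencing the write location rejects it. The archive entries, destination path and payload names are constructed for the example.

```python
"""
Added example (not WinRAR's implementation): contrast a traversal check that
covers only an entry's primary file name with one that also validates the
NTFS alternate data stream (ADS) name attached to the entry.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional, Tuple

# Constructed archive entries in the style the page describes. An entry is
# (primary file name, ADS stream name or None). The traversal depth, directory
# names and payload names are invented for this illustration.
CONSTRUCTED_ENTRIES = [
    ("Invoice.pdf", None),
    ("Invoice.pdf", "..\\..\\..\\AppData\\Local\\Temp\\loader.dll"),
    ("Invoice.pdf",
     "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
     "\\Programs\\Startup\\update.lnk"),
    ("..\\evil.exe", None),
]

# Hypothetical extraction directory chosen by the user.
DESTINATION = PureWindowsPath(r"C:\Users\victim\Downloads\extract")


def has_traversal(path_text: str) -> bool:
    """True if a path is absolute, rooted, carries a drive, or climbs with '..'.

    PureWindowsPath keeps '..' as a literal component instead of collapsing
    it, so inspecting .parts is a reliable way to spot climbing.
    """
    p = PureWindowsPath(path_text)
    return p.is_absolute() or p.drive != "" or p.root != "" or ".." in p.parts


def naive_is_safe(name: str, stream: Optional[str]) -> bool:
    """Vulnerable pattern: the stream name is treated as an opaque suffix
    appended after ':' and never inspected, so only the file name is checked."""
    return not has_traversal(name)


def strict_is_safe(name: str, stream: Optional[str]) -> bool:
    """Hardened pattern: validate every name that decides where bytes land,
    then confirm the final target is contained in the destination."""
    if has_traversal(name):
        return False
    if stream is not None:
        # A stream name must be a single plain component: no empty or dot
        # names, no separators, no drive or nested ':' that could smuggle
        # a second path, and no '..' segments.
        if stream in ("", ".", ".."):
            return False
        if any(ch in stream for ch in "\\/:"):
            return False
        if has_traversal(stream):
            return False
    target = DESTINATION / name
    return target == DESTINATION or DESTINATION in target.parents


def audit(entries: Iterable[Tuple[str, Optional[str]]]
          ) -> Dict[Tuple[str, Optional[str]], Tuple[bool, bool]]:
    """Map each entry to (naive verdict, strict verdict)."""
    return {e: (naive_is_safe(*e), strict_is_safe(*e)) for e in entries}


def missed_by_naive(entries: Iterable[Tuple[str, Optional[str]]]) -> int:
    """Count entries the naive check accepts but the strict check rejects."""
    return sum(1 for n, s in audit(entries).values() if n and not s)


if __name__ == "__main__":
    for (name, stream), (naive, strict) in audit(CONSTRUCTED_ENTRIES).items():
        label = name + (":" + stream if stream else "")
        print(f"naive={naive!s:5} strict={strict!s:5}  {label}")
```

Run it and the two ADS entries show the failure mode: the naive check accepts them because `Invoice.pdf` itself is harmless, while the strict check rejects them on the stream name alone. A benign stream such as `Zone.Identifier` still passes the strict check, so the hardening does not break legitimate archives that carry ADS metadata.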
ESET attributed the attacks to RomCom, a Russia-aligned group known for both financially motivated intrusions and targeted espionage, and one that has used zero-day vulnerabilities in its operations before. The flaw is now tracked as CVE-2025-8088.
RomCom was not alone in exploiting CVE-2025-8088. Security firm BI.ZONE reported that another group, Paper Werewolf (also tracked as GOFFEE), was leveraging the same vulnerability as well as CVE-2025-6218, an earlier WinRAR path-traversal flaw fixed in version 7.12. Paper Werewolf sent its malicious archives in emails impersonating legitimate organisations with the aim of gaining a foothold on the recipient's system.
The attacks observed by ESET used three distinct execution chains. One relied on COM hijacking to load a malicious DLL dropped from the archive, ultimately installing a custom agent for the Mythic command-and-control framework. Another deployed a variant of SnipBot, a known RomCom backdoor, with an added anti-analysis check: it inspects the number of recently opened documents on the host and exits on machines that look like analysis sandboxes.
WinRAR vulnerabilities have served as a malware delivery channel before. The risk is compounded by the fact that WinRAR has no automatic update mechanism: users must notice that a fix exists, download the new build and install it themselves. The affected components are WinRAR, the Windows versions of RAR and UnRAR, the portable UnRAR source and UnRAR.dll; the Unix versions and RAR for Android are not affected.
ESET advises updating to WinRAR 7.13 or later, the release that fixes CVE-2025-8088. Because other software may bundle its own copy of UnRAR.dll, those products need updating independently of the WinRAR application itself.