A high-severity zero-day in the widely used WinRAR file compressor is under active exploitation by two Russian cybercrime groups. The attacks backdoor computers that open malicious archives attached to phishing messages, some of which are personalized.
Security firm ESET said Monday that it first detected the attacks on July 18, when its telemetry spotted a file in an unusual directory path. By July 24, ESET determined that the behavior was linked to the exploitation of an unknown vulnerability in WinRAR, a utility for compressing files and has an installed base of about 500 million. ESET notified WinRAR developers the same day, and a fix was released six days later.
Serious effort and resources
The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen files paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.
ESET said it has determined that the attacks came from RomCom, its tracking designation for a financially motivated crime group operating out of Russia. The well-resourced group has been active for years in attacks that showcase its ability to procure exploits and execute fairly sophisticated tradecraft. The zero-day the group used is now being tracked as CVE-2025-8088.
“By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations,” ESET’s Anton Cherepanov, Peter Strýček, and Damien Schaeffer wrote. “This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks.”
Oddly, RomCom wasn’t the only group exploiting CVE-2025-8088. According to Russian security firm Bi.ZONE, the same vulnerability was being actively exploited by a group it tracks as Paper Werewolf. Also tracked as GOFFEE, the group was also exploiting CVE-2025-6218, a separate high-severity WinRAR vulnerability that received a fix five weeks before CVE-2025-8088 was patched.
BI.ZONE said the Paper Werewolf delivered the exploits in July and August through archives attached to emails impersonating employees of the All-Russian Research Institute. The ultimate goal was to install malware that gave Paper Werewolf access to infected systems.
While the discoveries by ESET and BI.ZONE were independent of each other, it’s unknown if the groups exploiting the vulnerabilities are connected or acquired the knowledge from the same source. BI.ZONE speculated that Paper Werewolf may have procured the vulnerabilities in a dark market crime forum.
ESET said the attacks it observed followed three execution chains. One chain, used in attacks targeting a specific organization, executed a malicious DLL file hidden in an archive using a method known as COM hijacking that caused it to be executed by certain apps such as Microsoft Edge. It looked like this:
The DLL file in the archive decrypted embedded shellcode, which went on to retrieve the domain name for the current machine and compare it with a hardcoded value. When the two matched, the shellcode installed a custom instance of the Mythic Agent exploitation framework.
A second chain ran a malicious Windows executable to deliver a final payload installing SnipBot, a known piece of RomCom malware. It blocked some attempts at being forensically analyzed by terminating when opened in an empty virtual machine or sandbox, a practice common among researchers. A third chain made use of two other known pieces of RomCom malware, one known as RustyClaw and the other Melting Claw.
WinRAR vulnerabilities have previously been exploited to install malware. One code-execution vulnerability from 2019 came under wide exploitation in 2019 shortly after being patched. In 2023, a WinRAR zero-day was exploited for more than four months before the attacks were detected.
Besides its massive user base, WinRAR makes a perfect vehicle for spreading malware because the utility has no automated mechanism for installing new updates. That means users must actively download and install patches on their own. What's more, ESET said Windows versions of the command line utilities UnRAR.dll and the portable UnRAR source code are also vulnerable. People should steer clear of all WinRAR versions prior to 7.13, which, at the time this post went live, was the most current. It has fixes for all known vulnerabilities, although given the seemingly unending stream of WinRAR zero-days, it isn’t much of an assurance.
Finland charges crew of Baltic tanker with ties to Russia over undersea cable damage