BREAKINGON

Critical WinRAR Zero-Day Exploit: Russian Cybercriminals Strike Again

8/11/2025
A severe zero-day vulnerability in WinRAR is being exploited by Russia-linked groups, putting millions of users at risk. Here is how the attacks work and what you can do to protect yourself.

High-Severity Zero-Day Vulnerability in WinRAR Under Active Exploitation

A high-severity zero-day vulnerability in the widely used WinRAR archiver is being exploited by two Russia-linked groups. The flaw lets attackers plant a backdoor on any computer whose user extracts a malicious archive, delivered in phishing emails that in some cases are tailored to a specific target. Security firm ESET reported on Monday that it first spotted the attacks on July 18, when its telemetry flagged a suspicious file in an unusual directory path.

Discovery and Response to the WinRAR Vulnerability

By July 24, ESET had traced the behavior to a previously unknown vulnerability in WinRAR, which has an installed base of roughly 500 million users. ESET notified the developer, win.rar GmbH, the same day, and a fixed version, WinRAR 7.13, was released six days later, on July 30. The flaw is tracked as CVE-2025-8088 and rated high severity.

Technical Details of the Exploit

The vulnerability involves NTFS alternate data streams (ADS), a file-system feature that lets a single file carry additional named data streams, addressed as file.txt:streamname, which WinRAR can store in and restore from archives. The attackers built archives whose stream names contained path-traversal sequences (..\), so that on extraction WinRAR wrote attacker-controlled executables to locations outside the extraction directory, such as %TEMP% and %LOCALAPPDATA%, from which they could later be run. An archive extractor is expected to confine every file it writes to the directory the user chose; one that can be steered elsewhere turns extracting an archive into an arbitrary file write, which on Windows is readily converted into code execution.
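To make the class of bug concrete, the following is an added example modelling the check an extractor must apply to every entry. It is not WinRAR's code (which is closed source) and not ESET's; the extraction directory and archive listing are constructed. Entry names use the NTFS `file:stream` form; `naive_is_safe` validates only the file part and ignores the stream name, which is the kind of gap an ADS traversal exploits, while `hardened_is_safe` also refuses stream names that carry path syntax. Python's `ntpath` module supplies the Windows path canonicalisation, so the model runs on any operating system.

```python
"""Added example (not WinRAR's code, not ESET's): a model of the path check an
archive extractor must apply to every entry, including NTFS alternate data
stream (ADS) entries named 'file:stream'.

naive_is_safe    validates the file part only and never looks at the stream
                 name, the class of mistake behind an ADS path traversal.
hardened_is_safe validates the file part and requires the stream name to be a
                 bare stream name with no path syntax.

Paths are handled with ntpath, so Windows semantics are modelled on any OS.
The extraction directory and listing below are constructed, not from a real archive.
"""
import ntpath

DEST = r"C:\Users\victim\Downloads\extract"            # constructed target directory
SAMPLE_LISTING = [                                       # constructed archive listing
    "Invoice_July.pdf",
    "notes\\readme.txt",
    "Invoice_July.pdf:Zone.Identifier",                  # benign ADS (mark-of-the-web)
    "Invoice_July.pdf:..\\..\\..\\AppData\\Local\\Temp\\update.dll",  # traversal in a stream name
]


def split_ads(entry_name):
    """Return (file_part, stream_part) for 'file:stream', or (name, None).

    Only a ':' after any drive letter counts as the ADS separator, so
    'C:\\x' is a drive path while 'x.txt:evil' is a stream.
    """
    drive, rest = ntpath.splitdrive(entry_name)
    if ":" in rest:
        file_part, stream = rest.split(":", 1)
        return drive + file_part, stream
    return entry_name, None


def _stays_inside(dest, relative):
    """True if dest\\relative canonicalises to a path strictly under dest."""
    if ntpath.isabs(relative) or ntpath.splitdrive(relative)[0]:
        return False                      # absolute or drive-relative name
    dest_norm = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, relative)))
    return target.startswith(dest_norm + "\\")


def naive_is_safe(dest, entry_name):
    """Vulnerable model: checks the file part, ignores the stream name."""
    file_part, _stream = split_ads(entry_name)
    return _stays_inside(dest, file_part)


def hardened_is_safe(dest, entry_name):
    """Checks the file part and refuses stream names that carry path syntax."""
    file_part, stream = split_ads(entry_name)
    if not _stays_inside(dest, file_part):
        return False
    if stream is not None:
        if stream.upper().endswith(":$DATA"):          # explicit stream type is fine
            stream = stream[:-len(":$DATA")]
        if not stream or stream in (".", "..") or any(c in stream for c in "\\/:"):
            return False
    return True


def flag_entries(dest, names):
    """Entries a hardened extractor would refuse to write."""
    return [n for n in names if not hardened_is_safe(dest, n)]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name!r:68} naive={naive_is_safe(DEST, name)!s:5} "
              f"hardened={hardened_is_safe(DEST, name)}")
    print("refused:", flag_entries(DEST, SAMPLE_LISTING))
```

Run against the sample listing, the naive check accepts all four entries while the hardened check refuses only the one whose stream name walks out of the extraction directory. The same `flag_entries` logic can be pointed at the name column of any archive listing to triage a suspicious attachment before anyone extracts it.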

Identification of Cybercrime Groups

ESET attributed the attacks to RomCom (also tracked as Storm-0978, Tropical Scorpius and UNC2596), a Russia-aligned group that has run both financially motivated and espionage operations for several years and is well enough resourced to acquire working exploits. This is at least the third time RomCom has used a zero-day in the wild, after CVE-2023-36884 in Microsoft Office in 2023 and a Firefox and Windows exploit chain (CVE-2024-9680 and CVE-2024-49039) in 2024.

Competing Exploitations by Paper Werewolf

RomCom is not the only group exploiting CVE-2025-8088. According to the Russian security firm Bi.ZONE, a group called Paper Werewolf, also known as GOFFEE, has been exploiting the same vulnerability, alongside CVE-2025-6218, a separate high-severity path-traversal flaw in WinRAR that was patched in version 7.12 about five weeks before CVE-2025-8088 was discovered. Bi.ZONE reported that Paper Werewolf delivered the exploits in email attachments impersonating employees of the All-Russian Research Institute, with the goal of installing malware that gives the attackers remote access to infected systems.

Independent Discoveries and Speculations

ESET and Bi.ZONE reached their findings independently, and it is not known whether the two groups are connected or simply obtained the exploit from a common source. Bi.ZONE speculated that Paper Werewolf may have bought the exploits on a dark-web crime forum.

Execution Chains and Malware Delivery

ESET said the attacks it observed followed three distinct execution chains. One chain, aimed at a single organization, dropped a malicious DLL from the archive and arranged for it to be loaded through COM hijacking, so that a legitimate application such as Microsoft Edge executed it. The DLL decrypted embedded shellcode, read the machine's domain name and compared it with a hard-coded value; only on a match did the shellcode install a customized agent for Mythic, an open-source command-and-control framework. That domain check means the payload does nothing on an analyst's machine or in a sandbox joined to a different domain, which is worth keeping in mind when a sample appears inert.

The second chain ran a malicious Windows executable whose final payload was SnipBot, a known RomCom backdoor. SnipBot carries anti-analysis checks and terminates itself when it detects that it is running in a virtual machine or sandbox, the environments security researchers routinely use to examine samples.

The third chain used two further known RomCom malware families, RustyClaw and MeltingClaw. Three separate delivery chains behind one exploit show how much RomCom invested in this vulnerability.

Historical Context of WinRAR Vulnerabilities

WinRAR flaws have a track record of being exploited to distribute malware. A 2019 code-execution bug, CVE-2018-20250 in the handler for the ACE archive format, was exploited widely shortly after it was patched, and in 2023 the zero-day CVE-2023-38831 was exploited for more than four months before it was discovered. WinRAR has no automatic update mechanism: users must notice a new release, download it and install it themselves, so vulnerable copies linger for years, which makes the software an attractive vehicle for malware delivery.

Recommendations for WinRAR Users

ESET advises against using any version of WinRAR earlier than 7.13, which as of publication is the latest release and fixes all known vulnerabilities. Note that the Windows versions of the RAR and UnRAR command-line tools, the UnRAR.dll library and the portable UnRAR source code are also affected by CVE-2025-8088 and must be updated as well; the Unix versions and RAR for Android are not affected. Because WinRAR will not update itself, check the installed version (Help > About WinRAR) and install 7.13 manually. Given the steady stream of WinRAR zero-days, keeping the software current should be a standing task rather than a one-off.
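Since WinRAR has to be checked by hand, the following added example (not ESET's or WinRAR's code) maps an installed version to the two 2025 CVEs discussed on this page and, on Windows, reads the installed version from the registry so the check can be run across a fleet. The fix versions (7.12 for CVE-2025-6218, 7.13 for CVE-2025-8088) come from the WinRAR release notes; the registry key name "WinRAR archiver" is an assumption based on a default installation.

```python
"""Added example, not ESET's or WinRAR's code: map an installed WinRAR version
to the two 2025 WinRAR CVEs discussed on this page, and on Windows read the
installed version from the registry so the check can be run across a fleet.

Fix versions come from the WinRAR release notes: CVE-2025-6218 fixed in 7.12,
CVE-2025-8088 fixed in 7.13. The uninstall key name ('WinRAR archiver') is an
assumption based on a default install; adjust it if your deployment differs.
"""
import re
import sys

FIXED_IN = {
    "CVE-2025-6218": (7, 12),
    "CVE-2025-8088": (7, 13),
}

# Assumed location of WinRAR's Add/Remove Programs entry on a default install.
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver"


def parse_version(text):
    """'7.12', 'WinRAR 7.01', '7.13 beta 1' -> (major, minor) as integers.

    WinRAR minors are two digits, so '7.01' must sort below '7.10'; comparing
    the text as a float would get that wrong.
    """
    m = re.search(r"(\d+)\.(\d{1,2})", text)
    if not m:
        raise ValueError(f"no WinRAR version number in {text!r}")
    return int(m.group(1)), int(m.group(2))


def affected_cves(version_text):
    """CVEs whose fix version is newer than the installed version."""
    installed = parse_version(version_text)
    return [cve for cve, fixed in FIXED_IN.items() if installed < fixed]


def installed_winrar_version():
    """Windows only: DisplayVersion from WinRAR's uninstall entry, else None.

    Tries the 64-bit and 32-bit registry views, since either install may be present.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library, present only on Windows
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_KEY, 0,
                                winreg.KEY_READ | view) as key:
                value, _kind = winreg.QueryValueEx(key, "DisplayVersion")
                return str(value)
        except OSError:
            continue
    return None


def report(version_text):
    """One-line verdict suitable for an inventory script's output."""
    cves = affected_cves(version_text)
    if not cves:
        return f"WinRAR {version_text}: not affected by {', '.join(FIXED_IN)}"
    return f"WinRAR {version_text}: update to 7.13 (affected by {', '.join(cves)})"


if __name__ == "__main__":
    version = installed_winrar_version()
    if version is None:
        version = "7.12"  # constructed sample when not on Windows or WinRAR is absent
    print(report(version))
```

On a Windows host the script reports the real installed version; elsewhere it falls back to a constructed sample so the logic can still be exercised. A machine on 7.12 is reported as still exposed to CVE-2025-8088 even though it already has the fix for CVE-2025-6218, which is exactly the gap Paper Werewolf was exploiting.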

© Copyright 2025 BreakingOn. All rights reserved.