Russian Cybercrime Groups Exploit WinRAR Zero-Day Vulnerability

by Tekmono Editorial Team
12/08/2025
in News

A high-severity zero-day vulnerability in the widely used WinRAR file compression utility, identified as CVE-2025-8088, has been actively exploited by two Russian cybercrime groups to backdoor computers.

The vulnerability, which was first detected by ESET on July 18, allowed malicious executables to be planted in attacker-chosen file paths, specifically %TEMP% and %LOCALAPPDATA%, due to a path traversal flaw that leveraged alternate data streams, a Windows feature. ESET determined the activity was linked to an unknown vulnerability in WinRAR by July 24 and promptly notified the developers, leading to a fix being released six days later. WinRAR boasts an installed base of approximately 500 million users.
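As an added, defender-side illustration of the entry-name pattern described above (this is not code from the article, ESET or WinRAR), the following pre-extraction check flags archive entries whose names use Windows alternate data stream syntax to carry a path traversal; the sample entry names are constructed test data, not real archive contents.

```python
# Added example, not code from the article, ESET or WinRAR: a pre-extraction filter
# for archive entry names that use Windows alternate data stream (ADS) syntax,
# "file:stream", to smuggle a path traversal, the pattern the article describes
# for CVE-2025-8088. SAMPLE_ENTRIES is constructed test data.
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    entry: str
    reason: str

def split_ads(entry):
    """Split 'name:stream' into (name, stream); 'C:\\...' is a drive, not an ADS."""
    head, sep, tail = entry.partition(":")
    if not sep or (len(head) == 1 and head.isalpha() and tail[:1] in ("\\", "/")):
        return entry, None
    return head, tail

def escapes_root(rel):
    """True if writing `rel` beneath an extraction directory can land outside it."""
    p = PureWindowsPath(rel.replace("/", "\\"))
    if p.drive or p.root:  # absolute or rooted path
        return True
    depth = 0
    for part in p.parts:
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction directory
                return True
        elif part != ".":
            depth += 1
    return False

def inspect_entry(entry):
    """Return a Finding for a suspicious entry name, or None if it looks benign."""
    name, stream = split_ads(entry)
    if escapes_root(name):
        return Finding(entry, "entry name escapes the extraction directory")
    if stream is None:
        return None
    if escapes_root(stream) or any(c in stream for c in "\\/"):
        return Finding(entry, "ADS stream name carries path components")
    return Finding(entry, "entry carries an alternate data stream")  # rare in real archives

def inspect_archive(entries):
    return [f for e in entries if (f := inspect_entry(e)) is not None]

SAMPLE_ENTRIES = ["docs/report.pdf", "../../outside.exe",  # constructed test data
                  "report.pdf:..\\..\\payload", "note.txt:Zone.Identifier"]
```

Run `inspect_archive` over an archive's entry list before extraction; any entry with an ADS stream, and especially one whose stream name contains `..` or a separator, should be quarantined rather than unpacked.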

ESET attributed these attacks to RomCom, a financially motivated cybercrime group operating out of Russia. Anton Cherepanov, Peter Strýček, and Damien Schaeffer of ESET noted, “By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations. This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks.”

However, RomCom was not the sole group exploiting CVE-2025-8088. Russian security firm BI.ZONE reported that the same vulnerability was also being actively exploited by a group it tracks as Paper Werewolf, also known as GOFFEE. This group was simultaneously exploiting CVE-2025-6218, another high-severity WinRAR vulnerability that had been patched five weeks before the fix for CVE-2025-8088 was released. BI.ZONE stated that Paper Werewolf delivered exploits in July and August through archives attached to emails impersonating employees of the All-Russian Research Institute, with the ultimate goal of installing malware to gain access to infected systems.

ESET observed three distinct execution chains in the attacks it monitored. One chain involved executing a malicious DLL file hidden in an archive via COM hijacking, causing the DLL to be executed by certain applications, such as Microsoft Edge. The DLL would decrypt embedded shellcode, which then retrieved the current machine’s domain name and compared it with a hardcoded value. If they matched, the shellcode installed a custom instance of the Mythic Agent exploitation framework.

A second execution chain involved running a malicious Windows executable to deliver SnipBot, a known piece of RomCom malware, as the final payload. This malware incorporated anti-analysis techniques, terminating when opened in an empty virtual machine or sandbox. The third execution chain utilized two other known RomCom malware variants: RustyClaw and Melting Claw.

WinRAR vulnerabilities have a history of being exploited for malware installation. A code-execution vulnerability from 2019 saw widespread exploitation shortly after being patched. More recently, in 2023, a WinRAR zero-day was exploited for over four months before the attacks were detected. WinRAR’s large user base, combined with its lack of an automated update mechanism, makes it an ideal vehicle for malware propagation. ESET highlighted that the Windows versions of the UnRAR command-line utility and UnRAR.dll, as well as the portable UnRAR source code, are also vulnerable.

Users are advised to update to WinRAR version 7.13 or later, which includes fixes for all known vulnerabilities. However, given the recurrent nature of WinRAR zero-days, this provides limited assurance against future threats.
