Digital Event Horizon
Two Russian cybercrime groups have been exploiting a high-severity zero-day vulnerability in WinRAR for weeks, allowing them to backdoor computers when targets opened malicious archives attached to phishing messages. The attacks were first detected by security firm ESET on July 18, and a fix was released six days later. Users are advised to avoid using versions of WinRAR prior to 7.13, which has fixes for all known vulnerabilities.
Two Russian cybercrime groups exploited a zero-day vulnerability in WinRAR, allowing them to backdoor computers via phishing messages. The vulnerability (CVE-2025-8088) was previously unknown and abused alternate data streams to plant malicious executables. Financially motivated group RomCom was identified as one of the exploiters, while another group, Paper Werewolf, also used the same vulnerability. The attacks aimed to install malware giving attackers access to infected systems, including SnipBot and other known RomCom malware. ESET recommends users avoid all WinRAR versions prior to 7.13 due to various known vulnerabilities.
WinRAR, a widely used file compressor, has been exploited by two Russian cybercrime groups using a high-severity zero-day vulnerability. The attacks, which began in July 2025, backdoor computers when victims open malicious archives attached to phishing messages, some of which are personalized.
Security firm ESET first detected the attacks on July 18, when its telemetry spotted a file in an unusual directory path. By July 24, ESET determined that the behavior was linked to the exploitation of an unknown vulnerability in WinRAR. A fix was released six days later, but not before the attackers had exploited the zero-day for weeks.
The vulnerability exploited by the attackers is a previously unknown path traversal flaw that causes WinRAR to plant malicious executables in attacker-chosen file paths, %TEMP% and %LOCALAPPDATA%, rather than in the directory the user selected. The exploit abuses alternate data streams, a Windows NTFS feature that lets a single file path carry additional named data streams.
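The defensive counterpart to the flaw described above is a pre-extraction check on archive entry names. The following is an added example (not code from the article, ESET, or WinRAR) that flags entry names combining parent-directory traversal, absolute paths, or NTFS alternate-data-stream syntax, which are the ingredients the article attributes to CVE-2025-8088. The entry names in `SAMPLE_ENTRIES` are constructed for illustration, and the `classify_entry`/`unsafe_entries` names are this example's own.

```python
"""Added example (not from the article or ESET): flag archive entry names
that could write outside the chosen extraction directory.

The article describes CVE-2025-8088 as path traversal combined with NTFS
alternate data streams (ADS) so that a planted executable lands under
%TEMP% or %LOCALAPPDATA%. A defender-side check on entry names before any
file is written catches both ingredients. Sample names are constructed.
"""
import re
from dataclasses import dataclass, field

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


@dataclass
class EntryVerdict:
    name: str
    safe: bool
    reasons: list = field(default_factory=list)


def _is_absolute(part: str) -> bool:
    # Rooted ("\foo"), UNC ("\\server\share") or drive-qualified ("C:\foo").
    return part.startswith("\\") or bool(_DRIVE_PREFIX.match(part))


def classify_entry(name: str) -> EntryVerdict:
    """Return a verdict for one archive entry name (Windows semantics)."""
    reasons: list = []

    def note(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    # Windows accepts both separators; normalise so ".." checks catch both.
    normalised = name.replace("/", "\\")

    # NTFS ADS syntax is "<file>:<stream>". A single letter before the colon
    # is treated as a drive letter instead; anything else is a stream name,
    # and the stream name may itself contain a traversal path.
    head, sep, stream = normalised.partition(":")
    if sep and not (len(head) == 1 and head.isalpha()):
        note("alternate data stream in entry name")
        parts_to_check = [head, stream]
    else:
        parts_to_check = [normalised]

    for part in parts_to_check:
        segments = [s for s in part.split("\\") if s]
        if ".." in segments:
            note("parent-directory traversal ('..')")
        if _is_absolute(part):
            note("absolute or UNC path")

    return EntryVerdict(name, not reasons, reasons)


def unsafe_entries(names) -> list:
    """Return verdicts for every entry that should not be extracted."""
    return [v for v in map(classify_entry, names) if not v.safe]


# Constructed sample entry names (not from any real archive).
SAMPLE_ENTRIES = [
    "docs\\report.pdf",                                     # benign
    "..\\..\\AppData\\Local\\Temp\\update.exe",             # plain traversal
    "report.pdf:..\\..\\AppData\\Local\\Temp\\update.exe",  # ADS + traversal
    "C:\\Users\\Public\\update.exe",                        # absolute path
]

if __name__ == "__main__":
    for verdict in unsafe_entries(SAMPLE_ENTRIES):
        print(f"REJECT {verdict.name!r}: {', '.join(verdict.reasons)}")
```

The check is deliberately conservative: a legitimate archive has no business naming a stream or climbing above its extraction root, so any hit is grounds to refuse extraction and alert, regardless of which WinRAR version is installed.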
ESET has determined that one of the groups exploiting the vulnerability is RomCom, a financially motivated crime group operating out of Russia. RomCom has been active for years in attacks that showcase its ability to procure exploits and execute sophisticated tradecraft.
The zero-day vulnerability exploited by RomCom has been tracked as CVE-2025-8088. The same vulnerability was also being actively exploited by another Russian cybercrime group, Paper Werewolf, according to Russian security firm Bi.ZONE. Paper Werewolf delivered the exploits in July and August through archives attached to emails impersonating employees of the All-Russian Research Institute.
The ultimate goal of the attacks was to install malware that gave the attackers access to infected systems. The attacks followed three execution chains. In one chain, used by RomCom, a malicious DLL file hidden in the archive was executed using a method known as COM hijacking. The DLL decrypted embedded shellcode, which then retrieved the domain name of the current machine and compared it with a hardcoded value.
When the two matched, the shellcode installed a custom instance of the Mythic Agent exploitation framework. Another chain ran a malicious Windows executable to deliver a final payload installing SnipBot, a known piece of RomCom malware. A third chain made use of two other known pieces of RomCom malware, one known as RustyClaw and the other Melting Claw.
WinRAR vulnerabilities have previously been exploited to install malware. In 2019, a code-execution vulnerability in WinRAR was exploited shortly after being patched. In 2023, a WinRAR zero-day was exploited for more than four months before the attacks were detected.
The attacks highlight the ongoing threat posed by zero-day vulnerabilities and the ability of financially motivated cybercrime groups to exploit them. ESET recommends that users steer clear of all WinRAR versions prior to 7.13, which has fixes for all known vulnerabilities.
Related Information:
https://www.digitaleventhorizon.com/articles/A-High-Severity-WinRAR-Zero-Day-Exploited-by-Two-Russian-Cybercrime-Groups-for-Weeks-deh.shtml
https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/
Published: Mon Aug 11 22:08:34 2025 by llama3.2 3B Q4_K_M