
WinRAR Zero-Day Exploited by Russian-Linked Hackers RomCom and Paper Werewolf – Source: www.techrepublic.com


Source: www.techrepublic.com – Author: Aminu Abdullahi

Older WinRAR versions let a crafted archive override the extraction path the user specified, enabling stealthy system compromise.

Cybersecurity researchers have identified an actively exploited flaw in WinRAR that attackers are using to plant long-term backdoors on targeted machines. The vulnerability, tracked as CVE-2025-8088, affects the Windows builds of WinRAR up to and including version 7.12 (together with the Windows RAR, UnRAR and UnRAR.dll components named in the vendor advisory) and has been tied to two Russia-linked groups known as RomCom and Paper Werewolf.

The flaw, first identified by ESET on July 18, 2025, is a path traversal bug that abuses the NTFS alternate data streams (ADS) feature of Windows to bypass the checks WinRAR applies to extraction paths. A maliciously crafted RAR file can use it to write content outside the directory the user chose, including the user's Startup folder and temporary directories, so that the planted files execute automatically at the next logon.

“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” WinRAR stated in its advisory.

RomCom used fake job application files

ESET researchers said the RomCom group disguised malicious archives as job application materials, targeting victims in finance, manufacturing, defense, and logistics industries across Europe and Canada. The packages appeared to contain a harmless document but concealed multiple ADS entries, some carrying malicious code and others filled with decoy data to mask suspicious behavior.

Anton Cherepanov, Peter Strýček, and Damien Schaeffer from ESET wrote: “By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations. This is at least the third time RomCom has used a zero-day vulnerability in the wild.”

ESET identified three distinct attack chains:

  • Mythic agent via COM hijacking: Dropping a malicious DLL into %TEMP%, hijacking a COM registry entry so that the DLL gets loaded, and executing embedded shellcode.
  • SnipBot variant: A modified PuTTY tool acting as a loader, running only when specific user activity patterns were met.
  • RustyClaw/MeltingClaw downloaders: Fetching additional payloads from remote servers to extend compromise.

Paper Werewolf also exploited the flaw

The Russian cybersecurity firm BI.ZONE reported that the same vulnerability was being used by a separate actor, Paper Werewolf (also tracked as GOFFEE). According to the firm, the group sent phishing emails pretending to come from staff of the All-Russian Research Institute, delivering RAR files that also took advantage of CVE-2025-6218, a different WinRAR flaw patched in June 2025.

According to BI.ZONE, “The vulnerability is related to the fact that when creating a RAR archive, you can include a file with alternative data streams, the names of which contain relative paths. These streams can contain arbitrary payload.”
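The ESET description earlier in the article and BI.ZONE's quote above come down to the same artifact: an NTFS stream name stored inside the archive that contains a relative path. The scanner below, added here as an example and not code from ESET, BI.ZONE or the WinRAR project, walks the RAR5 block structure, pulls the stream name out of each STM service header's service-data extra record, and flags any stream name or plain file name that has a `..` component, a rooted path or a drive letter. The sample archive it builds is constructed for the example (the `Applicant_CV.pdf` entry, the `Zone.Identifier` decoy stream and the `payload.exe` stream name are all hypothetical), and the header layout follows the public RAR 5.0 format description.

```python
"""RAR5 scanner: flags NTFS alternate data stream (ADS) entries, and plain file entries,
whose stored names contain path traversal.  Added example, not code from ESET, BI.ZONE
or WinRAR; the header layout follows the public RAR 5.0 format description."""
import struct
import zlib
from collections import namedtuple

RAR5_SIG, RAR4_SIG = b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_CRYPT, HEAD_END = 1, 2, 3, 4, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02       # header flags: extra area / data area present
FHFL_MTIME, FHFL_CRC32 = 0x02, 0x04    # file flags: 4-byte mtime / data CRC present
FHEXTRA_SUBDATA = 0x07                 # "service data" extra record; holds the STM stream name

Finding = namedtuple("Finding", "kind target name reason")


def read_vint(buf, pos):
    """Decode a RAR5 vint: little-endian 7-bit groups, high bit set means 'more'."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def vint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def traversal_reason(name):
    """Why a stored name would escape the extraction directory, or None.  Both
    separators are normalised because Windows accepts '/' as well as '\\'."""
    parts = name.replace("/", "\\").split("\\")
    if ".." in parts:
        return "parent-directory component"
    if name[:1] in ("\\", "/"):
        return "rooted path"
    if len(name) > 1 and name[1] == ":" and name[0].isalpha():
        return "drive-letter path"
    return None


def service_data(extra):
    """Payload of the service-data extra record: for an STM header, the UTF-8 ADS name."""
    p = 0
    while p < len(extra):
        size, p = read_vint(extra, p)
        rtype, q = read_vint(extra, p)
        if rtype == FHEXTRA_SUBDATA:
            return extra[q:p + size]
        p += size
    return b""


def scan_rar5(data):
    """Walk every block of a RAR5 archive; return Finding tuples for unsafe names."""
    if data.startswith(RAR4_SIG):
        raise ValueError("RAR4 archive: this scanner only parses the RAR5 layout")
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    findings, parent, pos = [], None, len(RAR5_SIG)
    while pos < len(data):
        crc = struct.unpack_from("<I", data, pos)[0]
        hsize, hstart = read_vint(data, pos + 4)      # header data = [hstart, hstart+hsize)
        if zlib.crc32(data[pos + 4:hstart + hsize]) != crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = read_vint(data, hstart)
        hflags, p = read_vint(data, p)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA:
            extra_size, p = read_vint(data, p)
        if hflags & HFL_DATA:
            data_size, p = read_vint(data, p)
        if htype == HEAD_CRYPT:    # encrypted headers: names cannot be inspected, say so
            findings.append(Finding("encrypted", None, None, "header encryption: names unreadable"))
            break
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(data, p)
            _unp, p = read_vint(data, p)
            _attr, p = read_vint(data, p)
            p += (4 if fflags & FHFL_MTIME else 0) + (4 if fflags & FHFL_CRC32 else 0)
            _comp, p = read_vint(data, p)
            _os, p = read_vint(data, p)
            nlen, p = read_vint(data, p)
            name = data[p:p + nlen].decode("utf-8", "replace")
            extra = data[hstart + hsize - extra_size:hstart + hsize]   # extra area ends the header
            if htype == HEAD_FILE:
                parent = name
                if traversal_reason(name):
                    findings.append(Finding("file", name, name, traversal_reason(name)))
            elif name == "STM":    # NTFS stream; assumed to belong to the preceding file header
                stream = service_data(extra).decode("utf-8", "replace")
                if traversal_reason(stream):
                    findings.append(Finding("ads", parent, stream, traversal_reason(stream)))
        pos = hstart + hsize + data_size
        if htype == HEAD_END:
            break
    return findings


# ---- constructed sample archive (hypothetical names, not a real malicious sample) ----
def block(htype, body, extra=b"", data=b""):
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = vint(htype) + vint(flags)
    hdr += vint(len(extra)) if extra else b""
    hdr += vint(len(data)) if data else b""
    hdr = vint(len(hdr + body + extra)) + hdr + body + extra
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + data


def entry(htype, name, data=b"", extra=b""):
    """File (2) or service (3) header: flags 0, stored (compression info 0), host OS 0 = Windows."""
    n = name.encode("utf-8")
    body = vint(0) + vint(len(data)) + vint(0x20) + vint(0) + vint(0) + vint(len(n)) + n
    return block(htype, body, extra, data)


def stream_record(stream_name):
    payload = vint(FHEXTRA_SUBDATA) + stream_name.encode("utf-8")
    return vint(len(payload)) + payload


def build_sample_archive():
    """Decoy 'CV' with two ADS entries: a harmless one and one climbing into the Startup folder."""
    evil = "..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe"
    return (RAR5_SIG + block(HEAD_MAIN, vint(0))
            + entry(HEAD_FILE, "Applicant_CV.pdf", b"%PDF-1.4 decoy")
            + entry(HEAD_SERVICE, "STM", b"[ZoneTransfer]", stream_record("Zone.Identifier"))
            + entry(HEAD_SERVICE, "STM", b"MZ-dummy", stream_record(evil))
            + block(HEAD_END, vint(0)))


if __name__ == "__main__":
    for f in scan_rar5(build_sample_archive()):
        print(f)
```

Run it over a real attachment with `scan_rar5(open(path, "rb").read())`. It reads names only, so it works on solid and compressed archives without decompressing anything, but it does not parse the older RAR4 layout, spanned volumes or archives with encrypted headers (the last case is reported as a finding, because the names cannot be inspected). A clean result says nothing about whether the host is patched; the fix is still to move to WinRAR 7.13.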

The company suggested Paper Werewolf may have obtained the exploit from an underground seller named “zeroplayer,” who in early July offered a WinRAR zero-day for $80,000 on a Russian-language dark web forum.

Long history of WinRAR exploits

Because WinRAR is widely installed and has no auto-update mechanism, it has been a recurring target for cyberattacks. Similar issues have been abused before, such as a critical bug disclosed in 2019 and CVE-2023-38831, a zero-day from 2023 that attackers used for months before it was disclosed.

Both RomCom and Paper Werewolf demonstrated a sophisticated understanding of WinRAR’s internal workings, repurposing the software into a tool for highly targeted cyberattacks. The fact that two unrelated threat groups exploited the same flaw in close succession indicates a strong black-market demand for valuable zero-day vulnerabilities.

Security experts stress the urgency of patching, warning that vulnerable systems remain exposed to both known and yet-to-be-discovered exploits.

WinRAR shipped a fix within 24 hours of being notified, and the final build, WinRAR 7.13, was released on July 30, 2025. Because the program does not update automatically, users must download and install the new version themselves, and software that bundles the affected UnRAR.dll needs an update of its own.


Original Post URL: https://www.techrepublic.com/article/news-winrar-zero-day-hackers-romcom-paper-werewolf/

Category & Tags: International, Microsoft, News, Security
