ESET: Update WinRAR Now, It’s Vulnerable

ESET has identified in-the-wild exploitation of a WinRAR zero-day, CVE-2025-8088, by two threat groups, RomCom and Paper Werewolf. ESET first saw the activity on July 18, reported it to WinRAR's developers on July 24, and a fix followed six days later.

On July 18, ESET's telemetry recorded an unusual file path, which triggered an investigation. By July 24, ESET had traced the anomaly to exploitation of an unknown vulnerability in WinRAR, a widely used archiving utility with an estimated 500 million installations worldwide, and reported the finding to WinRAR's developers that same day. WinRAR shipped a patch six days after the notification.

The vulnerability, now tracked as CVE-2025-8088, abused NTFS alternate data streams (ADS), a Windows feature that lets a single file carry additional named streams addressed as file.txt:streamname. RAR archives can store ADS entries, and WinRAR's defence against path traversal covered the entry's file name but not the stream name after the colon. Because Windows resolves the whole string as one path, a stream name containing ..\ sequences walks out of the folder the user chose, so a crafted archive could make WinRAR write its contents to attacker-selected locations, including %TEMP% and %LOCALAPPDATA%. Those are ordinary user-writable directories from which Windows will happily run code, not protected ones; the significance is that the archive, rather than the user, decided where the files landed, which is exactly what an attacker needs to plant a payload where it will execute.
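To make the mechanism concrete, the following is an added example, not ESET's or WinRAR's code, that models the bug class in Python: an extractor that runs its traversal check on the file name but appends the ADS suffix unchecked, beside a hardened version that validates the complete string handed to the filesystem. Win32 path canonicalisation is approximated with ntpath.normpath (an assumption of this example), and the entry names, the extraction directory and the Startup-folder target are all constructed for illustration; the function names are hypothetical and do not correspond to anything in WinRAR.

```python
"""Model of the bug class behind CVE-2025-8088 (added illustration, not WinRAR code).

A Windows extractor writes an entry named "file.txt:stream" into the NTFS
alternate data stream "stream" of file.txt. If the traversal check covers only
"file.txt" and the stream suffix is appended unchecked, "..\\" inside the stream
name escapes the extraction directory once Windows canonicalises the full path.
All entry names and paths below are constructed for this example.
"""
import ntpath


class TraversalError(ValueError):
    """The entry would be written outside the user-chosen extraction directory."""


def resolve(path: str) -> str:
    """Model Win32 canonicalisation with ntpath.normpath (assumption of this example):
    '..' is applied per backslash-delimited component, so 'file.txt:..\\..\\x'
    resolves two directories above file.txt."""
    return ntpath.normpath(path)


def is_inside(dest: str, candidate: str) -> bool:
    """True when the canonical form of candidate lies strictly under dest."""
    root = ntpath.normcase(resolve(dest)).rstrip("\\") + "\\"
    return ntpath.normcase(resolve(candidate)).startswith(root)


def vulnerable_target(dest: str, entry: str) -> str:
    """Vulnerable pattern: validate the file name, then append the stream suffix."""
    name, sep, stream = entry.partition(":")
    path = ntpath.join(dest, name)
    if not is_inside(dest, path):
        raise TraversalError(entry)      # plain "..\\evil.exe" is caught here ...
    return path + sep + stream           # ... but "..\\" inside the stream name is not


def hardened_target(dest: str, entry: str) -> str:
    """Hardened: forbid separators in stream names and validate the complete
    string that will actually be handed to the filesystem."""
    name, sep, stream = entry.partition(":")
    if sep and (not stream or any(c in stream for c in "\\/")):
        raise TraversalError(entry)
    full = ntpath.join(dest, name) + sep + stream
    if not is_inside(dest, full):
        raise TraversalError(entry)
    return full


def extraction_plan(dest, entries, target_fn):
    """Map each entry to the canonical path it would really be written to,
    or to 'REJECTED' if the checker refuses it."""
    plan = {}
    for entry in entries:
        try:
            plan[entry] = resolve(target_fn(dest, entry))
        except TraversalError:
            plan[entry] = "REJECTED"
    return plan


DEST = r"C:\Users\alice\Downloads\extract"   # directory the user picked (constructed)

# Constructed entries: a decoy document, a harmless ADS, a plain traversal, and an
# ADS whose name walks up to the profile root and into the Startup folder. The
# number of "..\" is tuned to DEST's depth for this example; surplus "..\" at the
# drive root would simply be discarded by canonicalisation.
ENTRIES = [
    r"report.pdf",
    r"report.pdf:Zone.Identifier",
    r"..\..\evil.exe",
    r"report.pdf:..\..\..\..\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\Updater.lnk",
]

if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_target), ("hardened", hardened_target)):
        print(f"--- {label} extractor ---")
        for entry, where in extraction_plan(DEST, ENTRIES, fn).items():
            print(f"{entry!r:<90} -> {where}")
```

Running it, the vulnerable plan shows the decoy's ADS entry landing in the user's Startup folder while the hardened plan rejects it; both reject the plain ..\evil.exe entry, which is the point: a check that only looks at the file name is no longer sufficient once stream names are part of the path. The same rule, validate the final canonical path rather than the pieces you assembled it from, applies to any extractor or upload handler that builds paths from untrusted names.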

ESET attributes the attacks to RomCom, a financially motivated cybercrime group operating from Russia that has been active for years and has repeatedly shown it can acquire and deploy exploits alongside capable tradecraft. Exploiting CVE-2025-8088 fits that pattern. Anton Cherepanov, Peter Strýček, and Damien Schaeffer of ESET wrote, “By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations. This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks.”

CVE-2025-8088 was not exclusively exploited by RomCom. Russian security firm BI.ZONE independently documented active exploitation of the same vulnerability by a group it tracks as Paper Werewolf, also known as GOFFEE. BI.ZONE also reported that Paper Werewolf exploited CVE-2025-6218, a separate high-severity WinRAR vulnerability that had received a patch approximately five weeks prior to the fix for CVE-2025-8088.

According to BI.ZONE, Paper Werewolf distributed the exploits in July and August inside archives attached to emails impersonating employees of the All-Russian Research Institute, with the goal of installing malware that gave the group access to the compromised systems. ESET and BI.ZONE made their discoveries independently; whether the two groups are linked, or how each obtained the exploit, is unconfirmed. BI.ZONE has speculated that Paper Werewolf may have bought the exploit on an underground crime forum.

ESET's analysis identified three distinct execution chains. The first, seen in attacks on one particular organization, used a malicious DLL concealed in the archive and executed through COM hijacking, so that legitimate applications such as Microsoft Edge loaded it. The DLL decrypted embedded shellcode, which read the domain name of the current machine and compared it against a hardcoded value; only on a match did it install a custom agent for Mythic, an open-source command-and-control framework. That domain check acts as a targeting filter: the payload stays dormant on any machine outside the intended victim's domain.

The second chain used a malicious Windows executable that delivered SnipBot, a known RomCom malware family, as its final payload. This SnipBot variant carried anti-analysis checks and terminated when run inside an empty virtual machine or sandbox, a common way for malware to evade automated analysis by researchers.

The third chain used two other established RomCom malware families, RustyClaw and MeltingClaw.

WinRAR vulnerabilities have been exploited to distribute malware before. A code-execution flaw disclosed in 2019 (CVE-2018-20250, in WinRAR's ACE archive handling) was widely exploited shortly after its patch was released, and in 2023 a WinRAR zero-day (CVE-2023-38831) was exploited for more than four months before it was discovered.

WinRAR's large user base, combined with the lack of an automatic update mechanism, makes it an attractive vehicle for malware delivery: users have to download and install patches themselves. The flaw is not confined to the GUI client. ESET also notes that the Windows command-line RAR and UnRAR tools, UnRAR.dll, and the portable UnRAR source code are affected, so third-party applications that bundle UnRAR.dll need updates of their own; WinRAR's release notes state that the Unix versions of RAR and UnRAR and RAR for Android are not affected. Users should update to WinRAR 7.13 or later, which at the time of this report was the current version and included fixes for all known vulnerabilities.
