A serious security flaw in WinRAR, a popular file compression tool used by hundreds of millions, has been exploited by cybercriminal groups for weeks. This zero-day vulnerability allowed hackers to plant malicious files on infected computers simply by opening a malicious archive attached to phishing emails. The attacks were first detected in July and have raised alarms because of how sophisticated and persistent they are.

What’s Going on with WinRAR Exploits

Security experts from ESET spotted the attacks on July 18. They noticed an unusual file in a strange folder. By July 24, they linked it to a new, unknown vulnerability in WinRAR. The flaw was in how WinRAR handled certain Windows features called alternate data streams. These streams let files have multiple ways of being stored, and the hackers used this to trick WinRAR into executing malicious code.

ESET quickly informed WinRAR developers, who released a patch within six days. But the fact that the vulnerability was exploited for so long shows how clever and resourceful these cybercriminal groups are. The main group behind the attacks is called RomCom, a Russian hacking group known for targeting financial gains. They used this zero-day, now tracked as CVE-2025-8088, to backdoor targeted systems.

The Tactics and the Groups Behind the Attacks

The RomCom group is known for its well-funded operations and ability to find and use zero-day bugs—flaws that software makers don’t even know about yet. They’ve used such vulnerabilities before, and this latest one shows they’re serious about their cyber operations. Interestingly, another group called Paper Werewolf, also tracked as GOFFEE, started exploiting the same flaw around the same time.

Paper Werewolf delivered malicious archives through emails pretending to be employees from a Russian research institute. Their goal was to install malware that would give them remote access to infected systems. It’s unclear if RomCom and Paper Werewolf are working together or if they independently found the same vulnerability. BI.ZONE, a Russian security firm, suggests Paper Werewolf might have bought the flaw from the dark web.

The attacks follow different methods, including tricks like COM hijacking, which tricks Windows into executing hidden malicious code. One chain involved a malicious DLL file that, when run, would check the machine’s identity and then install a remote access tool called Mythic Agent. Another chain involved malware called SnipBot, which is designed to evade forensic analysis and detection. A third chain used other known malware pieces, including RustyClaw and Melting Claw.

Why WinRAR and Its Flaws Are a Big Problem

WinRAR has been a target before. In 2019, a similar exploit was widely used before a patch was released. In 2023, another zero-day sat unnoticed for more than four months. The problem is that WinRAR doesn’t automatically update itself. Users have to manually download and install patches, which often doesn’t happen immediately.

This makes WinRAR a perfect tool for spreading malware. Many users stick with older versions, unaware of the security risks. Experts warn to avoid all versions below 7.13, which is the latest at the time of this writing. The new update fixes known vulnerabilities, but the history of zero-days shows hackers are always finding new ways to exploit the software.

It’s a reminder that even popular, trusted tools can have hidden flaws. Always keep your software up to date and be cautious of suspicious emails and attachments. As cybercriminals get more sophisticated, staying vigilant is more important than ever.

Inspired by

• https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/

Sources

• conde.digital
• cnevids.com
• welivesecurity.com
• microsoft.com
• bi.zone