High-Severity Vulnerability Allows Persistent Backdooring

A high-severity zero-day vulnerability in the widely used WinRAR file compressor has been exploited by two Russia-aligned threat groups, allowing them to plant malicious executables at attacker-chosen file paths. The attacks, which began in mid-July, were discovered by security firm ESET, which reported that the vulnerability was exploited by RomCom, a Russia-aligned group that runs financially motivated operations as well as targeted espionage campaigns.
ESET said it first detected the attacks on July 18, when its telemetry spotted a file in an unusual directory path. The firm reported the flaw to WinRAR's developers on July 24, and a fixed version, WinRAR 7.13, followed six days later, on July 30. The exploit abuses alternate data streams (ADS), an NTFS feature that lets a single file carry additional named streams of data, addressed as file.txt:streamname. By storing archive entries whose stream names contained ..\ sequences, the attackers made WinRAR write the stream's contents outside the directory the user had chosen for extraction: a previously unknown path traversal flaw.
The exploit let the attackers drop executables into the %TEMP% and %LOCALAPPDATA% directories and a shortcut (.lnk) file into the user's Startup folder, so the payload ran at the next logon. None of these locations is protected by Windows; they are ordinary user-writable directories, which is exactly why the bug matters. A correct extractor writes only beneath the destination the user selected, so any file an archive can place in these folders is evidence of traversal. The RomCom group has been active for years, showcasing its ability to procure exploits and execute sophisticated tradecraft.
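As an added example, not code from the article, from ESET or from WinRAR, here is a Python check that an extractor or a mail-gateway triage script could apply to archive entry names before writing anything to disk. On NTFS a name of the form path:stream addresses an alternate data stream, and the stream name is exactly where this exploit hid its traversal, so the check inspects the part after the colon separately from the file path. It rejects absolute, UNC and drive-letter paths, '..' components in the file path, and any separator or '..' inside a stream name, then confirms the resolved target stays under the extraction root. The entry names below are constructed to mimic the pattern described, not taken from a real sample, and the extraction root is an assumed placeholder.

```python
import ntpath
import re

# Constructed entry names mimicking the shape described above (not a real archive):
# a harmless-looking file name followed by ':' and a stream name carrying '..\' traversal.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "notes.txt:Zone.Identifier",
    "report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk",
    "..\\..\\evil.exe",
    "C:\\Users\\Public\\dropper.exe",
    "\\\\server\\share\\tool.exe",
]

ASSUMED_DEST = r"C:\Users\victim\Downloads\extract"  # placeholder extraction root

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def split_ads(name):
    """Split 'path:stream' into (path, stream); stream is None when absent.
    Callers reject drive-letter paths first, so a colon here can only be the
    NTFS alternate-data-stream separator."""
    path, sep, stream = name.partition(":")
    return path, (stream if sep else None)


def check_entry(name, dest_root=ASSUMED_DEST):
    """Return ('ok', detail) or ('reject', reason) for one archive entry name."""
    win = name.replace("/", "\\")          # archives may use either separator
    if win.startswith("\\") or _DRIVE_RE.match(win):
        return "reject", "absolute, UNC or drive-letter path"
    path, stream = split_ads(win)
    if any(part == ".." for part in path.split("\\")):
        return "reject", "'..' component in file path"
    if stream is not None and ("\\" in stream or ".." in stream):
        # A genuine stream name (e.g. Zone.Identifier, optionally ':$DATA') never
        # contains a separator; a traversal here is the pattern this exploit used.
        return "reject", "path traversal hidden in alternate data stream name"
    # Belt and braces: the resolved target must remain under the chosen root.
    root = ntpath.normpath(dest_root)
    final = ntpath.normpath(ntpath.join(root, path))
    if final != root and not final.startswith(root + "\\"):
        return "reject", "resolves outside extraction root"
    return "ok", "alternate data stream" if stream else "plain file"


def triage(entries, dest_root=ASSUMED_DEST):
    """Classify every entry; returns [(name, verdict, detail)] in listing order."""
    return [(e, *check_entry(e, dest_root)) for e in entries]


if __name__ == "__main__":
    for name, verdict, detail in triage(SAMPLE_ENTRIES):
        print(f"{verdict:6} {detail:45} {name}")
```

The check is deliberately strict: a path such as dir\..\file is rejected even though it would resolve safely, because an archive that needs '..' anywhere in an entry name is not one worth extracting. Feed it the entry names from whatever listing tool you use before extraction; anything reported as a reject should be quarantined rather than opened.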
ESET has tracked the zero-day vulnerability as CVE-2025-8088. The firm’s researchers noted that this is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks.
Interestingly, another group, tracked as Paper Werewolf or GOFFEE, was exploiting the same vulnerability. According to Russian security firm Bi.ZONE, the group delivered the exploit in archives attached to emails impersonating employees of the All-Russian Research Institute. The ultimate goal was to install malware that gave the attackers remote access to infected systems.
While ESET and Bi.ZONE made their discoveries independently, it is unknown whether the two groups are connected or acquired the exploit from the same source. Bi.ZONE speculated that Paper Werewolf may have bought it on a dark web crime forum.
ESET observed three execution chains used by RomCom. One executed a malicious DLL hidden in the archive via COM hijacking: the DLL was dropped where a registered COM component is expected, so legitimate applications such as Microsoft Edge loaded it. The DLL decrypted embedded shellcode that installed a custom agent for Mythic, an open-source command-and-control framework.
A second chain ran a malicious Windows executable that delivered a final payload installing SnipBot, a known RomCom malware family. A third chain used two other known RomCom tools, RustyClaw and Melting Claw.
WinRAR vulnerabilities have been exploited to install malware before: a code-execution flaw disclosed in 2019 came under wide exploitation shortly after it was patched, and in 2023 a WinRAR zero-day was exploited for more than four months before the attacks were detected.
Given the seemingly unending stream of WinRAR zero-days, users should avoid all WinRAR versions prior to 7.13, which fixes all publicly known vulnerabilities. WinRAR's developers note that the Windows builds of the RAR and UnRAR command-line tools, UnRAR.dll and the portable UnRAR source code are affected as well, so third-party software that bundles UnRAR.dll needs a rebuilt copy; the Unix and Android versions are not affected. WinRAR does not update itself, so the new version has to be downloaded from the vendor and installed manually.
The use of alternate data streams is what made the exploit hard to spot: the archive appears to contain only a harmless file, the stream name carrying the traversal is not shown as a separate entry, and the user sees a normal-looking extraction into the folder they chose while the payload is written elsewhere. That RomCom has repeatedly obtained and used zero-day vulnerabilities suggests a sophisticated and well-resourced operation.
In light of these findings, users are advised to take the following steps to protect themselves:
- Update to WinRAR 7.13 or later by downloading it from the vendor (WinRAR has no built-in updater), and update or rebuild any software that bundles UnRAR.dll
- Avoid opening suspicious archives or attachments from unknown sources
- Use antivirus software to scan for malware
- Regularly update operating systems and software to ensure they have the latest security patches
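As an added example (not from the article, ESET or Bi.ZONE), the following Python script hunts for recently written executables, DLLs and shortcuts in the directories the article names as drop locations, %TEMP% and %LOCALAPPDATA%, plus the per-user Startup folder, which is where a shortcut has to land to run at logon. The directory list and the set of file extensions are this example's own assumptions; the function takes explicit roots so it can also be pointed at a mounted disk image or tested on any folder.

```python
import os
import time
from pathlib import Path


def default_roots():
    """Assumed drop locations on a live Windows host: %TEMP%, %LOCALAPPDATA% and
    the per-user Startup folder. Missing environment variables are skipped."""
    roots = []
    if os.environ.get("TEMP"):
        roots.append(Path(os.environ["TEMP"]))
    if os.environ.get("LOCALAPPDATA"):
        roots.append(Path(os.environ["LOCALAPPDATA"]))
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"]) / "Microsoft" / "Windows"
                     / "Start Menu" / "Programs" / "Startup")
    return roots


# Assumed: file types that deserve a second look when they appear in these folders.
SUSPICIOUS_EXT = {".exe", ".dll", ".lnk", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def find_recent_drops(roots, since_epoch, exts=SUSPICIOUS_EXT, max_depth=2):
    """Return sorted [(path, mtime)] of files under `roots` whose extension is in
    `exts` and whose modification time is at or after `since_epoch`.
    Only `max_depth` levels below each root are walked: the payloads land in or
    just under these directories, and %LOCALAPPDATA% is otherwise enormous."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        base = len(root.parts)
        for dirpath, dirnames, filenames in os.walk(root):
            if len(Path(dirpath).parts) - base >= max_depth:
                dirnames[:] = []            # prune: do not descend further
            for fn in filenames:
                p = Path(dirpath) / fn
                if p.suffix.lower() not in exts:
                    continue
                try:
                    mtime = p.stat().st_mtime
                except OSError:             # locked or vanished file; skip it
                    continue
                if mtime >= since_epoch:
                    hits.append((str(p), mtime))
    return sorted(hits)


if __name__ == "__main__":
    cutoff = time.time() - 14 * 86400      # look back two weeks
    for path, mtime in find_recent_drops(default_roots(), cutoff):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

A hit is not proof of compromise, since installers also write to %TEMP% and %LOCALAPPDATA%, but an unexplained .lnk in the Startup folder or a DLL in %TEMP% dated around the time an archive was opened is exactly the artifact this exploit leaves and should be triaged.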
By taking these precautions, users can reduce their risk of falling victim to these types of attacks and protect themselves from the potential consequences of malware infection.