WinRAR’s Zero-Day Mess: Two Russian Hacking Groups Exploited Critical Flaw Before Anyone Noticed


Photo by Felix Hanspach on Unsplash

For weeks, a zero-day vulnerability in WinRAR—a tool used by millions—was actively exploited to install malware. Here’s how two Russian cybercrime groups pulled it off… and why it matters.


If you’re one of the 500 million people using WinRAR, you might want to stop and check which version you’re running. A high-severity zero-day vulnerability made it way too easy for hackers to plant malware on computers—especially if you happened to open a sketchy archive from your inbox.

Security researchers from ESET first spotted the issue back on July 18. They noticed a suspicious file nestled in a place it shouldn’t be. Six days later, they traced that behavior to what turned out to be a previously unknown bug—now tracked as CVE-2025-8088—and alerted the folks at WinRAR. A fix came six days after that.

But by then, the damage may have been done.


Who’s behind it?


Photo by Jeff Hardi on Unsplash

Two different Russian cybercrime groups were caught exploiting the flaw:

  • RomCom, a well-funded and experienced group known for using zero-days in targeted attacks.
  • Paper Werewolf (also called GOFFEE), tracked by Russian security firm BI.ZONE.

RomCom specifically went after victims using phishing emails carrying malicious WinRAR archives. Once opened, these archives could land malware in parts of the Windows user profile it should never reach, like %TEMP% and %LOCALAPPDATA%, by combining alternate data streams with a path traversal flaw.

If that sounds technical—it’s because it is. But here’s the big idea: these attackers found a way around Windows’ usual safety gates and quietly let themselves in.
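The two tricks mentioned above (alternate data streams and path traversal) both show up in the entry names of a malicious archive before anything is ever extracted. The following Python script is an added example, not code from the article, ESET, or the WinRAR project: it audits a list of archive entry names against an assumed extraction folder and flags entries that use an absolute path, climb out of the extraction folder with `..`, or carry an NTFS stream suffix (`file:stream`) whose stream portion is itself a path. The entry names and the extraction folder are constructed for the example; the checks use only Python's standard `ntpath` module, so they run on any platform. It generalizes slightly beyond the article by also flagging plain absolute paths, which a safe extractor should reject for the same reason.

```python
import ntpath

# Constructed sample listing for this example: the entry names are made up and
# are not taken from any real archive. Backslash and forward-slash forms are
# both accepted, since archive listings may contain either.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\AppData\\Local\\Temp\\helper.dll",
    "C:\\Users\\Public\\run.exe",
    "invoice.pdf:..\\..\\AppData\\Local\\helper.dll",
    "notes.txt:Zone.Identifier",
]


def split_ads(entry):
    """Split 'file.txt:stream' into ('file.txt', 'stream').

    A drive letter ('C:') is not a stream separator, so the drive is removed
    before searching for the colon. Returns (entry, None) when no stream is present.
    """
    drive, rest = ntpath.splitdrive(entry)
    if ":" in rest:
        base, stream = rest.split(":", 1)
        return drive + base, stream
    return entry, None


def resolves_outside(root, relative):
    """True if joining `relative` onto `root` lands outside `root` once '..' is resolved."""
    root_norm = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root_norm, relative)))
    return target != root_norm and not target.startswith(root_norm + "\\")


def audit_entry(entry, root):
    """Return the reasons an entry looks suspicious (empty list if it looks benign)."""
    reasons = []
    base, stream = split_ads(entry)
    if ntpath.isabs(base) or ntpath.splitdrive(base)[0]:
        reasons.append("absolute-path")
    elif resolves_outside(root, base):
        reasons.append("path-traversal")
    if stream is not None:
        reasons.append("alternate-data-stream")
        # A legitimate stream name (e.g. Zone.Identifier) never needs '..' or a
        # path separator; either one means the stream portion is steering the
        # write location rather than naming a stream.
        parts = stream.replace("/", "\\").split("\\")
        if ".." in parts:
            reasons.append("stream-path-traversal")
        elif len(parts) > 1:
            reasons.append("stream-contains-path")
    return reasons


def audit_archive_entries(entries, root):
    """Map each suspicious entry name to its reasons; benign entries are omitted."""
    findings = {}
    for entry in entries:
        reasons = audit_entry(entry, root)
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    root = "C:\\Users\\alice\\Downloads\\extracted"  # assumed extraction folder
    for entry, reasons in audit_archive_entries(SAMPLE_ENTRIES, root).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

In practice the entry list would come from a listing tool's output rather than a hard-coded array; the point of the example is that every finding is decided from the name alone, which is why a scanner can refuse an archive before a single byte is written to disk.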

How did the attacks work?

ESET observed three different “execution chains” (a fancy way of saying infection methods). Here’s what they found:

  1. Targeted Implant via Microsoft Edge Hijack
    • A hidden DLL ran using a method called COM hijacking.
    • If the PC matched a hardcoded domain, it installed something called Mythic Agent, a powerful exploitation framework.
  2. SnipBot Delivered Like a Ninja
    • This one used a disguised Windows executable to drop known RomCom malware called SnipBot.
    • It could detect when it was being run inside a virtual machine and would stop working to avoid detection.
  3. RustyClaw and Melting Claw
    • These two pieces of malware were deployed in some attacks, both linked previously to RomCom’s toolkit.

Meanwhile, Paper Werewolf had its own playbook. According to BI.ZONE, it sent phishing emails impersonating employees from the All-Russian Research Institute. The attached malicious archives exploited not just CVE-2025-8088 but also an earlier vulnerability, CVE-2025-6218, which had been patched five weeks earlier. The end goal? Install malware and gain ongoing access to infected computers.

How long did this go unnoticed?

Too long. The first signs came in mid-July. The patch for CVE-2025-8088 wasn’t released until six days after ESET’s report—on July 30. And in those weeks before and after, attackers had a valuable window to hit targets who hadn’t yet updated.

Worth noting: previous WinRAR zero-days have a bad track record of slipping under the radar for months. One in 2023 went undetected for four whole months. The biggest problem? WinRAR doesn’t automatically update. That means if you’re using anything older than version 7.13, you might still be vulnerable.

What should you do now?


Photo by David Schultz on Unsplash

Quick checklist:

  • ❗ Check your WinRAR version. Make sure you’re on version 7.13 or later.
  • 🛑 Avoid opening archive files from unknown or suspicious sources—especially ones delivered by email.
  • 🔄 Get into the habit of keeping software manually updated, especially tools like this that don’t auto-patch.
  • 🔍 Be cautious of files even when they look legit. Modern malware uses a lot of camouflage.

If you’re a developer or sysadmin who relies on WinRAR’s other components, such as UnRAR.dll or the portable UnRAR source code, those are vulnerable too. So stay alert across the board.
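Because WinRAR doesn’t update itself, the first checklist item above has to be done by hand or by script. The following Python script is an added example, not code from the article or from RARLAB: it reads the standard Windows Uninstall registry keys (the `HKLM` and `HKCU` `...\CurrentVersion\Uninstall` locations, with their `DisplayName` and `DisplayVersion` values) and reports whether each WinRAR install is at 7.13 or later, the threshold the article gives. Matching installs by the word "WinRAR" in `DisplayName` is an assumption about how the installer registers itself, and the script only sees the WinRAR application: copies of UnRAR.dll bundled inside other software are not covered. On a non-Windows host the registry lookup returns nothing and only the version comparison runs.

```python
import re
import sys

# Minimum WinRAR version the article identifies as carrying the fix for CVE-2025-8088.
MIN_PATCHED = (7, 13)


def parse_version(text):
    """Extract (major, minor) from strings like '7.12' or 'WinRAR 7.01 (64-bit)'.

    Components are compared as integers: a plain string comparison would rank
    '7.9' above '7.13', which is exactly the wrong answer here.
    """
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_patched(version_text):
    """True if the version string is 7.13 or later."""
    return parse_version(version_text) >= MIN_PATCHED


# Standard Uninstall locations: 64-bit view, 32-bit view, and per-user installs.
UNINSTALL_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
]


def installed_winrar_versions():
    """Return [(display_name, version_text)] for WinRAR entries found in the registry.

    Returns an empty list on non-Windows hosts, where the winreg module is unavailable.
    """
    if sys.platform != "win32":
        return []
    import winreg

    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    found = []
    for hive_name, subkey in UNINSTALL_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue  # view not present on this machine
        with key:
            count = winreg.QueryInfoKey(key)[0]
            for index in range(count):
                name = winreg.EnumKey(key, index)
                try:
                    with winreg.OpenKey(key, name) as app:
                        display = winreg.QueryValueEx(app, "DisplayName")[0]
                        if "winrar" not in display.lower():  # assumed naming convention
                            continue
                        try:
                            version = winreg.QueryValueEx(app, "DisplayVersion")[0]
                        except OSError:
                            version = display  # fall back to the number embedded in the name
                        found.append((display, version))
                except OSError:
                    continue  # entry without a DisplayName, or not readable
    return found


def assess(installs):
    """Label each (name, version) pair as patched (True) or vulnerable (False)."""
    return [(name, version, is_patched(version)) for name, version in installs]


if __name__ == "__main__":
    installs = installed_winrar_versions()
    if not installs:
        print("No WinRAR uninstall entry found (or not running on Windows).")
    for name, version, ok in assess(installs):
        status = "patched" if ok else "VULNERABLE, update to 7.13 or later"
        print(f"{name}: {version} -> {status}")
```

Run it from an elevated prompt if you want the machine-wide keys as well as the per-user ones; a fleet-wide version of the same check is simply this script pushed out by whatever management tool you already use.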

The bigger picture

So why is this a big deal? Because tools like WinRAR sit quietly in the background of millions of machines. Most people never think about them until something breaks. That makes them ideal attack surfaces for cybercriminals who play a long game.

The fact that two independent, well-resourced groups separately found and exploited this vulnerability only deepens the concern. And the fact that detection took weeks—or longer—shows how stealthy these operations can be.

One thing’s clear: zero-days like this aren’t going away, and keeping old software around without updates is now an open invitation to attackers.

Stay tuned, patch early, and don’t open weird zip files.


Keywords: WinRAR zero-day, CVE-2025-8088, RomCom malware, Paper Werewolf, SnipBot, alternate data streams, COM hijacking, Mythic Agent, RustyClaw, Melting Claw, WinRAR update, cybersecurity threat, phishing archive attack, software patch, malware delivery, ESET, BI.ZONE

