Ethical Hacking News
A high-severity zero-day vulnerability in WinRAR has been exploited by two Russian cybercrime groups for several weeks, leaving users vulnerable to malware attacks via phishing messages and malicious archives. The attack highlights the risks of widely used software without automated update mechanisms, emphasizing the need for increased cybersecurity awareness.
ESET has discovered a zero-day vulnerability (CVE-2025-8088) in the WinRAR file compressor being exploited by Russian cybercrime groups. The exploit allows attackers to backdoor computers whose users open malicious archives attached to phishing messages. The vulnerability was first detected on July 18 and a fix was released six days later, addressing the issue. Two Russian cybercrime groups, RomCom and Paper Werewolf (GOFFEE), have been linked to the attacks. ESET recommends avoiding all WinRAR versions prior to 7.13, which has fixes for known vulnerabilities. The exploitation highlights the risks of widely used software without automated update mechanisms.
A recent discovery by security firm ESET has revealed that two Russian cybercrime groups have been actively exploiting a high-severity zero-day vulnerability in the widely used WinRAR file compressor. This exploitation, which has been ongoing for several weeks, allows the attackers to backdoor computers whose users open malicious archives attached to phishing messages.
The vulnerability, designated as CVE-2025-8088, was first detected on July 18, when ESET's telemetry spotted a file in an unusual directory path. By July 24, ESET had determined that the behavior was linked to the exploitation of this unknown vulnerability. A fix for WinRAR was released six days later, addressing the issue.
The exploit itself is sophisticated, as it abuses alternate data streams, a Windows feature that allows different ways of representing the same file path. By exploiting this feature, the attackers can trigger a previously unknown path traversal flaw that causes WinRAR to plant malicious executables in attacker-chosen file paths under %TEMP% and %LOCALAPPDATA%, directories that are normally off-limits to archive extraction because executables placed there can run.
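As an added example (not from the article, ESET or WinRAR), the following Python pre-extraction scan flags archive entry names that pair an alternate data stream with `..` traversal components, or that resolve outside the extraction directory; the entry names in `SAMPLE_ENTRIES` and the extraction root are constructed for illustration.

```python
"""Pre-extraction scan for archive entry names that pair an NTFS alternate
data stream (ADS) with path traversal, the pattern described above.
Added example, not ESET's or WinRAR's code; SAMPLE_ENTRIES is constructed."""
import ntpath

# Constructed entry names, as an archive lister might report them.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"images\cover.png",
    r"..\..\notes.txt",                                    # classic zip-slip
    r"report.pdf:..\..\..\AppData\Local\Temp\update.exe",  # ADS + traversal
    r"readme.txt:Zone.Identifier",                         # ADS, no traversal
]

def split_ads(name):
    """Split 'file:stream' into (file, stream); stream is None when absent.
    A leading drive letter ('C:') is not treated as a stream separator."""
    start = 2 if len(name) > 1 and name[1] == ":" and name[0].isalpha() else 0
    idx = name.find(":", start)
    return (name, None) if idx == -1 else (name[:idx], name[idx + 1:])

def has_traversal(path):
    """True if any backslash- or slash-separated component is '..'."""
    return ".." in path.replace("/", "\\").split("\\")

def resolves_outside(root, name):
    """True if joining name onto root, as a naive extractor does, leaves root."""
    root_abs = ntpath.normpath(root)
    target = ntpath.normpath(ntpath.join(root_abs, name))
    try:
        return ntpath.commonpath([root_abs, target]) != root_abs
    except ValueError:  # different drive, or absolute vs. relative mix
        return True

def classify_entry(root, name):
    """Return findings for one entry name; an empty list means it looks benign."""
    base, stream = split_ads(name)
    findings = ["escapes-extraction-dir"] if resolves_outside(root, base) else []
    if stream is not None:
        findings.append("ads-stream")
        if has_traversal(stream):
            findings.append("traversal-in-stream")
    return findings

def scan(root, entries):
    """Map each suspicious entry name to its findings (benign names are omitted)."""
    return {n: f for n in entries if (f := classify_entry(root, n))}
```

Run `scan(r"C:\Users\alice\Downloads\report", SAMPLE_ENTRIES)` to see the three suspicious names and their findings; a real deployment would feed it the entry list from the archive parser before any file is written.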
ESET attributed the attacks to two Russian cybercrime groups: RomCom, which has been active for years in high-profile attacks showcasing its ability to procure exploits and execute sophisticated tradecraft; and Paper Werewolf (also tracked as GOFFEE), another group that had previously exploited a separate high-severity WinRAR vulnerability.
The RomCom group invested significant effort and resources in the exploitation, which highlights its ongoing focus on acquiring and using exploits for targeted attacks. By exploiting this zero-day vulnerability, the attackers were able to install malware on infected systems and gain access to sensitive information.
In addition to the WinRAR vulnerabilities, ESET noted that the Windows versions of the command line utilities, UnRAR.dll, and the portable UnRAR source code are also vulnerable. This means that users should avoid all WinRAR versions prior to 7.13, which has fixes for all known vulnerabilities. However, given the ongoing stream of WinRAR zero-days, this does not provide much assurance against future exploits.
The attacks observed by ESET followed three execution chains, each with distinct methods. One chain used COM hijacking to execute a malicious DLL file hidden in an archive. Another chain delivered a final payload that installed SnipBot, a known piece of RomCom malware. A third chain utilized two other pieces of RomCom malware, RustyClaw and Melting Claw.
The exploitation highlights the risks associated with widely used software, particularly those without automated mechanisms for installing updates. Users must actively download and install patches on their own, making them more vulnerable to exploits like this one.
In light of this recent discovery, it is essential for users to stay vigilant against phishing messages and other types of malicious archives. The fact that two groups have been exploiting this vulnerability simultaneously underscores the need for increased awareness and action in cybersecurity measures.
Published: Mon Aug 11 22:01:15 2025 by llama3.2 3B Q4_K_M