
A severe zero-day vulnerability in the popular WinRAR file compression software has been actively exploited for several weeks by two distinct cybercrime groups operating out of Russia. The attacks backdoor systems whose users open malicious archives sent via phishing emails, some of which are tailored to individual recipients.

Security firm ESET reported that it first discovered the exploitation on July 18, when unusual telemetry data revealed a file in an atypical directory path. By July 24, ESET confirmed that this behavior was associated with an unknown vulnerability in WinRAR, which has an extensive user base of approximately 500 million installations. ESET alerted the developers of WinRAR the same day, and a fix was issued just six days later.

The exploit leveraged alternate data streams, a feature in Windows that allows multiple representations of the same file path. This triggered a previously unidentified path traversal flaw, causing WinRAR to install malicious executables in locations such as %TEMP% and %LOCALAPPDATA%, directories that Windows typically restricts because of their ability to execute code.

ESET identified the attacking group as RomCom, a financially motivated cybercrime organization known for its sophisticated tactics and resourcefulness. This group has a history of leveraging zero-day vulnerabilities and is now linked to the zero-day being tracked as CVE-2025-8088. According to ESET's experts, this marks at least the third occasion on which RomCom has deployed a zero-day exploit, indicating its commitment to acquiring and using such vulnerabilities for targeted attacks.

RomCom is not alone in exploiting CVE-2025-8088. The Russian security firm Bi.ZONE reported that another group, referred to as Paper Werewolf or GOFFEE, is also taking advantage of this vulnerability. In addition to CVE-2025-8088, this group has been exploiting CVE-2025-6218, another serious WinRAR vulnerability that had been patched five weeks prior to the fix for the latest zero-day issue.
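The flaw class described above, archive entry names that lead outside the extraction folder, is something a defender can screen for before an archive is unpacked. The following is an added example, not code from WinRAR, ESET or Bi.ZONE; the function names, the destination `C:\extract` and the sample entry names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS


def unsafe_reason(dest, entry_name):
    """Return why extracting entry_name under dest is unsafe, or None if acceptable."""
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        return "drive or absolute path"
    if ":" in rest:
        # NTFS reads "file:stream" as an alternate data stream of "file";
        # a plain archive member never needs a colon in its name.
        return "alternate data stream specifier"
    if ".." in rest.split("\\"):
        return "parent-directory component"
    # Defense in depth: confirm the normalized target is still under dest.
    root = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(root, rest))
    if ntpath.commonpath([root, target]).lower() != root.lower():
        return "resolves outside destination"
    return None


def audit(dest, entry_names):
    """Map each entry name to its rejection reason (None means acceptable)."""
    return {name: unsafe_reason(dest, name) for name in entry_names}


# Constructed entry names, not taken from any real sample.
SAMPLES = [
    "docs/readme.txt",
    "..\\..\\outside.txt",
    "notes.txt:hidden",
    "D:\\other\\file.txt",
    "\\\\server\\share\\file.txt",
]

if __name__ == "__main__":
    for name, reason in audit("C:\\extract", SAMPLES).items():
        print(f"{name!r}: {reason or 'ok'}")
```

A check like this complements updating WinRAR to the fixed release and does not replace it.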