Russian hackers exploit WinRAR zero-day vulnerability to attack Europe and Canada
Two Russian hacker groups have exploited the WinRAR zero-day vulnerability to spread malware via phishing emails sent to carefully selected targets.
Quick summary:
WinRAR vulnerability CVE-2025-8088 has been exploited for weeks, affecting millions of users.
Two Russian hacker groups, RomCom and Paper Werewolf, exploited the vulnerability to spread malware.
Attack techniques include COM hijacking and the installation of the SnipBot, RustyClaw and Melting Claw malware.
WinRAR does not update automatically; users need to upgrade to version 7.13 themselves to avoid the risk.
The CVE-2025-8088 vulnerability and how it is exploited
The popular file compression software WinRAR has just patched a critical vulnerability, CVE-2025-8088, after it had been exploited in the wild for weeks. The path traversal vulnerability abuses Windows’ alternate data streams feature, allowing files from a malicious archive to be unpacked into system folders such as %TEMP% or %LOCALAPPDATA%, which can lead to code execution.
ESET spotted signs of the attack on July 18 when it noticed unusual files in unexpected paths. Just six days after being notified, WinRAR released a patch (version 7.13) on July 30.
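As an added illustration (not code from the article or from ESET), the following Python function flags archive entry names that show the traversal-plus-alternate-data-stream shape described above, so that a listing (for example copied from a command-line archiver) can be reviewed before extraction on a machine still running an older WinRAR. The sample entry names and the %TEMP%/%LOCALAPPDATA% path markers are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample archive entry names, as they might appear in a listing.
# Entries 2 and 3 imitate the traversal-plus-alternate-data-stream shape the
# article describes; they are illustrative, not indicators from the campaign.
SAMPLE_ENTRIES = [
    "report.pdf",
    "report.pdf:..\\..\\AppData\\Local\\Temp\\update.dll",
    "..\\..\\..\\AppData\\Local\\Microsoft\\helper.exe",
    "docs/notes.txt",
]

DRIVE_RE = re.compile(r"^[A-Za-z]:")
# '..' as a whole path component, including directly after an ADS colon
TRAVERSAL_RE = re.compile(r"(^|[\\:])\.\.(\\|$)")


def suspicious_reasons(entry: str) -> List[str]:
    """Return why an archive entry name looks like a traversal attempt.

    An empty list means the name is a plain relative path."""
    name = entry.replace("/", "\\")
    reasons: List[str] = []
    if DRIVE_RE.match(name) or name.startswith("\\"):
        reasons.append("absolute-path")
    # Strip a drive letter so its colon is not mistaken for a stream separator
    rest = name[2:] if DRIVE_RE.match(name) else name
    if ":" in rest:
        reasons.append("ads")          # NTFS alternate data stream: file:stream
    if TRAVERSAL_RE.search(name):
        reasons.append("traversal")    # '..' climbs out of the extraction folder
    low = name.lower()
    if "\\appdata\\local\\temp\\" in low:
        reasons.append("targets-%TEMP%")
    elif "\\appdata\\local\\" in low:
        reasons.append("targets-%LOCALAPPDATA%")
    return reasons


def scan_entries(entries: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; clean names are omitted."""
    return {e: r for e in entries if (r := suspicious_reasons(e))}


if __name__ == "__main__":
    for entry, reasons in scan_entries(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```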

RomCom and Paper Werewolf both exploit the flaw
ESET identified the RomCom group – a financially motivated cybercriminal group with a long history of operations in Russia – as being behind part of the attack campaign. This is the third time the group has used a zero-day vulnerability in a targeted campaign.
Notably, Russian cybersecurity firm Bi.ZONE said that another group, Paper Werewolf (also known as GOFFEE), was also exploiting CVE-2025-8088 in parallel. Paper Werewolf also exploited CVE-2025-6218, another WinRAR vulnerability patched five weeks earlier, through emails impersonating employees of the All-Russian Research Institute to install malware on victim systems.
It is not yet clear whether the two groups are related or whether both purchased the vulnerability details from the same source on the black market.
Sophisticated attack chain
According to ESET, RomCom deploys three main attack chains:
COM hijacking: a malicious DLL dropped from the archive is loaded by applications such as Microsoft Edge; it decodes shellcode that collects machine information and installs the Mythic Agent attack tool if the victim matches the attackers' criteria.
Executable payload: runs a Windows executable that installs SnipBot, a spyware with checks that hinder analysis in virtual environments.
Multi-layered malware: uses further malware such as RustyClaw and Melting Claw to maintain access and control.
The risk of slow WinRAR updates
WinRAR has been targeted by hackers many times because of its large user base (about 500 million) and its lack of automatic updates. Users have to download and install patches themselves, leaving many systems exposed for a long time.
ESET recommends not using any WinRAR version prior to 7.13 and updating immediately to fix all known vulnerabilities.