NG Solution Team

Are two groups exploiting a critical WinRAR vulnerability?

A critical zero-day vulnerability in WinRAR, the widely used file compression tool, has been actively exploited by two Russia-aligned threat groups. Both used the flaw to plant backdoors on Windows machines whose users extracted malicious archives attached to phishing emails, some of them tailored to the individual recipient.

The attacks were first identified in mid-July 2025, when ESET researchers spotted a malicious archive and traced its behaviour to a previously unknown flaw in WinRAR. The software, whose vendor puts its user base at roughly 500 million, was patched in WinRAR 7.13 six days after the flaw was reported to its developers.

The exploit abuses alternate data streams (ADS), an NTFS feature that lets a file carry additional named streams addressed as file.txt:streamname, to trigger a path traversal flaw that had not been seen before. WinRAR's path sanitization covered the file path of an archive entry but not the ADS name attached to it, so an attacker could craft an entry whose stream name climbs out of the chosen extraction directory with ..\ sequences. The attackers used this to drop a malicious executable or DLL and a shortcut that launches it into user-writable locations such as the Startup folder, which Windows processes at the next login; no elevated privileges are needed, only a user who extracts the archive. Only the Windows builds of WinRAR, RAR and UnRAR are affected, because ADS do not exist on the Unix and Android versions.

One of the groups is RomCom (also tracked as Storm-0978), a Russia-aligned actor that mixes financially motivated crime with espionage and is known for well-resourced operations. This is not the first zero-day in its toolkit: in 2024 it chained previously unknown flaws in Firefox and Windows, which underlines its willingness to acquire and burn exploits for targeted attacks. The WinRAR flaw has been cataloged as CVE-2025-8088.

RomCom is not alone. A second group, tracked as Paper Werewolf or GOFFEE, has been exploiting the same flaw. It has also been abusing an earlier high-severity WinRAR path traversal, CVE-2025-6218, which was fixed in WinRAR 7.12 only weeks before 7.13 closed CVE-2025-8088. WinRAR has no automatic update mechanism, so users and administrators must install 7.13 or later themselves; any earlier Windows build remains exploitable by a single crafted archive, and an inventory of installed WinRAR versions is the first check worth running.
