If you use WinRAR on Windows, this alert is for you. In July 2025, security researchers discovered a severe zero-day vulnerability in WinRAR that was already being exploited by two attacker groups. The exploit let attackers plant persistent backdoors simply by getting a victim to extract a malicious RAR file. In this post we break down what happened, how the attacks worked, who was behind them, and, most importantly, what you should do to stay safe.
What Went Wrong — A Zero-Day in WinRAR
- On July 18, 2025, researchers at the security firm ESET spotted suspicious behavior: files extracted from a RAR archive were landing in directories outside the folder the user had chosen.
- Further investigation revealed a previously unknown vulnerability in WinRAR, now tracked as CVE-2025-8088, that was being exploited in the wild.
- The flaw is a path-traversal bug in how WinRAR handled NTFS Alternate Data Streams (ADS) on Windows. A crafted archive could place executables or shortcut files outside the user's chosen extraction folder, including the Windows Startup folder, whose contents run automatically at the next logon.
How the Exploit Worked — From Archive to Backdoor
The mechanics are simple, which is exactly what made this vulnerability so dangerous:
- Attackers crafted RAR archives that, alongside a seemingly harmless document (a "CV" or "job application"), carried hidden ADS entries whose stream names contained path-traversal sequences. When the archive was extracted with WinRAR 7.12 or earlier, those entries were written to locations outside the chosen folder, such as %TEMP%, %LOCALAPPDATA%, or the user's Startup folder.
- The payloads were DLLs, executables, or Windows shortcut files (.LNK). A shortcut dropped into the Startup folder launches the dropped payload at the next logon; other components ran when a specific legitimate application (such as a browser) started, so the user rarely noticed anything unusual.
- The attackers used this foothold to install known backdoors, including a SnipBot variant, RustyClaw, and a Mythic agent.
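To make the security-relevant point concrete, here is an added Python example, written for this post and not taken from WinRAR's source code, of the destination-confinement check an archive extractor needs before it writes anything to disk. It validates both the entry name and any ADS stream name attached to the entry, which is where the traversal sequences in this campaign were carried. The destination path, file names and archive entries are constructed for illustration and do not come from a real archive.

```python
"""
Added example, not WinRAR's code: a destination-confinement check of the
kind an archive extractor needs before it writes anything to disk. It
covers both the entry name and any NTFS alternate data stream (ADS) name
attached to the entry.

Rules enforced:
  1. the entry name must be relative, contain no drive letter, UNC prefix
     or ':' stream syntax, and must normalise to a path inside DEST;
  2. an ADS name must be a bare stream name (no '\\', '/' or ':' and not
     '.' or '..'), because a stream can only live on the file it belongs to.

Not covered here: links or junctions created earlier in the same archive,
which a real extractor must also refuse to follow.
Paths, file names and entries below are constructed for illustration.
"""
import ntpath
from typing import NamedTuple, Optional

# Constructed destination the user chose in the extraction dialog.
DEST = r"C:\Users\victim\Downloads\extracted"

# Constructed (entry_name, ads_stream_name) pairs resembling the archives
# described in the text: a decoy document plus ADS entries whose stream
# names try to walk up into %LOCALAPPDATA%\Temp and the Startup folder.
SAMPLE_ENTRIES = [
    ("Resume.pdf", None),
    ("Resume.pdf", r"..\..\AppData\Local\Temp\helper.dll"),
    ("Resume.pdf", r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    ("notes.txt", "Zone.Identifier"),          # a legitimate ADS name
    (r"..\..\evil.exe", None),                 # classic traversal in the name
    (r"Resume.pdf:..\..\evil.lnk", None),      # stream syntax smuggled into the name
    ("sub/dir/file.txt", None),                # RAR may use '/' separators
]


class Verdict(NamedTuple):
    allowed: bool
    target: Optional[str]   # full path the extractor may write, if allowed
    reason: str


def _inside(dest: str, candidate: str) -> bool:
    """True if candidate equals dest or lies strictly below it (case-insensitive)."""
    dest_n = ntpath.normcase(ntpath.normpath(dest)).rstrip("\\")
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    return cand_n == dest_n or cand_n.startswith(dest_n + "\\")


def check_entry(dest: str, name: str, stream: Optional[str] = None) -> Verdict:
    """Decide whether one archive entry (and its optional ADS) may be written."""
    rel = name.replace("/", "\\")
    if not rel:
        return Verdict(False, None, "empty entry name")
    if ntpath.splitdrive(rel)[0] or rel.startswith("\\"):
        return Verdict(False, None, "absolute, drive-qualified or UNC entry name")
    if ":" in rel:
        return Verdict(False, None, "stream syntax embedded in entry name")
    target = ntpath.normpath(ntpath.join(dest, rel))
    if not _inside(dest, target):
        return Verdict(False, None, "entry name escapes destination (traversal)")
    if stream is not None:
        if stream in ("", ".", "..") or any(c in stream for c in "\\/:"):
            return Verdict(False, None, "ADS name contains path separators or traversal")
        target = f"{target}:{stream}"
    return Verdict(True, target, "ok")


def triage(dest: str, entries):
    """Run check_entry over every entry; returns a list of Verdicts in order."""
    return [check_entry(dest, name, stream) for name, stream in entries]


if __name__ == "__main__":
    for (name, stream), verdict in zip(SAMPLE_ENTRIES, triage(DEST, SAMPLE_ENTRIES)):
        shown = name if stream is None else f"{name}:{stream}"
        status = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{status}  {shown}\n       -> {verdict.target or verdict.reason}")
```

The check normalises the joined path and then compares it against the destination with a trailing separator, so a sibling directory whose name merely starts with the destination's name (for example `extracted2`) is not mistaken for being inside it. Stream names are held to a stricter rule than file names: a valid NTFS stream name never contains a separator, so anything that looks like a path in that position is rejected outright rather than normalised.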
Because WinRAR has no automatic update mechanism, many users remained vulnerable long after the fix shipped, simply because they never upgraded by hand.
Who Exploited It — Two Russia-Linked Groups
At least two distinct Russia-linked groups were found exploiting CVE-2025-8088:
- RomCom: According to ESET, RomCom began exploiting the vulnerability around July 18, 2025, days before a fix existed. Its spear-phishing emails disguised the malicious archives as job applications or resumes and targeted companies in finance, manufacturing, defense, and logistics across Europe and Canada.
- Paper Werewolf (also known as GOFFEE): Identified independently by the Russian cybersecurity firm BI.ZONE, this group used the same vulnerability (and in some cases the earlier WinRAR flaw CVE-2025-6218) against Russian organizations, again via phishing emails carrying booby-trapped RAR attachments.
It remains unclear whether the two groups shared exploit code or obtained it independently, possibly through underground markets.
A Pattern of Exploits — Not the First Time for WinRAR
This is not WinRAR's first security misadventure:
- In June 2025, just weeks before CVE-2025-8088 was exploited, another path-traversal vulnerability in WinRAR (CVE-2025-6218) was patched in version 7.12. That flaw also let a malicious archive write files outside the intended extraction directory.
- WinRAR has been hit by similar extraction bugs before, so its popularity and long track record are no reason to treat it as inherently safe.
The core problem: WinRAR's enormous install base combined with the lack of an auto-update mechanism is a perfect recipe for exploitation. Many users never patch, so they stay vulnerable long after a fix is released.
What You Should Do Right Now — Security Measures
If you use WinRAR on Windows, take these steps now:
- Upgrade to the latest version. The fix shipped in WinRAR 7.13 on July 30, 2025. WinRAR does not update itself, so you must download and install the new version manually. The Windows command-line RAR and UnRAR tools and UnRAR.dll were affected as well and need updating; the Unix and Android versions were not affected.
- Be cautious with unsolicited archives. Do not open RAR attachments from unknown or untrusted senders, and be especially wary of attachments presented as resumes, job applications, or business documents.
- Consider alternative archive tools. Where possible, use an archiver that updates itself, and avoid extracting archives straight from an email client.
- Keep real-time malware protection on and practice basic hygiene. Keep antivirus/antimalware software active, and periodically check the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), %TEMP%, and %LOCALAPPDATA% for shortcuts, DLLs, or executables you do not recognize, since that is where this campaign dropped its payloads.
- For organizations: deploy the patch across every endpoint immediately. Given the active exploitation and the severity (path traversal leading to code execution), delaying the rollout invites a serious incident.
Conclusion
The exploitation of CVE-2025-8088 shows how an everyday utility we think of as mundane can become a powerful weapon when a zero-day is involved. Two distinct groups, RomCom and Paper Werewolf, used this flaw to silently install backdoors on targeted systems, needing nothing more than a crafted RAR archive and an unsuspecting user.
If you still rely on WinRAR, update now, stay alert, and reassess how you handle archive files, especially those from unknown sources.
As HackersKing, your trusted source for the latest in tech and business news — we urge you: stay vigilant, stay updated, and stay secure. The smallest click can open a door — make sure it isn’t one for hackers.