WinRAR Exploit Leveraged by Two Cybercrime Groups in Global Attacks
A WinRAR vulnerability exploited by two different groups has recently come to light, forcing the developers of the popular file compression tool to release a crucial update. On July 30, 2025, WinRAR issued version 7.13 Final to patch a critical flaw identified as CVE-2025-8088. The vulnerability is a path traversal flaw in the Windows version of the software: a crafted archive can write files to attacker-chosen locations outside the extraction folder, which leads to arbitrary code execution once a dropped file is placed somewhere Windows runs it automatically, such as a user's Startup folder. Two distinct cybercriminal groups took advantage of this security hole in separate malware campaigns, targeting organizations across multiple regions.
A critical flaw in WinRAR, one of the world’s most widely used file compression tools, has been actively exploited in recent cyberattacks by at least two separate threat groups, researchers have confirmed.
The bug, identified as CVE-2025-8088, is a path traversal vulnerability affecting WinRAR on Windows. By tricking users into opening specially crafted archive files, attackers can place files outside of the intended extraction folder. The archive's entry names, not the user, decide where the files land, which gives attackers a way to execute arbitrary code on the victim's system. (Source: Malwarebytes Blog.)
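To make the flaw class concrete, the following is an added example (not WinRAR's code, and it does not parse the RAR format) that simulates an archive as a constructed list of entry names and payloads, then extracts it twice: once with a naive extractor that trusts entry names, and once with a hardened extractor that resolves each entry against the destination and refuses anything that escapes it. The extraction folder is nested inside a throwaway temp directory so the naive version's escape stays harmless; the entry names (a Startup-folder traversal in both separator styles and an absolute path) are constructed for the demo.

```python
"""Path-containment check for archive extraction (added example, not WinRAR code).

The archive is simulated as a list of (entry_name, payload) pairs, so nothing
here parses the RAR format; the point is the check an extractor must apply to
every entry name before it touches the filesystem.
"""
import os
import tempfile

# Constructed sample entries: one benign, then traversal attempts in both
# separator styles (Windows accepts either) and one absolute path.
SAMPLE_ENTRIES = [
    ("report/summary.txt", b"benign content"),
    ("..\\..\\Startup\\update.lnk", b"payload"),
    ("../../Startup/update.lnk", b"payload"),
    ("C:\\Windows\\Temp\\helper.dll", b"payload"),
]


def make_dest():
    """Create a fresh, nested extraction folder so that '..' escapes stay inside
    a throwaway temp tree instead of reaching a real Startup folder."""
    root = tempfile.mkdtemp(prefix="extract-demo-")
    dest = os.path.join(root, "a", "b", "out")
    os.makedirs(dest)
    return dest


def _components(entry_name):
    # Normalise to forward slashes and drop empty segments ("a//b", trailing "/").
    return [c for c in entry_name.replace("\\", "/").split("/") if c]


def safe_target(dest, entry_name):
    """Return the absolute path this entry may be written to, or None if it
    would land outside dest. Absolute, drive-letter and UNC names are rejected
    outright; the joined path is then fully resolved ('..' and symlinks) and
    dest must be its prefix as a whole path component, not just as a string."""
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    dest_real = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(dest_real, *_components(name)))
    if candidate == dest_real:  # empty or "." entry: nothing sensible to write
        return None
    try:
        inside = os.path.commonpath([dest_real, candidate]) == dest_real
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


def extract_naive(entries, dest):
    """Vulnerable version: trusts the entry name, so '..' segments walk out of dest."""
    written = []
    for name, data in entries:
        path = os.path.join(dest, *_components(name))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(path))
    return written


def extract_safe(entries, dest):
    """Hardened version: every entry is checked before any write happens."""
    written, rejected = [], []
    for name, data in entries:
        target = safe_target(dest, name)
        if target is None:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(target)
    return written, rejected


def escaped_paths(written, dest):
    """Paths in `written` that ended up outside dest."""
    dest_real = os.path.realpath(dest)
    return [p for p in written if os.path.commonpath([dest_real, p]) != dest_real]


def naive_demo():
    dest = make_dest()
    # The absolute entry is left out: the naive extractor really would write it.
    return escaped_paths(extract_naive(SAMPLE_ENTRIES[:3], dest), dest)


def safe_demo():
    dest = make_dest()
    written, rejected = extract_safe(SAMPLE_ENTRIES, dest)
    return len(written), rejected


if __name__ == "__main__":
    print("naive extractor escaped to:", naive_demo())
    print("safe extractor wrote/rejected:", safe_demo())
```

Running it shows the naive extractor placing update.lnk two directories above the extraction folder, while the hardened one writes only summary.txt and reports the other three names as rejected. The important design point is that the check runs on the fully resolved path, after normalising both separator styles, rather than on a string search for "..": a name such as Startup/../../escape.txt contains no leading ".." yet still escapes. Python's own zipfile module strips such components during extractall, and tarfile offers the same protection through its extraction filters; a home-grown extractor has to do it itself.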
Two Campaigns, Two Different Targets
The first wave of attacks has been attributed to RomCom, a Russia-aligned threat group. Between July 18 and July 21, RomCom distributed booby-trapped archives via phishing emails disguised as job applications. When a recipient extracted one of these archives, the traversal flaw let it drop malware into the user's Startup folder, where Windows runs it at the next logon, and into other Windows directories. Targets included financial, defense, manufacturing, and logistics organizations in Europe and Canada.
Meanwhile, a second group—known as Paper Werewolf—deployed the same vulnerability in July against Russian entities. Researchers observed phishing campaigns where attackers masqueraded as employees of a research institute, sending fraudulent letters allegedly from a government ministry.
At the time of these intrusions, the flaw was still a zero-day, meaning no official fix was available.
Patch Released, But Risk Remains
On July 30, 2025, WinRAR released version 7.13 Final, which addresses the vulnerability. Now that the flaw is public, however, security experts warn that other cybercriminals are likely to incorporate the exploit into new malware campaigns, for example by embedding booby-trapped archives in fake software downloads, so the risk does not end with the patch.
How to Stay Protected
Users are strongly urged to update immediately to the latest version of WinRAR. To check your version, open the program and navigate to Help > About WinRAR. Note that WinRAR does not update itself: anything older than 7.13 has to be replaced by downloading and installing the new version manually, on every machine where it is installed.
In addition, following standard security practices can significantly reduce risk:
- Keep all software and operating systems updated.
- Use reputable, real-time anti-malware with web protection.
- Download programs only from trusted vendor sites.
- Treat unexpected email attachments with caution—verify their authenticity before opening.
- Avoid interacting with files from unknown or suspicious sources.
As cybercriminals continue to weaponize popular tools, staying proactive with updates and cautious online behavior remains the best defense.
