High-severity WinRAR 0-day exploited for weeks by 2 groups



A high-severity zero-day in the widely used WinRAR file compressor is under active exploitation by two Russian cybercrime groups. The attacks backdoor computers that open malicious archives attached to phishing messages, some of which are personalized to the recipient.

Security firm ESET said Monday that it first discovered the attacks on July 18, when its telemetry detected a file in an unusual directory path. By July 24, ESET had determined that the behavior was tied to the exploitation of a previously unknown vulnerability in WinRAR, a utility for compressing files with an installed base of about 500 million. ESET notified WinRAR's developers the same day, and a fix was released six days later.

Serious effort and resources

The exploit relied on Windows-specific behavior. It abused alternate data streams (ADS), an NTFS feature that allows different ways of representing the same file path. The exploit misused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths under %TEMP% and %LOCALAPPDATA%, locations Windows normally keeps off-limits because of their ability to execute code. The effect is that extracting the archive writes the payload somewhere other than the directory the user chose.
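The following is an added example, not code from ESET, WinRAR, or the article: a small checker for the pattern described above, in which a path traversal is smuggled inside the ADS portion of an archive entry name (`file.pdf:..\..\target.dll`) rather than in the file name itself, so a naive check of the base name alone misses it. The entry names in the sample are constructed, and the `classify_entry` and `split_ads` names are this example's own. Windows path rules are emulated with `ntpath` so the check runs on any host.

```python
"""Flag archive entry names that hide a path traversal in an NTFS
alternate data stream (ADS) name.

Added example, not ESET's or WinRAR's code. Sample entry names are
constructed to show the pattern discussed in the article."""
import ntpath
from typing import List, Tuple


def split_ads(entry_name: str) -> Tuple[str, str]:
    """Split 'file.pdf:stream' into ('file.pdf', 'stream').

    A ':' at index 1 belongs to a drive letter ('C:\\...'), not a stream.
    """
    start = 2 if len(entry_name) > 1 and entry_name[1] == ":" else 0
    idx = entry_name.find(":", start)
    if idx == -1:
        return entry_name, ""
    return entry_name[:idx], entry_name[idx + 1:]


def escapes(dest_dir: str, relative: str) -> bool:
    """True if joining `relative` onto `dest_dir` resolves outside it.

    ntpath.normpath collapses '..' components the way Windows does, and
    normcase folds case and '/' so the prefix comparison is reliable.
    """
    root = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, relative)))
    return not (target == root or target.startswith(root + "\\"))


def classify_entry(dest_dir: str, entry_name: str) -> str:
    """Return 'ok', 'ads', 'absolute', 'traversal' or 'ads-traversal'."""
    base, stream = split_ads(entry_name)
    if ntpath.isabs(base) or ntpath.splitdrive(base)[0]:
        return "absolute"          # entry names must be relative
    if escapes(dest_dir, base):
        return "traversal"         # classic '..\' in the file name
    if stream:
        # Legitimate ADS names (e.g. Zone.Identifier) never contain path
        # separators; a separator or '..' inside the stream is the
        # smuggled traversal an extractor must refuse to resolve.
        if "\\" in stream or "/" in stream or escapes(dest_dir, stream):
            return "ads-traversal"
        return "ads"
    return "ok"


def scan_entries(dest_dir: str, names: List[str]) -> List[Tuple[str, str]]:
    """Classify every entry; anything other than 'ok' deserves a look."""
    return [(name, classify_entry(dest_dir, name)) for name in names]


# Constructed sample entries (not taken from any real archive).
SAMPLE_DEST = "C:\\Users\\bob\\Downloads"
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "report.pdf:Zone.Identifier",
    "report.pdf:..\\..\\..\\AppData\\Local\\Temp\\update.dll",
    "..\\..\\update.dll",
    "C:\\Windows\\update.dll",
]

if __name__ == "__main__":
    for name, verdict in scan_entries(SAMPLE_DEST, SAMPLE_ENTRIES):
        print(f"{verdict:15} {name}")
```

The rule an extractor should enforce is the same one the checker applies: resolve the full write target, stream portion included, and refuse anything that does not land inside the chosen destination directory.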

ESET said it has determined that the attacks came from RomCom, its tracking designation for a financially motivated crime group operating out of Russia. The well-resourced group has been active for years in attacks that demonstrate its ability to acquire exploits and carry out relatively sophisticated tradecraft. The zero-day the group used is now being tracked as CVE-2025-8088.

“By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations,” ESET’s Anton Cherepanov, Peter Strýček, and Damien Schaeffer wrote. “This is at least the third time RomCom has used a zero-day vulnerability in the wild, underscoring its continued focus on acquiring and using exploits for targeted attacks.”

Unusually, RomCom wasn’t the only group exploiting CVE-2025-8088. According to Russian security firm Bi.ZONE, the same vulnerability was being actively exploited by a group it tracks as Paper Werewolf. Also tracked as GOFFEE, the group was additionally exploiting CVE-2025-6218, a separate high-severity WinRAR vulnerability that received a fix five weeks before CVE-2025-8088 was patched.
