A dangerous zero-day vulnerability in WinRAR has been actively exploited by Russian cybercriminals to distribute malware through sophisticated phishing campaigns. The security flaw, tracked as CVE-2025-8088, affects all WinRAR versions prior to 7.13 and allows attackers to execute malicious code when users extract seemingly harmless archive files.
How the WinRAR Zero-Day Attack Works
The vulnerability exploits a directory traversal weakness in WinRAR’s file extraction process. When users extract files from a specially crafted archive, the malware can bypass normal security restrictions and install itself in critical system directories.
Specifically, attackers can force malicious executables to be extracted into Windows autorun folders, including:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user-specific)
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)
Once placed in these locations, the malware automatically executes the next time the victim logs into their computer, giving hackers complete remote access to the compromised system.
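The traversal described above can be triaged before extraction by resolving each archive entry name against the intended output folder and flagging any that escape it, particularly into a Startup folder. This is an added illustration, not code from the article or from ESET; it assumes the entry names come from an archive listing (for example a RAR listing tool), and the extraction root and entry names below are constructed samples.

```python
import ntpath

# Constructed sample: where the user extracts to, and the entry names
# an archive listing reports (not taken from a real malicious sample).
EXTRACT_ROOT = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "docs/readme.txt",
    r"..\notes.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
]

# Both the per-user and the system-wide Startup folders end with this suffix
# (case differs: "Startup" vs "StartUp"), so compare case-insensitively.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


def resolved_target(entry: str, extract_root: str) -> str:
    """Return where `entry` would land under `extract_root` if an extractor
    honoured the name verbatim (Windows path rules via ntpath, so this runs
    on any OS). Forward slashes and '..' segments are normalised away."""
    return ntpath.normpath(ntpath.join(extract_root, entry))


def escapes_root(target: str, extract_root: str) -> bool:
    """True if the resolved path is outside the extraction folder."""
    root = ntpath.normpath(extract_root).rstrip("\\") + "\\"
    return not target.lower().startswith(root.lower())


def lands_in_startup(target: str) -> bool:
    """True if the resolved path sits directly in a Windows Startup folder."""
    return ntpath.dirname(target).lower().endswith(STARTUP_SUFFIX)


def classify(entry: str, extract_root: str) -> str:
    """Verdict for one entry: 'ok', 'traversal', or 'traversal-to-startup'."""
    target = resolved_target(entry, extract_root)
    if not escapes_root(target, extract_root):
        return "ok"
    if lands_in_startup(target):
        return "traversal-to-startup"
    return "traversal"


def audit_listing(entries, extract_root):
    """Classify every entry; anything other than 'ok' should block extraction."""
    return [(entry, classify(entry, extract_root)) for entry in entries]


if __name__ == "__main__":
    for entry, verdict in audit_listing(SAMPLE_ENTRIES, EXTRACT_ROOT):
        print(f"{verdict:22} {entry}")
```

A patched WinRAR (7.13 or later) refuses such names itself; the check is useful for mail gateways or sandboxes that inspect archives before a user ever extracts them.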
RomCom Hackers Behind the Attacks
Security researchers from ESET have identified the Russian hacking group RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) as the primary threat actor exploiting this vulnerability. The group has been sending targeted spear-phishing emails containing malicious RAR archives that exploit CVE-2025-8088.
RomCom is a sophisticated cybercriminal organization with connections to several major ransomware operations, including Cuba and Industrial Spy. The group has a history of weaponizing zero-day vulnerabilities and developing custom malware for data theft, credential harvesting, and maintaining persistent access to compromised networks.
Attack Campaign Details
The current attack campaign involves carefully crafted phishing emails designed to trick recipients into downloading and extracting malicious archive files. Once the victim opens the archive with an unpatched version of WinRAR, the RomCom backdoor is automatically installed without any visible indication to the user.
Immediate Action Required: Update WinRAR Now
Critical Warning: WinRAR does not include automatic updates, meaning millions of users worldwide may be running vulnerable versions without realizing it.
To protect your system immediately:
- Visit the official WinRAR website
- Download WinRAR version 7.13 or later
- Uninstall your current version completely
- Install the updated version with the security patch
- Verify the installation shows version 7.13 or higher
Which Systems Are Affected?
The vulnerability impacts multiple WinRAR components on Windows systems:
- WinRAR (all versions before 7.13)
- Windows versions of the RAR command-line tool
- UnRAR extraction utility
- Portable UnRAR source code
- UnRAR.dll library
Good news: Unix/Linux versions of RAR and UnRAR, as well as RAR for Android, are not affected by this security flaw.
Signs Your System May Be Compromised
If you’ve recently extracted RAR files and notice any of these warning signs, your system may be infected:
- Unusual network activity or slow internet performance
- New programs running at startup
- Unexpected files in your Startup folders
- Antivirus alerts about suspicious behavior
- System performance degradation
Additional Security Recommendations
Beyond updating WinRAR, consider these security best practices:
- Email vigilance: Be extremely cautious with email attachments, especially archives from unknown senders
- Antivirus protection: Ensure real-time scanning is enabled and definitions are current
- System monitoring: Regularly check your Startup folders for unauthorized programs
- Backup strategy: Maintain offline backups to protect against ransomware
- Alternative tools: Consider using other archive managers like 7-Zip as alternatives
Industry Response and Timeline
The vulnerability was discovered by security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. WinRAR quickly released version 7.13 to address the security flaw once notified by the research team.
According to ESET’s Peter Strýček, the company is preparing a detailed technical report about the exploitation methods used by RomCom, which will be published to help the cybersecurity community better understand and defend against these attacks.
Why This Attack Is Particularly Dangerous
This WinRAR zero-day represents a significant security threat for several reasons:
- Widespread software: WinRAR has hundreds of millions of users worldwide
- No auto-updates: Users must manually update, leaving many vulnerable
- Social engineering: Archive files appear harmless and bypass many security filters
- Persistence mechanism: Malware survives system reboots and remains hidden
- Nation-state actors: Russian government-linked hackers are actively exploiting it
Conclusion
The active exploitation of CVE-2025-8088 by RomCom hackers represents a clear and present danger to organizations and individual users worldwide. With no automatic update mechanism in WinRAR, manual intervention is essential to protect against this sophisticated attack vector.
Don’t delay – update your WinRAR installation immediately and remain vigilant about suspicious email attachments. The cybersecurity landscape continues to evolve, and staying informed about the latest threats is crucial for maintaining robust digital security.
Stay safe, and remember: when it comes to cybersecurity, prevention is always better than recovery.