DIGITAL LIFE
WinRAR, Which You Totally Paid For, Was Under Siege By Zero-Day Attacks
Everyone's favorite file archiving utility isn't often in the news, but today is an exception. The WinRAR archiving utility has been the target of a couple of large-scale attacks that leverage a 0-day vulnerability.
The news was posted by security firm ESET, which states that the attacks took place between the 18th and 21st of July and mainly targeted high-level businesses in Europe and Canada. Given that WinRAR's install base is estimated to be around 500 million, we'd wager there were more than a few successful attempts. The vulnerabilities have been patched in WinRAR 7.13, but a large number of installs remain vulnerable.
The attack was perpetrated by a Russia-aligned group that ESET calls RomCom. The group is known for previous large-scale exploitation of multiple pieces of software, including Microsoft Word, Firefox, and Thunderbird. This time around, RomCom made use of a zero-day vulnerability in WinRAR's path handling, which has since been published as CVE-2025-8088.
The attacks are delivered by phishing and spear-phishing e-mails, with messages impersonating various people, sometimes personalized, in a bid to lure potential victims. Given the nature of the vulnerability, all the victim has to do is extract a poisoned archive attached to an e-mail, and malicious backdoors are installed on their machine. From that point, remote attackers have mostly free rein over the machine, and can collect data for ransom or use the machine for further intrusion.
ESET contacted WinRAR's devs on July 24th to alert them to the problem, after having spotted odd behavior on one machine. The root cause is that WinRAR didn't correctly handle relative paths like "..\", letting an attacker drop executable code into the TEMP and LOCAL\APPDATA folders, which an extraction should normally never reach. From there, a malicious DLL uses COM hijacking to get Edge to load it, the backdoor is installed, and a command-and-control (C&C) server at srlaptop[.]com is contacted.
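As an added illustration (not code from the article, ESET or WinRAR), the following Python checks archive entry names before anything is written to disk and rejects the kind of "..\" traversal described above; the function names and the sample entries are constructed for this example.

```python
import re
from dataclasses import dataclass

# Added example, not code from the article, ESET or WinRAR: a pre-extraction
# check for archive entry names. An extractor that trusts stored names lets
# "..\" components escape the chosen output directory, the bug class described
# above.

_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # "C:" at the start of a name

@dataclass(frozen=True)
class EntryVerdict:
    name: str
    safe: bool
    reason: str

def check_entry_name(name: str) -> EntryVerdict:
    """Decide whether an entry may be written under the output directory."""
    # Backslash and slash are unified: a Windows extractor honours both.
    if "\x00" in name:
        return EntryVerdict(name, False, "embedded NUL byte")
    unified = name.replace("\\", "/")
    if unified.startswith("/"):
        return EntryVerdict(name, False, "absolute or UNC path")
    if _DRIVE_RE.match(unified):
        return EntryVerdict(name, False, "drive-letter path")
    # Walk the components and track depth; going negative means the name
    # climbed above the extraction directory at some point.
    depth = 0
    for part in unified.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return EntryVerdict(name, False, "parent-directory traversal")
        else:
            depth += 1
    return EntryVerdict(name, True, "ok")

def triage_archive_listing(names: list[str]) -> list[EntryVerdict]:
    """Return the verdicts for every entry that should block extraction."""
    return [v for v in map(check_entry_name, names) if not v.safe]

if __name__ == "__main__":
    # Constructed sample listing, not from any real archive.
    sample = ["report.pdf", "docs/../final.docx", "..\\..\\AppData\\Local\\Temp\\x.dll"]
    for v in triage_archive_listing(sample):
        print(f"BLOCK {v.name!r}: {v.reason}")
```

Note that "docs/../final.docx" is allowed: it never climbs above the extraction directory, so only names whose running depth goes negative are flagged.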
Ars Technica notes that security firm Bi.ZONE claims the group it calls Paper Werewolf was also exploiting this vulnerability, along with CVE-2025-6218. The site speculates that the two-pronged attack could mean the vulnerability was for sale on a black market and was bought by both groups. Perhaps the worst bit of this news is the fact that WinRAR doesn't have a built-in update mechanism, meaning that users need to somehow be made aware of the issue and then manually download and install the latest version. If you use or know anyone who uses WinRAR, let them know about this ASAP. And by the way, I paid for my copy of WinRAR many years ago.
https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
mundophone