Behind the WinRAR Breach: How Two Cyber-Crime Groups Used a Hidden 0-Day

What Happened
A serious zero-day vulnerability in WinRAR, the file compression tool millions rely on, was quietly exploited for weeks by two cyber-threat groups. They slipped malicious payloads inside seemingly innocent RAR files, gaining footholds on unsuspecting systems the moment users extracted them.
Who’s Behind It
The first group, RomCom, also known as Storm-0978, Tropical Scorpius or UNC2596, is a Russia-aligned cyber-espionage outfit. ESET issued a warning that RomCom used this WinRAR flaw starting July 18, 2025, targeting sectors like finance, defense, manufacturing and logistics across Europe and Canada.
A few days later, another actor, Paper Werewolf, also known as Goffee, began exploiting the same vulnerability, reportedly targeting organizations in Russia. BI.ZONE, a cybersecurity firm, noted the vulnerability may have been bought on the dark web for about $80,000.
How It Worked
The flaw, tracked as CVE-2025-8088, is a path-traversal vulnerability involving alternate data streams (ADSes). Attackers hid malicious DLLs and shortcut (LNK) files inside ADSes of a RAR archive. When victims extracted the archive, the malware was quietly written to locations such as the Windows Startup folder or the temp directory, so it persisted without any further action from the user.
The archives looked harmless, such as a resume or CV attached to a job application email, but beneath that disguise, the ADSes carried the sneaky payload out of sight.
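As an added illustration (not code from ESET, BI.ZONE or WinRAR), the check below encodes the rule a safe extractor should enforce and a scanner can apply to an archive listing: every entry name, including the stream name of any alternate-data-stream entry, must resolve inside the extraction directory. The extraction root and the entry names are constructed for this example.

```python
import ntpath

# Extraction directory and archive entry names are constructed for this
# example; the names mimic the shapes a scanner should refuse or flag.
ROOT = "C:\\extract"
SAMPLE_ENTRIES = [
    "Resume_2025.pdf",                                 # plain file, stays inside ROOT
    "Resume_2025.pdf:Zone.Identifier",                 # ADS that stays inside ROOT
    "Resume_2025.pdf:..\\..\\..\\Startup\\helper.lnk",  # ADS whose stream name climbs out
    "docs/../../Temp/loader.dll",                      # traversal using forward slashes
    "C:\\Windows\\Temp\\x.dll",                         # absolute path
]

def split_ads(entry):
    """Split 'file:stream' into (file, stream); a ':' at index 1 is a drive letter."""
    idx = entry.rfind(":")
    if idx > 1:
        return entry[:idx], entry[idx + 1:]
    return entry, None

def escapes_root(root, name):
    """True if writing `name` relative to `root` could land outside `root`."""
    if name.startswith(("\\", "/")) or ntpath.splitdrive(name)[0]:
        return True                       # rooted, drive-qualified or UNC path
    root = ntpath.normcase(ntpath.normpath(root))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    return target != root and not target.startswith(root + "\\")

def classify_entries(root, entries):
    """Return [(entry, reasons)] for every entry a safe extractor should refuse or flag."""
    findings = []
    for entry in entries:
        base, stream = split_ads(entry)
        reasons = []
        if escapes_root(root, base):
            reasons.append("path escapes extraction directory")
        if stream is not None:
            reasons.append("alternate data stream")   # rare in real archives, worth a look
            if escapes_root(root, stream):
                reasons.append("stream name escapes extraction directory")
        if reasons:
            findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in classify_entries(ROOT, SAMPLE_ENTRIES):
        print(f"{entry!r}: {', '.join(reasons)}")
```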
What RomCom Dropped
ESET found that the dropped payloads included backdoors such as a Mythic agent, a SnipBot variant, and RustyClaw. These tools were crafted to give the threat actors long-term access and control, even though no confirmed breaches were reported among the targets.
Patch and Precautions
WinRAR's developers rushed out a fix: version 7.13, released in late July or early August 2025. Anyone still on version 7.12 or earlier remains at risk.
ESET and BI.ZONE both stress the importance of updating immediately and reviewing antivirus logs for the threat indicators they published.
Why This Matters
Here’s the crunch: a tool people trust, WinRAR, was turned into a weapon with just a simple extract action. One misclick, and malware could slip in through your temp folder or startup sequence without a second glance.
The fact that two separate groups were using the same exploit within days shows how quickly such a vulnerability can become widespread.
Wrap-Up
RomCom and Paper Werewolf turned WinRAR from a basic utility into a backdoor delivery tool. The vulnerability was subtle, effective, and dangerous. Update to WinRAR 7.13 if you have not done so already. And be wary of unsolicited attachments, even if they appear harmless. Stay alert.