Zero-Day in WinRAR Actively Weaponized by Multiple Threat Groups
Zero-Day in WinRAR Exploited by Multiple Threat Actors
CVE-2025-8088 Zero-Day Vulnerability Actively Weaponized
A newly discovered WinRAR zero-day vulnerability (CVE-2025-8088) has been actively exploited by advanced threat groups like RomCom and Paper Werewolf. The flaw affects RARLAB WinRAR for Windows, allowing attackers to perform path traversal via Alternate Data Streams (ADSes), enabling the placement of malicious DLLs, LNK shortcuts, and payloads in sensitive directories.
Who is Exploiting the WinRAR Zero-Day?
RomCom and Paper Werewolf Campaigns
RomCom targeted organizations across Europe and Canada through spear-phishing campaigns delivering Mythic C2 agents, SnipBot malware, and RustyClaw downloaders.
Paper Werewolf, which reportedly purchased the exploit for $80,000, launched attacks against Russian industries, chaining CVE-2025-8088 with CVE-2025-6218 for broader exploitation.
These attacks demonstrate how zero-day exploits are weaponized and sold within cybercriminal markets, spreading quickly across multiple threat actors.
Impacted Industries and Regions
Financial, Manufacturing, Defense, Logistics
The WinRAR zero-day attacks primarily target:
Financial services (banks, fintech, trading platforms)
Manufacturing companies (supply chain & industrial operations)
Defense contractors and military-affiliated entities
Logistics and transportation firms
Regions most affected include Europe, Canada, and Russia, marking this as a global cyber threat with potential supply-chain impact.
Technical Details of the Exploit
Path Traversal via Alternate Data Streams
The exploit abuses WinRAR’s UnRAR.dll to perform path traversal during extraction.
Malicious files extracted into Windows Startup folders ensure persistence.
Payload delivery chains used COM hijacking, registry key abuse, and obfuscated shellcode execution.
Archives were padded with dummy files and invalid paths to evade detection.
This makes CVE-2025-8088 a high-severity vulnerability with long-term risks if left unpatched.
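The four bullet points above describe what a weaponized archive looks like: an ADS whose stream name climbs out of the extraction directory, a destination in a Startup folder, and padding entries with dead paths. The following added example (not code from HivePro or from the WinRAR project) turns that description into a pre-extraction triage check over archive entry names. It assumes the names come from a listing tool that renders an alternate data stream as host:stream, and it treats the stream part as a relative path because that is the behaviour the vulnerability abuses; the sample listing is constructed and the names in it are illustrative, not indicators from the advisory.

```python
import re

# Directories where a file written via traversal yields persistence or DLL
# side-loading. Matched against the lower-cased, backslash-joined target
# directory, so the extraction root and user profile prefix do not matter.
SENSITIVE_DIRS = (
    r"microsoft\windows\start menu\programs\startup",   # per-user and all-users Startup
    r"appdata\roaming",
    r"appdata\local",
    r"windows\system32",
)

_SEP = re.compile(r"[\\/]+")


def _components(path):
    """Split a path on either separator, dropping empty and '.' components."""
    return [c for c in _SEP.split(path) if c not in ("", ".")]


def _resolve(components):
    """Collapse '..' components; also count how many '..' climbed above the root."""
    out, escapes = [], 0
    for c in components:
        if c == "..":
            if out:
                out.pop()
            else:
                escapes += 1
        else:
            out.append(c)
    return out, escapes


def analyse_entry(entry_name):
    """Classify one archive entry name as it appears in a listing (host:stream for ADS).

    Assumption: a stream name is honoured as a path relative to the host file's
    directory, which is the bug the page describes. Returns a dict with the ADS
    and traversal flags, the resolved target directory and a risk label."""
    start = 2 if len(entry_name) > 1 and entry_name[1] == ":" else 0  # skip a drive-letter colon
    colon = entry_name.find(":", start)
    ads = colon != -1
    if ads:
        host, stream = entry_name[:colon], entry_name[colon + 1:]
        raw = _components(host)[:-1] + _components(stream)
    else:
        raw = _components(entry_name)
    traversal = ".." in raw
    resolved, escapes = _resolve(raw)
    target_dir = "\\".join(resolved[:-1]).lower()
    sensitive = any(d in target_dir for d in SENSITIVE_DIRS)
    if traversal and sensitive:
        risk = "high"      # data would land in an autostart or side-load location
    elif traversal:
        risk = "medium"    # leaves the extraction directory; destination not recognised
    else:
        risk = "low"       # ordinary entry, including harmless ADS such as Zone.Identifier
    return {"entry": entry_name, "ads": ads, "traversal": traversal,
            "escapes_root": escapes, "target_dir": target_dir,
            "sensitive": sensitive, "risk": risk}


def scan_entries(entry_names):
    """Return ([(entry, risk), ...], worst risk) for a whole listing."""
    results = [analyse_entry(n) for n in entry_names]
    order = {"low": 0, "medium": 1, "high": 2}
    worst = max((r["risk"] for r in results), key=order.__getitem__, default="low")
    return [(r["entry"], r["risk"]) for r in results], worst


# Constructed sample listing modelled on the fake-CV lure described on the page.
# Entry names are illustrative only, not indicators from the advisory.
SAMPLE_ENTRIES = [
    "CV_Jane_Doe.pdf",                                   # decoy document
    "CV_Jane_Doe.pdf:Zone.Identifier",                   # benign ADS, no traversal
    r"CV_Jane_Doe.pdf:..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"..\..\..\Users\Public\msedge.dll",                # plain traversal, no ADS
    r"CV_Jane_Doe.pdf:..\..\..\does\not\exist\pad.bin",  # padding entry with an invalid path
]

if __name__ == "__main__":
    per_entry, worst = scan_entries(SAMPLE_ENTRIES)
    for entry, risk in per_entry:
        print(f"{risk:6s} {entry}")
    print("archive verdict:", worst)
```

The padding entry scores only medium because its destination is not a known persistence location; the point is that a single high-risk entry is enough to quarantine the archive, and that the dummy entries attackers add to evade detection do not dilute that verdict.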
Mitigation and Security Recommendations
How to Defend Against CVE-2025-8088
Update WinRAR immediately to version 7.13 or later, which patches the flaw.
Avoid opening suspicious RAR/ZIP archives, even if they appear legitimate.
Monitor Windows Startup items for unfamiliar executables or DLLs.
Use advanced endpoint protection capable of detecting DLL hijacking and LNK exploitation.
Implement regular vulnerability management and maintain software patch inventories.
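Two of the recommendations above are mechanical enough to script: checking that the installed WinRAR is 7.13 or later, and watching the Startup folders for files that were not there before. The added example below (not HivePro's or WinRAR's code) does both: a version comparison against the patched release named on the page, and a hash baseline of a folder that is diffed after new files appear. The demo runs against a temporary directory standing in for a Startup folder; the files it drops there are constructed placeholders, not real payloads.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PATCHED_VERSION = (7, 13)          # WinRAR 7.13 or later closes the flaw, per the advisory
WATCHED_EXTENSIONS = {".exe", ".dll", ".lnk", ".scr", ".bat", ".vbs", ".js"}


def parse_version(text):
    """'7.13' -> (7, 13); '7.12 beta 2' -> (7, 12); unparseable -> None."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_patched(version_text):
    """True when the reported WinRAR version is at or above the patched release."""
    v = parse_version(version_text)
    return v is not None and v >= PATCHED_VERSION


def snapshot(folder):
    """Map relative path -> SHA-256 for every file under folder."""
    folder = Path(folder)
    result = {}
    for p in folder.rglob("*"):
        if p.is_file():
            result[p.relative_to(folder).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Files added, removed or modified between two snapshots of the same folder."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def suspicious(diff):
    """Added or changed files with an executable or shortcut extension."""
    return [p for p in diff["added"] + diff["changed"]
            if Path(p).suffix.lower() in WATCHED_EXTENSIONS]


def demo():
    """Constructed scenario: a temp dir stands in for a Startup folder."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)
        (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")   # normal content
        baseline = snapshot(startup)
        # Simulate the post-extraction state the page describes; both files are
        # placeholders created here, not real artifacts.
        (startup / "Updater.lnk").write_bytes(b"L\x00\x00\x00")
        (startup / "ApbxHelper.exe").write_bytes(b"MZ placeholder")
        diff = diff_snapshots(baseline, snapshot(startup))
        return diff, suspicious(diff)


if __name__ == "__main__":
    for v in ("7.12", "7.13", "7.20"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    diff, flagged = demo()
    print("diff:", diff)
    print("flagged:", flagged)
```

On a real host, take the baseline of `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp` once, persist it as JSON, and re-run the diff on a schedule; the version string can be read from the WinRAR installation by whatever inventory tool is already in use.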
MITRE ATT&CK Mapping
Key Techniques Used in Exploitation
Phishing & Spear-Phishing Attachments (T1566.001)
User Execution via Malicious Files (T1204.002)
Registry Run Keys / Startup Folder Persistence (T1547.001)
Component Object Model (COM) Hijacking (T1546.015)
Obfuscation, Encryption & Masquerading (T1027, T1036.001)
Credential Theft from Web Browsers (T1555.003)
C2 Communication over Web Protocols (T1071.001)
This mapping underscores the sophistication of the exploit chains used by attackers.
Indicators of Compromise (IOCs)
Files, Domains, and IPs Linked to the Attacks
Suspicious Filenames:
msedge.dll
ApbxHelper.exe
RustyClaw.exe
Multiple fake CV/job submission RAR archives
Domains:
melamorri[.]com
eliteheirs[.]org
indoorvisions[.]org
trailtastic[.]org
IP Addresses:
162[.]19[.]175[.]44
194[.]36[.]209[.]127
85[.]158[.]108[.]62
Hashes: Multiple SHA1/MD5 indicators tied to malware droppers and payloads.
Organizations should immediately hunt for these IOCs within their environments.
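The domains and addresses above are published defanged, so hunting with them means refanging first and then matching with boundaries that do not fire on look-alike strings (a longer IP that merely starts with the indicator, or a domain embedded in another word). The following added example (not HivePro's code) compiles the page's IOCs into boundary-aware patterns and runs them over constructed DNS, proxy and file-creation log lines. The log format is an assumption, and so is the carve-out that ignores msedge.dll under the Edge installation path, where a legitimate copy lives; adjust both to the telemetry you actually have.

```python
import re

# Indicators exactly as published on the page (domains and IPs defanged with [.]).
DEFANGED_DOMAINS = ["melamorri[.]com", "eliteheirs[.]org", "indoorvisions[.]org", "trailtastic[.]org"]
DEFANGED_IPS = ["162[.]19[.]175[.]44", "194[.]36[.]209[.]127", "85[.]158[.]108[.]62"]
FILENAMES = ["msedge.dll", "ApbxHelper.exe", "RustyClaw.exe"]

# Assumption: a legitimate msedge.dll lives under Microsoft Edge's install folder.
EDGE_INSTALL_HINT = r"\microsoft\edge\application"


def refang(ioc):
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs():
    """Build (category, ioc, regex) triples with boundaries appropriate to each type."""
    patterns = []
    for d in DEFANGED_DOMAINS:
        dom = refang(d)
        # Match the domain or any subdomain of it, not a longer unrelated label.
        rx = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(dom) + r"(?![a-z0-9-])", re.I)
        patterns.append(("domain", dom, rx))
    for ip in DEFANGED_IPS:
        addr = refang(ip)
        # No digit or dot on either side, so 162.19.175.44 does not hit 162.19.175.441.
        rx = re.compile(r"(?<![\d.])" + re.escape(addr) + r"(?![\d.])")
        patterns.append(("ip", addr, rx))
    for fn in FILENAMES:
        rx = re.compile(r"(?<![A-Za-z0-9_.])" + re.escape(fn) + r"(?![A-Za-z0-9_])", re.I)
        patterns.append(("filename", fn, rx))
    return patterns


IOC_PATTERNS = compile_iocs()


def scan_logs(lines):
    """Return one hit dict per (line, indicator) match, skipping the known-good Edge path."""
    hits = []
    for n, line in enumerate(lines, 1):
        for category, ioc, rx in IOC_PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if category == "filename" and ioc.lower() == "msedge.dll" and EDGE_INSTALL_HINT in line.lower():
                continue
            hits.append({"line": n, "category": category, "ioc": ioc, "matched": m.group(0)})
    return hits


# Constructed log lines (timestamps, hosts and paths invented for the example).
SAMPLE_LOGS = [
    "2025-08-11T09:14:02Z dns client=10.0.4.21 query=melamorri.com type=A",
    "2025-08-11T09:14:03Z proxy src=10.0.4.21 dst=162.19.175.44:443 method=CONNECT",
    "2025-08-11T09:15:10Z dns client=10.0.4.22 query=cdn.eliteheirs.org type=A",
    r"2025-08-11T09:16:44Z sysmon event=11 image=C:\Program Files\WinRAR\WinRAR.exe "
    r"target=C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApbxHelper.exe",
    r"2025-08-11T09:17:01Z sysmon event=11 image=C:\Program Files (x86)\Microsoft\Edge\Application\128.0.0.0\msedge.exe "
    r"target=C:\Program Files (x86)\Microsoft\Edge\Application\128.0.0.0\msedge.dll",
    "2025-08-11T09:18:30Z dns client=10.0.4.23 query=example.com type=A",
    "2025-08-11T09:19:00Z proxy src=10.0.4.23 dst=194.36.209.1270:443 method=CONNECT",  # near-miss, must not match
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['category']} {hit['ioc']} (matched '{hit['matched']}')")
```

The file-creation line that places ApbxHelper.exe in a Startup folder is the highest-value hit here, because it ties a WinRAR process to the exact persistence path described in the technical details; the Edge line shows why the filename indicator needs path context before it is actionable.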
Conclusion
WinRAR Zero-Day is a Critical Cybersecurity Threat
The exploitation of CVE-2025-8088 in WinRAR highlights the urgency of patching popular software tools that are deeply embedded in enterprise workflows. With RomCom and Paper Werewolf actively weaponizing this flaw across industries, this zero-day has evolved into a serious global cyber threat.
Action Point: Update to WinRAR 7.13+ immediately and harden defenses against phishing, DLL hijacking, and obfuscated payloads.