A newly discovered WinRAR zero-day vulnerability (CVE-2025-8088) has been actively exploited by advanced threat groups like RomCom and Paper Werewolf. The flaw affects RARLAB WinRAR for Windows, allowing attackers to perform path traversal via Alternate Data Streams (ADSes), enabling the placement of malicious DLLs, LNK shortcuts, and payloads in sensitive directories.
RomCom targeted organizations across Europe and Canada through spear-phishing campaigns delivering Mythic C2 agents, SnipBot malware, and RustyClaw downloaders.
Paper Werewolf, reportedly purchasing the exploit for $80,000, launched attacks against Russian industries, chaining CVE-2025-8088 with CVE-2025-6218 for broader exploitation.
These attacks demonstrate how zero-day exploits are weaponized and sold within cybercriminal markets, spreading quickly across multiple threat actors.
The WinRAR zero-day attacks primarily target:
Financial services (banks, fintech, trading platforms)
Manufacturing companies (supply chain & industrial operations)
Defense contractors and military-affiliated entities
Logistics and transportation firms
Regions most affected include Europe, Canada, and Russia, marking this as a global cyber threat with potential supply-chain impact.
The exploit manipulates WinRAR’s UnRAR.dll to carry out path traversal attacks.
Malicious files extracted into Windows Startup folders ensure persistence.
Payload delivery chains used COM hijacking, registry key abuse, and obfuscated shellcode execution.
Archives were padded with dummy files and invalid paths to evade detection.
This makes CVE-2025-8088 a high-severity vulnerability with long-term risks if left unpatched.
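The ADS path-traversal pattern described above (an archive entry whose alternate-data-stream part points outside the extraction folder, for instance into the Startup folder) can be screened for at the archive-listing level before anything is extracted. The following triage script is an added example, not code from the article or from RARLAB: it takes a list of archive entry names (as produced by a listing tool or library) and flags ADS entries that traverse, are absolute, or aim at the Startup folder. The entry names are constructed samples, not real indicators, and the function names are assumptions.

```python
import re
from typing import Dict, List

# Startup folder marker: case-insensitive, either path separator
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)
# ADS syntax "name:stream"; a lone letter before the colon is a drive letter, not an ADS
ADS_RE = re.compile(r"^(?P<base>.{2,}?):(?P<stream>.+)$")
PAYLOAD_RE = re.compile(r"\.(dll|lnk|exe)$", re.IGNORECASE)


def split_ads(entry: str):
    """Return (base_name, stream) for an ADS-style entry, else (entry, None)."""
    m = ADS_RE.match(entry)
    return (m.group("base"), m.group("stream")) if m else (entry, None)


def analyze_entry(entry: str) -> List[str]:
    """Classify one archive entry name; an empty list means nothing suspicious."""
    findings: List[str] = []
    base, stream = split_ads(entry)
    target = stream if stream is not None else base
    parts = [p for p in re.split(r"[\\/]+", target) if p]
    if ".." in parts:
        findings.append("ads-traversal" if stream is not None else "traversal")
    if stream is not None and (stream[:1] in "\\/" or re.match(r"^[A-Za-z]:", stream)):
        findings.append("ads-absolute")
    if stream is not None and STARTUP_RE.search(stream):
        findings.append("startup-target")
    # Only note the payload type when the entry is already suspicious
    if findings and PAYLOAD_RE.search(target):
        findings.append("drops-executable")
    return findings


def scan_listing(entries: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its findings."""
    return {e: f for e in entries if (f := analyze_entry(e))}


# Constructed sample listing (not real IOCs): a decoy CV plus ADS entries that
# escape the extraction directory, one of them aimed at the Startup folder.
SAMPLE_ENTRIES = [
    "Resume_Ivan.pdf",
    r"Resume_Ivan.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"Resume_Ivan.pdf:..\..\..\AppData\Local\Temp\msedge.dll",
    r"padding\notes.txt",
]

if __name__ == "__main__":
    for name, findings in scan_listing(SAMPLE_ENTRIES).items():
        print(f"{name}\n    -> {', '.join(findings)}")
```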
Update WinRAR immediately to version 7.13 or later, which patches the flaw.
Avoid opening suspicious RAR/ZIP archives, even if they appear legitimate.
Monitor Windows Startup items for unfamiliar executables or DLLs.
Use advanced endpoint protection capable of detecting DLL hijacking and LNK exploitation.
Implement regular vulnerability management and maintain software patch inventories.
The observed activity maps to the following MITRE ATT&CK techniques:
Phishing & Spear-Phishing Attachments (T1566.001)
User Execution via Malicious Files (T1204.002)
Registry Run Keys / Startup Folder Persistence (T1547.001)
Component Object Model (COM) Hijacking (T1546.015)
Obfuscation, Encryption & Masquerading (T1027, T1036.001)
Credential Theft from Web Browsers (T1555.003)
C2 Communication over Web Protocols (T1071.001)
This mapping underscores the sophistication of the exploit chains used by attackers.
Indicators of compromise (IOCs) reported for these campaigns include:
Suspicious filenames: msedge.dll, ApbxHelper.exe, RustyClaw.exe, and multiple fake CV/job-submission RAR archives.
Domains: melamorri[.]com, eliteheirs[.]org, indoorvisions[.]org, trailtastic[.]org.
IP Addresses: 162[.]19[.]175[.]44, 194[.]36[.]209[.]127, 85[.]158[.]108[.]62.
Hashes: Multiple SHA1/MD5 indicators tied to malware droppers and payloads.
Organizations should immediately hunt for these IOCs within their environments.
The exploitation of CVE-2025-8088 in WinRAR highlights the urgency of patching popular software tools that are deeply embedded in enterprise workflows. With RomCom and Paper Werewolf actively weaponizing this flaw across industries, this zero-day has evolved into a serious global cyber threat.
Action Point: Update to WinRAR 7.13+ immediately and harden defenses against phishing, DLL hijacking, and obfuscated payloads.