ALERT – Stop What You’re Doing & Update WinRAR Now
A zero-day flaw (CVE-2025-8088) is under active attack by Russian-linked groups Paper Werewolf and RomCom. Booby-trapped archives can plant malware in Windows startup folders—silently hijacking your system.
A Silent Breach Waiting in Your Downloads Folder
By an International Correspondent
It looks like any other compressed file—until it silently takes over your computer. That’s the reality of CVE-2025-8088, a path traversal zero-day flaw in WinRAR now confirmed to be under active exploitation.
The vulnerability allows attackers to plant malicious executables or shortcut files directly into Windows Startup folders when an unsuspecting user extracts a specially crafted archive. On the next system reboot, the malware launches automatically—giving intruders full persistence.
“This is not theoretical. We’ve observed real-world campaigns leveraging this bug to achieve system compromise within seconds of extraction,” warned Anton Cherepanov, Senior Malware Researcher at ESET.
Technical Breakdown of CVE-2025-8088
- Vulnerability Type: Path traversal in archive extraction
- Affected Versions: WinRAR ≤ 7.12 (Windows only)
- Impact: Remote code execution, persistence through Windows Startup folder injection
- Delivery Method: Malicious .RAR or .ZIP archive with embedded file paths like ..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.lnk
- Execution Trigger: Archive extraction with default WinRAR settings (no user privilege escalation needed)
Attackers exploit the bug by embedding relative paths in file headers that bypass directory restrictions. When extracted, the payload is written outside the intended destination folder—into critical system paths.
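The path traversal described above is detectable before anything is written to disk: an archive entry whose name, once separators and ".." components are normalised, resolves outside the extraction root should never be extracted. The following is an added example, not code from the article, from ESET or from WinRAR's developer. It uses Python's standard zipfile module (the article names .ZIP as one of the delivery formats); applying the same entry-name check to .RAR files assumes a separate RAR-reading library, which is not shown here. The sample archive is constructed in memory and contains one benign entry plus one entry that reuses the traversal path quoted in the breakdown, with placeholder text rather than a real shortcut file.

```python
"""Pre-extraction check for archive entries that escape the destination folder.

Added example for the CVE-2025-8088 write-up; not the article's or RARLAB's code.
Sample archive is constructed inline so the script runs offline.
"""
import io
import ntpath
import posixpath
import zipfile

# Traversal path exactly as quoted in the article's Technical Breakdown.
# The entry body below is placeholder text, not an actual .lnk file.
TRAVERSAL_NAME = (
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.lnk"
)


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/README.txt", "benign content")
        zf.writestr(TRAVERSAL_NAME, "placeholder - not a real shortcut")
    return buf.getvalue()


def entry_escapes_root(name: str) -> bool:
    """Return True if an entry name would land outside the extraction root.

    Treats both '\\' and '/' as separators (Windows extractors accept either),
    rejects absolute, drive-qualified and UNC paths outright, and then checks
    whether the normalised relative path still begins with '..'.
    """
    unified = name.replace("\\", "/")
    if unified.startswith("/") or ntpath.splitdrive(unified)[0]:
        return True
    normalized = posixpath.normpath(unified)
    return normalized == ".." or normalized.startswith("../")


def find_unsafe_entries(archive_bytes: bytes) -> list[str]:
    """List every entry in a ZIP archive that fails the traversal check."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_escapes_root(info.filename)]


def archive_is_safe(archive_bytes: bytes) -> bool:
    """Gate function for a mail gateway or download scanner: extract only if True."""
    return not find_unsafe_entries(archive_bytes)


if __name__ == "__main__":
    sample = build_sample_archive()
    for name in find_unsafe_entries(sample):
        print("UNSAFE entry, would escape extraction root:", name)
    print("archive safe to extract:", archive_is_safe(sample))
```

The check deliberately normalises before deciding, so "docs/../../x" is caught even though the name does not start with "..", while "docs/../x" (which stays inside the root) is allowed; a scanner that only searched for the literal string "..\" would miss the first case.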
“This is a classic path traversal exploit, but weaponized with frightening precision. The payload doesn’t just land anywhere—it’s placed where Windows will run it automatically,” said Peter Košinár, ESET malware analyst.
The Adversaries: Paper Werewolf & RomCom
Security telemetry shows at least two active threat actors:
- RomCom – A cyber-espionage group linked to phishing campaigns against defense, finance, and government entities in NATO-aligned countries.
- Paper Werewolf (aka GOFFEE) – A Russian-aligned group observed targeting domestic institutions, often combining this zero-day with older flaws like CVE-2025-6218 for layered attacks.
Campaigns typically disguise archives as job applications, project tenders, or supplier invoices—themes chosen to bypass suspicion in corporate environments.
“We’ve seen lure files that are visually perfect—logos, formatting, even proper grammar. The moment the user unpacks the archive, the compromise is in motion,” noted Dmitry Volkov, CEO of threat intelligence firm BI.ZONE.
Patch Now – No Auto-Update Safety Net
WinRAR v7.13, released July 30, 2025, patches the flaw. However, because WinRAR lacks automatic updates, users must manually download and install the fix from rarlab.com.
Recommended Immediate Actions:
- Update to v7.13 or newer.
- Scan systems for unexpected files in Startup directories.
- Block incoming .RAR attachments from untrusted sources.
- Educate staff on phishing awareness—especially HR and procurement teams.
“The danger is not just the exploit—it’s the lag in patch adoption. WinRAR’s manual update model means many systems will remain exposed for months,” warned Brian Krebs, investigative cybersecurity journalist.
Why This Zero-Day Matters
This isn’t just another software bug—it’s an attack on trust in everyday tools. WinRAR is used by millions globally, from students to defense contractors. When a simple file extraction can become a system breach, the implications extend to national security, critical infrastructure, and personal privacy.
With nation-state groups involved, experts fear this vulnerability will be recycled in long-term cyber campaigns—similar to how EternalBlue was exploited years after its disclosure.