High-severity WinRAR 0-day exploited for weeks by 2 groups
12 days ago
- #cybersecurity
- #zero-day
- #WinRAR
- A high-severity zero-day vulnerability in WinRAR is being actively exploited by two Russian cybercrime groups.
- When a victim extracts a malicious archive delivered by a phishing message, the vulnerability lets the attacker drop an executable where Windows will run it, backdooring the machine.
- ESET detected the attacks starting July 18; WinRAR's developers released a fix on July 24 (WinRAR 7.13). WinRAR does not update itself, so users must install the new version manually.
- The exploit hides a path traversal in an NTFS alternate data stream (ADS): the archive's visible file name looks harmless, while the stream carries a path that is written outside the chosen extraction folder, into locations such as the Windows Startup folder, so the planted executable runs at the next login.
- The attacks are attributed to the RomCom group, known for both espionage and financially motivated operations.
- RomCom has now used at least three zero-day vulnerabilities in targeted attacks, a sign of the resources behind the group.
- Another group, Paper Werewolf (or GOFFEE), is also exploiting the same WinRAR vulnerability.
- Paper Werewolf was additionally exploiting a separate, already-patched high-severity WinRAR path traversal flaw (CVE-2025-6218).
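The bullet on alternate data streams describes a bug class rather than a single string: an extractor that checks the primary file name but appends an attacker-controlled stream name verbatim can be steered outside the destination folder. The following is an added example, not WinRAR's code and not derived from the exploit itself. It models each archive entry as a (primary name, ADS name) pair (a modeling assumption), uses constructed names and a constructed destination folder, and places the weak resolver beside a hardened one that validates the stream name with the same rigour as the file name. It uses Python's `ntpath` so Windows path semantics are reproduced on any platform.

```python
import ntpath

# Extraction folder chosen by the user (constructed example value).
DEST = r"C:\Users\victim\Downloads\out"

# Constructed archive entries: (primary file name, alternate data stream name).
# An empty stream means a plain file. Only the last entry models the bug class
# described on the page: a clean primary name carrying a traversal in its ADS.
STARTUP = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe"
CONSTRUCTED_ENTRIES = [
    ("CV_candidate.pdf", ""),
    ("CV_candidate.pdf", "Zone.Identifier:$DATA"),   # benign, common mark-of-the-web stream
    (STARTUP, ""),                                    # traversal in the primary name
    ("CV_candidate.pdf", STARTUP),                    # traversal hidden in the ADS
]


def _contained(root: str, candidate: str) -> bool:
    """True if candidate lies strictly below root after Windows-style normalisation."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    return cand_n != root_n and ntpath.commonpath([root_n, cand_n]) == root_n


def primary_target(root: str, name: str) -> str:
    """Resolve the primary name under root; reject empty, NUL, absolute, drive-qualified
    or escaping names. Both resolvers below share this check."""
    if not name or "\0" in name or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError(f"rejected primary name: {name!r}")
    full = ntpath.normpath(ntpath.join(root, name))
    if not _contained(root, full):
        raise ValueError(f"primary name escapes destination: {name!r}")
    return full


def naive_extract_target(root: str, name: str, stream: str = "") -> str:
    """Weak pattern: the primary name is checked, the stream name is appended verbatim.
    A stream name containing '..\\' therefore rides on a harmless-looking file entry."""
    target = primary_target(root, name)
    return f"{target}:{stream}" if stream else target


def hardened_extract_target(root: str, name: str, stream: str = "") -> str:
    """Validate the ADS name as strictly as the primary name before building the path."""
    target = primary_target(root, name)
    if not stream:
        return target
    stream_name, _, stream_type = stream.partition(":")
    # A legitimate stream name is a single component inside the file: no NUL, no path
    # separators, not '.' or '..', and at most the optional ':$DATA' type suffix.
    if (not stream_name or "\0" in stream
            or any(sep in stream_name for sep in ("\\", "/"))
            or stream_name in (".", "..")
            or stream_type not in ("", "$DATA")):
        raise ValueError(f"rejected stream name: {stream!r}")
    return f"{target}:{stream}"


def is_safe_entry(root: str, name: str, stream: str = "") -> bool:
    """Boolean wrapper around hardened_extract_target, handy for triage scripts."""
    try:
        hardened_extract_target(root, name, stream)
        return True
    except ValueError:
        return False


def triage(root: str, entries) -> list:
    """Classify every (name, stream) entry as 'ok: <path>' or 'REJECT: <reason>'."""
    results = []
    for name, stream in entries:
        try:
            results.append((name, stream, "ok: " + hardened_extract_target(root, name, stream)))
        except ValueError as exc:
            results.append((name, stream, f"REJECT: {exc}"))
    return results


if __name__ == "__main__":
    for name, stream, verdict in triage(DEST, CONSTRUCTED_ENTRIES):
        print(f"{name!r} ADS={stream!r}\n    {verdict}")
    # The weak resolver emits a destination that still carries the traversal:
    print(naive_extract_target(DEST, "CV_candidate.pdf", STARTUP))
```

The point of `triage` is that the same list of entries produces two clean verdicts and two rejections, whereas the naive resolver accepts the fourth entry because it never looks past the colon. The Startup folder is used as the destination in the constructed entries because it is the standard autorun location; the actual names used in the campaign are not given on this page.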