A flaw in WinRAR utility could, if left unpatched, allow cybercriminals to deploy malware via malicious archives and phishing campaigns.

What happens when a ubiquitous little file archival/unzipping tool lays dormant in millions of Windows computer systems around the world, un-updated for years — and then suddenly a high criticality zero day exploit is suddenly unleashed on the unsuspecting world?

The tool being referred to is Winrar, and a critical zero-day vulnerability (CVE-2025-8088, CVSS score 8.8) in the widely used file archiving tool has recently been exploited in active cyberattack campaigns, putting millions of systems at risk.

The software flaw is a path traversal vulnerability affecting Windows versions and their software components, such as the UnRAR.dll and command-line utilities.

This vulnerability allows attackers to craft malicious archive files that appear harmless but contain hidden alternate data streams (ADSes) that deploy malware during extraction.

Discovered by ESET researchers in mid-July 2025, and promptly patched in WinRAR version 7.13 by end-July, the vulnerability enables attackers to silently write malicious files outside the intended extraction folder — such as placing payloads in the Windows startup directory — enabling persistence through automatic execution upon system boot.

The Russia-aligned cyber threat group RomCom has been observed exploiting this zero-day in targeted spear-phishing campaigns aimed at financial, manufacturing, defense, and logistics firms across Europe and Canada. The attacks use resume-themed lures to trick victims into opening booby-trapped RAR attachments. Upon extraction, malicious DLLs and shortcut (LNK) files are deployed; these launch backdoor malware variants including SnipBot, RustyClaw, and Mythic agent, enabling extensive remote control and data exfiltration capabilities.

Additionally, another Russian group known as Paper Werewolf had reportedly leveraged this vulnerability alongside a related directory traversal bug patched in June 2025 to target Russian organizations. The rapid weaponization of this long-dormant yet widespread tool highlights the severe risk posed when critical software remains un-updated.

The incident underscores the need for prompt patching, and caution against opening unsolicited archive attachments, especially in spear-phishing contexts.