Two groups exploit WinRAR flaws in separate cyber-espionage campaigns
Two different threat actors, including a Russia-aligned cyber-espionage group, exploited vulnerabilities in the popular WinRAR file-archiving software this summer, researchers have found.
Slovak cybersecurity firm ESET said in a report on Monday that Russia-aligned RomCom, also tracked as Storm-0978, was the first to exploit a newly discovered flaw in WinRAR, tracked as CVE-2025-8088. The vulnerability, which lets an attacker execute code on a victim's system once the victim opens a crafted archive file, was patched on July 24, six days after ESET discovered it.
RomCom spearphished people at financial, manufacturing, defense and logistics companies in Europe and Canada, the report said. The attackers sent emails containing a malicious résumé file, hoping recipients would open it, but ESET said it could not confirm any successful compromises. According to the company, the targeted industries match the usual focus of Russian-backed espionage groups, indicating a likely geopolitical motive.
“This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild,” researchers said.
In 2023, the group targeted European defense and government entities using a Microsoft Word flaw, and in 2024, it used a previously unknown Firefox bug to deploy its backdoor malware.
In a separate report last week, researchers at Russian cybersecurity firm BI.ZONE said the little-known group Paper Werewolf, also tracked as Goffee, exploited a zero-day flaw along with a known vulnerability in WinRAR in recent attacks on Russian organizations.
ESET said on Monday that the zero-day cited in BI.ZONE’s report appears to be the same WinRAR bug uncovered during the RomCom research.
“This second threat actor began exploiting CVE-2025-8088 a few days after RomCom started doing so,” ESET said, adding that it was aware the vulnerability has also been exploited by another group and was independently discovered by Russian researchers.
BI.ZONE suspects that Paper Werewolf may have acquired a zero-day exploit for WinRAR on a Russian-language darknet forum, where it was reportedly sold for $80,000.
The previously known WinRAR bug in the BI.ZONE report, tracked as CVE-2025-6218, was fixed in June. It allows attackers to run arbitrary code with the same privileges as the user if they open a booby-trapped file or visit a compromised website.
According to BI.ZONE, Paper Werewolf’s attacks in July and August targeted Russian organizations through phishing emails impersonating employees of the All-Russian Research Institute. The emails carried malicious RAR archives that, once opened, exploited the vulnerabilities to gain access to victims’ systems.
BI.ZONE did not disclose details about the targeted organizations or whether the attacks were successful. The Moscow-based company was previously sanctioned by the European Union as part of its strategy to counter Russian hybrid threats.
It is not clear whether RomCom and Paper Werewolf are connected. The researchers had not responded to a request for comment at the time of publication.
Paper Werewolf has not been linked to any known nation-state. The group is known for phishing campaigns against Russian institutions, using malicious attachments disguised as official documents. In April, Kaspersky reported that the group used custom malware, PowerModul, to steal files from flash drives connected to Russian computers.
Although espionage is believed to be Paper Werewolf’s main goal, BI.ZONE reported at least one incident in which the group disrupted operations within a compromised network.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.