WinRAR: Security vulnerability attacked by two different groups
The vulnerability closed in WinRAR 7.13 was attacked independently by two different groups.
(Image: heise online / dmk)
Earlier this week, it became known that WinRAR version 7.13 closes a high-risk vulnerability that allows malicious code to be injected and executed. The vulnerability has already been exploited by two different criminal groups, as IT security researchers have now reported.
Malwarebytes employees write in a blog post that two cyber gangs attacked the vulnerability independently of each other while no update existed to close it, so it was a zero-day. It is a "path traversal" vulnerability that allows writes to directories that should not be reachable from an archive. Attackers use manipulated archive files to trigger the error and thus inject and execute arbitrary code when victims unpack those archives with vulnerable WinRAR versions (CVE-2025-8088 / EUVD-2025-23983, CVSS 8.4, risk "high").
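Path traversal in an archive, as described above, means an entry name that makes the extractor write outside the chosen output directory. The following is an added example, not code from the article or from WinRAR, showing the check an extractor or a mail gateway can apply to entry names before writing anything to disk; the function names and the sample entry list are constructed for illustration.

```python
import ntpath
import posixpath


def entry_escapes_root(entry_name: str) -> bool:
    """Return True if an archive entry name would be written outside the
    extraction directory (path traversal), False if it stays inside.

    Hypothetical helper, not WinRAR code: it normalises Windows and POSIX
    separators, then rejects absolute paths, drive letters and any '..'
    component that climbs above the extraction root.
    """
    if not entry_name:
        return True                       # empty name: refuse rather than guess
    name = entry_name.replace("\\", "/")  # archives built on Windows use backslashes
    if ntpath.splitdrive(name)[0]:        # "C:..." or "//server/share/..."
        return True
    if name.startswith("/"):              # absolute POSIX path
        return True
    # normpath collapses "a/./b" and "a/../b"; a result that still begins
    # with ".." would leave the extraction directory
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def flag_unsafe_entries(entry_names):
    """Return the subset of entry names that must not be extracted as-is."""
    return [n for n in entry_names if entry_escapes_root(n)]


# Constructed sample list imitating what an archive reader returns for a
# fake "job application" archive: the first two entries are benign, the
# remaining three mimic traversal attempts.
SAMPLE_ENTRIES = [
    "application/cv.pdf",
    "application/cover/../letter.docx",
    "..\\..\\..\\Desktop\\cv.exe",
    "../../../.profile",
    "C:\\Users\\Public\\cv.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        verdict = "BLOCK" if entry_escapes_root(name) else "ok"
        print(f"{verdict:5} {name}")
```

The same check belongs in any tool that unpacks untrusted archives, since the name inside the archive is attacker-controlled regardless of the archive format.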
Two cyber gangs attack vulnerability
Previously, the IT security company ESET had reported spearphishing emails with file attachments in RAR format. These carefully prepared archives exploited the vulnerability to install "RomCom" backdoors. Behind RomCom is a cyber gang linked to Russia, also known as Storm-0978, Tropical Scorpius or UNC2596. It is said to specialize in ransomware, data theft attacks and campaigns to steal access credentials.
According to Malwarebytes, these attacks took place between 18 and 21 July 2025 and targeted organizations in the manufacturing, defense and logistics sectors, particularly in Europe and Canada. In the phishing emails, the attackers pretended to be job applicants whose supposed application documents were included in the email attachments.
A second cyber gang called "Paper Werewolf" also abused the vulnerability, reports Malwarebytes. However, it directed its attacks against Russian institutions. IT researchers discovered this targeted phishing campaign at the beginning of July. The attackers posed as employees of a Russian research institute and attached a supposed letter from a ministry to the emails. Malwarebytes assumes that other criminals will jump on the bandwagon and try to abuse the vulnerability.
On Monday of this week, it became clear that the update to WinRAR 7.13 closes the vulnerability, which was already under attack. The older versions of RAR, UnRAR, portable UnRAR (source code) and UnRAR.dll are affected. The Unix and Android versions, however, are not. Anyone using WinRAR should definitely update to the latest version of the archive software.
(dmk)