ANOTHER WinRAR 0-Day: Don’t Patch Now — Uninstall It!
Old, bug-prone app relies on you to go look for update files.
The venerable compression-cum-archiving tool suffers yet another actively exploited vulnerability, this time a path traversal tracked as CVE-2025-8088, and its sole developer has issued a patch that you have to go and fetch yourself. Is it time to ditch WinRAR?
Yes! Here’s why: Eugene Roshal (pictured) doesn’t believe in automatic updates. In today’s SB Blogwatch, we can’t believe it’s still like that—in 2025.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fiz.
Zero Day — Zero Clue
What’s the craic? Bill Toulas reports: Details emerge on WinRAR zero-day attacks that infected PCs with malware
“WinRAR does not contain an auto-update feature”
A recent WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day attacks by the Russian ‘RomCom’ hacking group to drop different malware payloads. RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage threat group with a history in zero-day exploitation.
…
ESET’s report explains that the malicious RAR archives include numerous hidden ADS (Alternate Data Stream) payloads that are used to hide a malicious DLL and Windows shortcut, which are extracted into attacker-specified folders when the targets open the archive. [There are] three distinct attack chains, all delivering known RomCom malware families.
…
WinRAR does not contain an auto-update feature: … Users need to manually download and install the latest version.
And a second threat group joined in soon after. Daryna Antoniuk adds: Two groups exploit WinRAR flaws
“Paper Werewolf”
Russian cybersecurity firm BI.ZONE said the little-known group Paper Werewolf, also tracked as Goffee, exploited … a known vulnerability in WinRAR in recent attacks on Russian organizations. ESET said [this] appears to be the same WinRAR bug. … BI.ZONE suspects that Paper Werewolf may have acquired [the] exploit for WinRAR on a Russian-language darknet forum, where it was reportedly sold for $80,000.
…
It is not clear if RomCom and Paper Werewolf are connected. … Espionage is believed to be Paper Werewolf’s main goal. [It] has not been linked to any known nation-state. The group is known for phishing campaigns against Russian institutions, using malicious attachments disguised as official documents.
Horse’s mouth? Anton Cherepanov, Peter Strýček, Damien Schaeffer and Peter Košinár: Update WinRAR tools now
“UNC2596”
If you use WinRAR or other affected components such as the Windows versions of its command line utilities, UnRAR.dll, or the portable UnRAR source code, upgrade immediately to the latest version. … The vulnerability allows hiding malicious files in an archive, which are silently deployed when extracting. Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and Mythic agent. This campaign targeted financial, manufacturing, defense, and logistics companies in Europe and Canada.
…
RomCom (also known as … UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. … We attribute the observed activities to RomCom with high confidence based on the targeted region, TTPs, and malware used. … We would like to thank the WinRAR team for its cooperation and quick response, and recognize its effort in releasing a patch within just one day.
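Both reports above describe the same trick: an archive whose entries, including NTFS alternate data streams (ADS), carry names that steer the extracted file somewhere the user never chose. The Python below is an added example, not code from ESET, RARLAB or this post: a small RAR5 header walker that lists every file and service entry and flags the two name patterns that matter here, a file name that climbs out of the extraction directory and an ADS ("STM") entry whose stream name contains a path. It assumes the documented RAR5 layout (8-byte signature; per-header CRC32, vint-encoded size, type and flags; type 2 file and type 3 service headers; the stream name carried as UTF-16LE in extra record 0x07), and the sample archive it scans is constructed in the file itself, not captured from a real campaign. The actual bytes RomCom used are not on this page and are not reproduced here; the "is this name a path" rule is the example's own heuristic.

```python
import struct
import zlib
# RAR5 layout constants as this example assumes them (signature, header types, flags).
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02        # common header flags: extra area / data area present
FHFL_MTIME, FHFL_CRC32 = 0x02, 0x04     # file/service header flags: mtime / data CRC present
EXTRA_SUBDATA = 0x07                    # extra record type that carries an STM stream name

def read_vint(buf, pos):  # RAR5 vint: 7 data bits per byte, little-endian, high bit = more
    value = shift = 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value | (buf[pos] << shift), pos + 1

def walk_rar5(data):
    """Yield (header_type, name, stream_name) for each file/service header in the archive."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(data):
        crc = struct.unpack_from("<I", data, pos)[0]
        size, p = read_vint(data, pos + 4)
        end = p + size                       # header size spans type .. extra area
        if zlib.crc32(data[pos + 4:end]) != crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = read_vint(data, p)
        hflags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(data, p)
            skip = lambda q: read_vint(data, q)[1]
            p = skip(skip(p))                # unpacked size, attributes
            p += 4 * bool(fflags & FHFL_MTIME) + 4 * bool(fflags & FHFL_CRC32)
            p = skip(skip(p))                # compression info, host OS
            nlen, p = read_vint(data, p)
            name, stream = data[p:p + nlen].decode("utf-8", "replace"), None
            ep = end - extra_size            # extra records sit at the header's tail
            while ep < end:
                rsize, rp = read_vint(data, ep)    # record size covers type + payload
                rtype, rp2 = read_vint(data, rp)
                if htype == HEAD_SERVICE and rtype == EXTRA_SUBDATA:  # assumed UTF-16LE
                    stream = data[rp2:rp + rsize].decode("utf-16-le", "replace")
                ep = rp + rsize
            yield htype, name, stream
        pos = end + data_size                # packed data (if any) follows the header

def is_traversal(path):  # would this name leave the extraction dir under naive joining?
    p = path.replace("\\", "/")
    return p.startswith("/") or (len(p) > 1 and p[1] == ":") or ".." in p.split("/")

def audit(data):
    """Findings: traversing file names, and STM (ADS) entries whose ':name' holds a path."""
    findings = []
    for htype, name, stream in walk_rar5(data):
        if htype == HEAD_FILE and is_traversal(name):
            findings.append(("traversal-name", name))
        elif htype == HEAD_SERVICE and name == "STM":
            bad = (not stream or not stream.startswith(":")
                   or any(s in stream for s in ("\\", "/", "..")))
            if bad:
                findings.append(("ads-path", stream))
    return findings

def encode_vint(n):  # encoder counterpart of read_vint, used only to build the sample
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def _header(htype, body, extra=b"", data=b""):
    hflags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    sizes = (encode_vint(len(extra)) if extra else b"") + (encode_vint(len(data)) if data else b"")
    head = encode_vint(htype) + encode_vint(hflags) + sizes + body + extra
    sized = encode_vint(len(head)) + head
    return struct.pack("<I", zlib.crc32(sized)) + sized + data

def _entry(htype, name, data=b"", extra=b""):
    nb = name.encode("utf-8")  # body: flags=0, unpacked size, attrs, stored, host=Windows, name
    body = (encode_vint(0) + encode_vint(len(data)) + encode_vint(0x20) + encode_vint(0)
            + encode_vint(0) + encode_vint(len(nb)) + nb)
    return _header(htype, body, extra, data)

def _stm(stream):  # extra record 0x07 holding a UTF-16LE stream name
    rec = encode_vint(EXTRA_SUBDATA) + stream.encode("utf-16-le")
    return encode_vint(len(rec)) + rec

def build_sample():
    """Constructed sample (not a captured archive): benign CV + Zone.Identifier ADS, then two bad entries."""
    return (RAR5_SIG
            + _header(HEAD_MAIN, encode_vint(0))
            + _entry(HEAD_FILE, "CV_2025.pdf", b"%PDF-1.4 placeholder")
            + _entry(HEAD_SERVICE, "STM", b"[ZoneTransfer]\r\nZoneId=3", _stm(":Zone.Identifier"))
            + _entry(HEAD_FILE, "..\\..\\AppData\\Roaming\\update.dll", b"MZ placeholder")
            + _entry(HEAD_SERVICE, "STM", b"L\x00\x00\x00", _stm(":..\\..\\Startup\\update.lnk"))
            + _header(HEAD_END, encode_vint(0)))
```

Calling `audit(build_sample())` returns exactly two findings, the traversing DLL name and the path-bearing stream name, and nothing for the benign CV or its Zone.Identifier stream. To triage a real download before extracting it, pass the bytes of the `.rar` to `audit()`; a damaged or truncated header fails the CRC check and raises rather than being silently skipped, which is the behaviour you want from a pre-extraction gate.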
People still use WinRAR? DanNeely is in two minds:
7-Zip … has read only support for rar files. If for some reason you need to create or modify them, … you need a different tool. … I’m hard pressed to think of any good reasons to do so. … Without an auto-updater I’m wondering if I should uninstall it.
And it’s closed source. u/C0rn3j phlagellates a passed pony: [You’re fired—Ed.]
Every time I point out WinRAR is a Russian-made program that you can’t see the source code of, I get yelled at. … Will people finally start using 7-Zip instead, which is open source?
Don’t care for 7-Zip, though? Heed OrangeTide’s suggestion:
I like the PeaZip UI. Plus it’s available for Mac, Linux, and Windows … (admittedly the UI feels out of place on a Mac, at least it works). PeaZip is just a front-end for several command-line compressors, rather than being fully integrated like 7zip.
…
If you find yourself doing repetitive compression tasks, you can do some automation with PeaZip that isn’t possible with 7-Zip. Usually simple things like splitting archives while naming them in a specific pattern or adding an extra file to each archive.
In fact, you might not need anything. Here’s starglider:
Win11 has native .rar support now, so there isn’t much of a reason to be running winrar at this point. Unless you’re still on 10, of course.
Wait. Pause. How big a deal is this? u/MBILC reminds us how the scrotes get you to open the file:
This still involves someone being spear phished and having to download something they shouldn’t. … This type of person would get infected anyways even if they used 7zip or something else.
And that one in the corner wonders aloud:
Perhaps it has been too long since I sent out a CV [résumé], but since when has receiving a dot-rar file for a CV been considered normal and benign? Or a dot-zip … or any other kind of archive?
…
Is this just another one of those “Windows by default doesn’t show the actual extension, but everybody forgets this? … Although, yes, you do hope that unpacking an archive is a safe thing to do.
Meanwhile, are you feeling some déjà vu? Alvar “Miles” Udell sure is:
Has WinRAR become the new Adobe Flash?
And Finally:
A new direction for the Badger-Badger-Badger guy
Jonty says, “Best with headphones.”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.