Critical WinRAR Vulnerability: Upgrade Immediately (Download Attached)
猿大侠· 2025-08-13 04:11
Core Viewpoint
- The article discusses a security vulnerability in WinRAR that the Russian threat group RomCom exploited in the wild: a specially crafted archive, disguised as an ordinary document, can plant a backdoor on the victim's machine. Users are urged to upgrade to the latest version to mitigate the risk [1][2].

Vulnerability Details
- WinRAR version 7.13, released on July 30, 2025, fixes a path traversal vulnerability (CVE-2025-8088) that was already being exploited before the patch was available [1][2].
- ESET discovered the flaw on July 18, 2025, after observing RomCom attacks that used it, and reported it to WinRAR's developers [1][2].
- WinRAR has no automatic update mechanism, so the installed version has to be checked and the new build installed manually.

Attack Methodology
- The attackers build malicious WinRAR archives in which the payloads are hidden inside NTFS alternate data streams (ADS) attached to a harmless-looking decoy file, and lure targets into downloading and opening them [4].
- When such an archive is extracted, the path traversal in the ADS names causes the hidden payloads to be written to attacker-chosen locations outside the extraction folder, including autostart locations, so the dropped files are executed at the next system restart or user logon [5].

Observed Attack Chains
- ESET identified three distinct attack chains, each starting from a Windows shortcut (.lnk) dropped by the archive:
  1. **Mythic Agent**: a shortcut named Update.lnk executes msedge.dll, which handles command-and-control communication and payload delivery [6].
  2. **SnipBot**: a shortcut named Display Settings.lnk runs a modified build of PuTTY, which downloads additional payloads from the attacker's server [6].
  3. **MeltingClaw**: a shortcut named Settings.lnk downloads a DLL from the attacker's server, which in turn retrieves further malicious modules [7].

Additional Observations
- A separate activity cluster tracked as Paper Werewolf was also observed exploiting the same vulnerability [7].
- WinRAR's developers, RARLAB, stated that they were unaware of the exploitation details before the patch was released and had received no user reports about the vulnerability [7].
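The triage script below is an added example, not code from the article, ESET or RARLAB. It shows how a defender can screen an archive listing for the ADS-based path traversal the article describes before anything is extracted. It assumes the listing has already been obtained from a tool such as unrar or the rarfile library, that alternate data streams are shown as `file:stream`, and that an unsafe extractor resolves a stream name relative to the directory of its host file (a modelling assumption, not a description of WinRAR's code). `SAMPLE_LISTING` and `SAMPLE_ROOT` are constructed for illustration and are not real indicators.

```python
"""Screen a RAR listing for ADS entries that traverse outside the extraction root.

Added example (not the article's or RARLAB's code). Assumptions, all hypothetical:
- the listing came from a tool such as unrar/rarfile and ADS appear as ``file:stream``;
- an unsafe extractor joins the stream name onto the directory of the host file;
- SAMPLE_LISTING / SAMPLE_ROOT are constructed sample data.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Constructed listing: one decoy document carrying several alternate data streams.
SAMPLE_LISTING = [
    "CV_Applicant.pdf",
    "CV_Applicant.pdf:Zone.Identifier",
    "CV_Applicant.pdf:..\\..\\AppData\\Local\\Temp\\msedge.dll",
    "CV_Applicant.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.lnk",
    "CV_Applicant.pdf:/../../../../../../../../../Users/Public/Display Settings.lnk",
    "CV_Applicant.pdf:\\..\\..\\..\\notexist\\padding.bin",
]
SAMPLE_ROOT = r"C:\Users\victim\Downloads\extracted"  # constructed extraction folder

# Any destination containing this fragment is an autostart location (runs at logon).
STARTUP_MARKER = ntpath.normcase("\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\")


@dataclass
class Finding:
    entry: str
    destination: str  # where a naive extractor would write this entry
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(entry: str) -> tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream); a plain entry gets stream None.
    Archive-relative names carry no drive letter, so the first colon is the ADS separator."""
    name, sep, stream = entry.partition(":")
    return (name, stream) if sep else (name, None)


def naive_destination(root: str, entry: str) -> str:
    """Path an extractor that joins without sanitising would write to.
    ntpath is used deliberately so the model applies on any host OS."""
    name, stream = split_ads(entry)
    base_dir = ntpath.join(root, ntpath.dirname(name))
    relative = stream if stream is not None else name
    return ntpath.normpath(ntpath.join(base_dir, relative))


def escapes_root(root: str, destination: str) -> bool:
    """True when the normalised destination is not under the extraction root."""
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return not ntpath.normcase(destination).startswith(root_n)


def triage_entry(root: str, entry: str) -> Finding:
    name, stream = split_ads(entry)
    dest = naive_destination(root, entry)
    finding = Finding(entry=entry, destination=dest)
    candidate = stream if stream is not None else name
    components = candidate.replace("/", "\\").split("\\")
    if stream is not None and ("\\" in stream or "/" in stream):
        finding.reasons.append("ads name contains path separators")
    if ".." in components:
        finding.reasons.append("parent-directory component")
    if escapes_root(root, dest):
        finding.reasons.append("resolves outside extraction root")
    if STARTUP_MARKER in ntpath.normcase(dest):
        finding.reasons.append("lands in a Startup folder (runs at next logon)")
    return finding


def triage_listing(root: str, entries: Iterable[str]) -> list[Finding]:
    return [triage_entry(root, e) for e in entries]


def suspicious_entries(root: str, entries: Iterable[str]) -> list[str]:
    """Entry names that should block extraction or trigger a closer look."""
    return [f.entry for f in triage_listing(root, entries) if f.suspicious]


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_ROOT, SAMPLE_LISTING):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.entry}\n           -> {f.destination}  {'; '.join(f.reasons)}")
```

The check is deliberately conservative: an ADS whose name contains a path separator or a `..` component is flagged even if the resolved path happens to stay under the root, because a legitimate stream such as `Zone.Identifier` never needs either. The rooted and over-long `..` variants in the sample show why the destination is computed with `ntpath.normpath` rather than by counting `..` components: Windows path normalisation discards surplus `..` at the drive root, so an attacker who does not know the extraction depth can simply over-shoot.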