The “Unzip” of Death: Why Using Your Old WinRAR Is a Dangerous Trap
2026-03-14 04:52:38 Author: infosecwriteups.com (view original)

We ignored the license pop-up for 20 years. Now, hackers are selling an $80,000 exploit that weaponizes the “Extract Here” button.

Shadhujan Jeyachandran


That nostalgic stack-of-books WinRAR icon is now a hidden backdoor for attackers. They are using a “double trap” of zero-day exploits and phishing emails to turn older WinRAR versions into a national security risk.

We all have it. That little stack of purple, blue, and green books sitting on our desktop.

For two decades, WinRAR has been the reliable workhorse of the PC world. We laughed at the “40-day trial” pop-up that never actually expired. We treated it like comfortable old furniture. It wasn’t cool, but it worked.

But that “infinite trial” mentality has just come back to haunt us.

On Tuesday, December 9, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent “drop everything” warning: WinRAR is being weaponized. It added a critical path-traversal flaw, CVE-2025-6218, to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal agencies to patch it by a set deadline.


An urgent security alert for CVE-2025-6218, a critical vulnerability in WinRAR that attackers are actively exploiting. (Source: ESET)

But that is only half the story.

New reports confirm that Russia-aligned groups have been exploiting a second, even more dangerous zero-day flaw since the summer of 2025. If you haven’t updated since then, you are walking into a double trap.

The “Fake Job Interview” Trap

While CISA’s December alert concerns CVE-2025-6218, a Russia-aligned group known as RomCom (also tracked as Storm-0978) has been using a different, sneakier tactic since last summer.

They are exploiting a separate vulnerability, CVE-2025-8088, a path traversal in how WinRAR handles NTFS alternate data streams inside RAR archives, using fake job applications as the lure.

Here is the real-world scenario discovered by ESET researchers:

  1. An HR manager receives an email from a sender named “Simona” or “Jennifer Hunt” with a subject like “Experienced Web3 Developer CV Attached”.
  2. Attached is a file like Eli_Rosenfeld_CV.rar.
  3. The victim clicks “Extract Here” to read the resume.
  4. WinRAR extracts a harmless PDF resume. The victim thinks everything is fine.

But it’s not fine.

How the “Invisible” Backdoor Works

This attack abuses a Windows feature called Alternate Data Streams (ADS). NTFS lets a file carry extra named streams (written as file.pdf:streamname), and RAR archives can store them. The malicious archive contains, alongside the visible PDF, ADS entries whose stream names contain ..\ sequences.

Vulnerable WinRAR checked the main file name for path traversal but did not apply the same check to the stream name. When you unzip the “resume,” it appends the raw stream name to the extraction path, and Windows collapses the ..\ components, so the write lands outside your Downloads folder. That is how a malicious shortcut (ESET saw names such as Updater.lnk and Display Settings.lnk) is planted in your Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and its payload in %TEMP%, without any prompt.

You see a PDF. The attacker sees a backdoor that launches automatically the next time you log in.
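The following script is an added example, not code from the article, from ESET, or from RARLAB. It does not parse real RAR files; the entry list is constructed to mirror the shape described above (a decoy PDF plus ADS entries carrying ..\ in the stream name), and the extraction folder C:\Users\hr\Downloads is an assumption. It models the mechanism the text gives, validating the main name but not the stream, then letting the OS collapse .. components, and sets the hardened check beside it. Windows path semantics come from ntpath so it runs on any OS.

```python
"""Model of the alternate-data-stream (ADS) path traversal described above.

Added example: the "vulnerable" logic is a model of the behaviour the
article describes, not WinRAR's source. Archive entries are constructed.
"""
import ntpath  # Windows path rules regardless of the host OS

# Assumed extraction folder (where the victim clicked "Extract Here").
DEST = r"C:\Users\hr\Downloads"

# Constructed archive listing: "<file>" or "<file>:<stream>".
SAMPLE_ENTRIES = [
    r"Eli_Rosenfeld_CV.pdf",                     # the decoy resume
    r"Eli_Rosenfeld_CV.pdf:Zone.Identifier",     # harmless ADS
    # Stream name with "..\" sequences: the first ".." is part of the
    # "<file>:.." component itself, the rest climb out of Downloads.
    r"Eli_Rosenfeld_CV.pdf:..\..\..\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\Updater.lnk",
    r"..\..\Evil.exe",                           # plain traversal, caught by both
]


def split_ads(entry):
    """Split 'name:stream' into (name, stream); stream is None when absent."""
    name, sep, stream = entry.partition(":")
    return (name, stream) if sep else (name, None)


def is_inside(path, root):
    """True when the normalised path lies strictly beneath root."""
    root = ntpath.normpath(root).lower()
    return ntpath.normpath(path).lower().startswith(root + ntpath.sep)


def vulnerable_target(entry, dest=DEST):
    """Pre-fix logic as the article describes it: validate only the file
    name, then append the raw stream name and let the OS resolve it."""
    name, stream = split_ads(entry)
    target = ntpath.join(dest, name)
    if not is_inside(target, dest):
        raise ValueError(f"blocked: {entry}")
    if stream is not None:
        target += ":" + stream
    return ntpath.normpath(target)   # the path the OS would actually open


def hardened_target(entry, dest=DEST):
    """Resolve the complete path, stream included, and refuse stream names
    that carry separators or '..' before anything is written."""
    name, stream = split_ads(entry)
    if stream is not None and (".." in stream or set(stream) & set("\\/")):
        raise ValueError(f"blocked (stream traversal): {entry}")
    target = ntpath.join(dest, name) + (":" + stream if stream else "")
    target = ntpath.normpath(target)
    if not is_inside(target, dest):
        raise ValueError(f"blocked (escapes {dest}): {entry}")
    return target


def escaped_entries(entries, dest=DEST):
    """Entries the vulnerable logic accepts but writes outside dest."""
    escaped = []
    for entry in entries:
        try:
            target = vulnerable_target(entry, dest)
        except ValueError:
            continue                 # the old check caught plain traversal
        if not is_inside(target, dest):
            escaped.append((entry, target))
    return escaped


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        for label, resolve in (("old", vulnerable_target), ("fixed", hardened_target)):
            try:
                print(f"{label:5} {resolve(entry)}")
            except ValueError as err:
                print(f"{label:5} {err}")
```

Running it shows the old logic accepting the third entry and resolving it to the Startup folder, while the same entry is rejected by the hardened check before any write. Real archives vary the number of ..\ sequences to cover different extraction depths, so a scanner should treat any separator or .. inside a stream name as hostile rather than trying to predict where it lands.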

Who Is Attacking You?

This isn’t one lone hacker in a basement. Several serious threat actors are involved:

  • RomCom (Storm-0978): A Russia-aligned group that runs both financially motivated and espionage operations, targeting finance, defense, and logistics companies in Europe and Canada.
  • Paper Werewolf: Another Russia-linked group, reported to have bought an exploit for this flaw on a dark-web forum for $80,000 and used it against government organizations.
  • Bitter APT & Gamaredon: State-sponsored groups that used earlier WinRAR exploits to spy on government agencies.

The “Double” Trap: Why Updating Once Isn’t Enough


A visual breakdown of how attackers use a fake job application and a hidden path-traversal exploit to backdoor your PC via WinRAR. (Source: AI generated)

Here is the tricky part that catches most people off guard.


If you read the news in June 2025 and updated your WinRAR to version 7.12, you might think you are safe.

You are NOT safe.

Version 7.12 (June 2025) fixed the first bug, CVE-2025-6218, but it is still vulnerable to the ADS flaw RomCom exploited as a zero-day, CVE-2025-8088. Attackers know this, and they are banking on you being one version behind.


A “zero-day” is a vulnerability that attackers exploit before the vendor knows about it or has a fix, leaving developers zero days to patch it before it is used. (Source: CyberNews)

The Fix (Do It Now)

The good news is that RARLAB (the creators of WinRAR) released version 7.13 on July 30, 2025, which fixes both flaws. The bad news is that WinRAR does not update itself automatically, so every install has to be upgraded by hand.

You need to be on Version 7.13 or higher.

  1. Open WinRAR.
  2. Click Help > About WinRAR.
  3. Look at the version number.
  • If it says 7.13 or higher: you are safe from both flaws.
  • If it says 7.12: you are protected against CVE-2025-6218 but still VULNERABLE to CVE-2025-8088.
  • If it says 7.11 or lower (any 7.0x, 6.x, or 5.x): you are VULNERABLE to both.

Go to rarlab.com, download the latest installer, and run it. It installs over the old version and closes both security holes.

Two caveats a careful admin should add. First, the flaws are not limited to WinRAR.exe: the Windows command-line RAR and UnRAR tools and the UnRAR.dll that other programs bundle are affected too, so software that ships its own copy of UnRAR.dll needs its own update (Unix builds and RAR for Android are not affected). Second, if you have already extracted a suspicious archive with an old version, updating does not undo the damage: look in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %TEMP% for .lnk files you did not create, and treat any you find as an incident.


Source: https://infosecwriteups.com/the-unzip-of-death-why-using-your-old-winrar-is-a-dangerous-trap-18203a2c9fff?source=rss----7b722bfd1b8d---4