
Multiple Threat Groups Exploit Active WinRAR Vulnerability

Summary

– CISA added a WinRAR vulnerability (CVE-2025-6218) to its catalog due to evidence of active exploitation by threat actors.
– The path traversal flaw, patched in June 2025, allows code execution on Windows if a user opens a malicious file or visits a malicious page.
– Three distinct threat groups (GOFFEE, Bitter, and Gamaredon) have been reported exploiting this vulnerability in targeted attacks.
– These attacks use phishing emails with malicious RAR archives to deploy persistent backdoors, trojans, and even destructive wiper malware.
– U.S. federal agencies are required to patch the vulnerability by December 30, 2025, to secure their networks against these threats.

A critical security flaw in the widely used WinRAR software is now under active attack by multiple sophisticated threat groups, prompting urgent calls for users to update their systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added this vulnerability to its catalog of known exploited flaws, confirming that malicious actors are leveraging it in real-world campaigns. This vulnerability, identified as CVE-2025-6218, is a path traversal issue that can allow an attacker to execute arbitrary code on a victim's Windows machine. Successful exploitation hinges on a user opening a malicious file or visiting a compromised webpage, after which an attacker could place files in sensitive system locations.

RARLAB, the developer of WinRAR, addressed the problem in version 7.12 released in June 2025. The company warned that the bug could be used to plant files in areas like the Windows Startup folder, leading to automatic code execution when a user next logs into their computer. It is crucial to note that this flaw only impacts the Windows version of the utility; builds for Unix, macOS, and Android remain unaffected.

Security researchers from several firms have documented exploitation by three distinct threat actors. These groups are tracked as GOFFEE (also known as Paper Werewolf), the South Asia-focused Bitter APT, and the Russian Gamaredon group. Their campaigns demonstrate the vulnerability’s appeal for both espionage and disruptive operations.

One report detailed how the Bitter group weaponized the WinRAR flaw to establish persistence on a compromised host. Their attack involved a spear-phishing email containing a RAR archive. When opened, the archive deployed a malicious macro template into Microsoft Word’s global template path. This technique ensures the malicious code runs every time Word is launched, creating a persistent backdoor that evades standard email security measures blocking macros. The final payload is a sophisticated C# trojan capable of keylogging, capturing screenshots, stealing RDP credentials, and exfiltrating files.
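The two abuses described above (planting a file in the Startup folder, and dropping a template into Word's global template path) both rely on an archive entry whose name walks out of the extraction directory. As an added example that is not code from the article, RARLAB or the vendors cited, the check below audits an archive's entry listing before anything is extracted: it flags traversal and absolute names and reports when the resolved target would land in one of the auto-run locations. The entry names and the extraction directory are constructed sample data, and the two sensitive-path fragments are assumed locations for illustration.

```python
import ntpath

# Assumed auto-run locations (illustrative, matched case-insensitively
# against the resolved path): the per-user Startup folder and the Word
# STARTUP folder that holds global templates.
SENSITIVE_FRAGMENTS = (
    r"microsoft\windows\start menu\programs\startup",
    r"microsoft\word\startup",
)

def is_traversal(entry_name: str) -> bool:
    """True if an archive entry name would escape the extraction directory.

    Accepts either separator and rejects drive letters, UNC prefixes and
    rooted paths; '..' is tracked by depth so 'a/../../x' is caught while
    'docs/../readme.txt' is allowed.
    """
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        return True
    depth = 0
    for part in rest.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def resolved_target(extract_dir: str, entry_name: str) -> str:
    """Where a naive extractor that simply joins paths would write the entry."""
    return ntpath.normpath(ntpath.join(extract_dir, entry_name.replace("/", "\\")))

def audit(extract_dir: str, entry_names):
    """Return (entry, reason) for every entry that should be refused."""
    findings = []
    for entry in entry_names:
        if is_traversal(entry):
            target = resolved_target(extract_dir, entry).lower()
            hit = next((f for f in SENSITIVE_FRAGMENTS if f in target), None)
            findings.append((entry, "sensitive:" + hit if hit else "traversal"))
    return findings

# Constructed sample listing: one benign document and one entry aimed at
# the user's Startup folder from a download directory two levels deep.
SAMPLE_DIR = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
]
```

Run `audit(SAMPLE_DIR, SAMPLE_ENTRIES)` on a listing produced by your archive tool of choice to see which entries would need blocking; a patched extractor rejects them itself, so this is a pre-extraction gate for mail gateways and sandboxes.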

Meanwhile, the Gamaredon hacking collective has used the same vulnerability in targeted phishing campaigns against Ukrainian entities. Their operations, focused on military, government, and political organizations, deliver malware known as Pteranodon. Security analysts characterize this not as opportunistic crime but as a structured, military-oriented espionage and sabotage effort likely coordinated by Russian state intelligence. In a significant escalation, Gamaredon has also paired this vulnerability with another WinRAR flaw (CVE-2025-8088) to deploy a new data-wiping tool called GamaWiper, marking a shift from pure espionage to include destructive attacks.

In response to the active threats, CISA has mandated that all Federal Civilian Executive Branch agencies apply the necessary patches by December 30, 2025. For all users and organizations, the imperative is clear: updating to WinRAR version 7.12 or later is an essential step to mitigate this immediate risk.

(Source: The Hacker News)
