RomCom and MeltingClaw: New WinRAR Exploits Target Users Worldwide
A sophisticated malware campaign is exploiting vulnerabilities in WinRAR, putting your systems at risk. Recent research ties the activity to the RomCom threat actor and to MeltingClaw, a downloader that RomCom deploys once it has a foothold. Understanding how the attack chain works and patching promptly is crucial.
What’s Happening?
Researchers identified a zero-day vulnerability (CVE-2025-8088) in WinRAR for Windows. It is a path traversal flaw: a specially crafted RAR archive can make WinRAR write files outside the folder the user chose, including into the Windows Startup folder, so a planted program runs at the next logon. In practice, simply opening or extracting a malicious archive is enough to hand attackers code execution on your computer. A second, earlier path traversal vulnerability (CVE-2025-6218) is also being exploited in parallel attacks.
These attacks aren’t limited to a single group. Both RomCom and a separate cluster dubbed “Paper Werewolf” are exploiting these vulnerabilities. Two unrelated actors adopting the same bug shows how quickly a working exploit spreads; it does not by itself mean the campaigns are coordinated.
Understanding the Threats: RomCom and MeltingClaw
Let’s break down what each threat actor is doing:
RomCom: The attack starts with a malicious RAR archive that carries a shortcut named Settings.lnk and an executable named Complaint.exe. Complaint.exe is not a Windows component; it is the attackers’ own loader, tracked as RustyClaw. The path traversal places the shortcut in the Startup folder, so at the next logon Windows runs Complaint.exe, which downloads and executes a malicious DLL. That DLL is the foothold for everything that follows.
MeltingClaw: MeltingClaw is the next stage of the same chain rather than a second actor. The DLL that Complaint.exe (RustyClaw) pulls down is the MeltingClaw downloader; it fetches further malicious modules from the attackers’ infrastructure and runs them.
In short, the victim does nothing beyond opening a seemingly harmless archive. The path traversal plants the files, and the Startup folder executes them.
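A quick way to hunt for this persistence pattern on a Windows host, as an added example that is not part of the original article: the PowerShell below lists every shortcut in the per-user and all-users Startup folders, resolves each target, and flags targets that live in user-writable locations such as %LOCALAPPDATA% or %TEMP%, where an exploited WinRAR can drop files without admin rights. The list of user-writable roots is an assumption; extend it for your environment. It covers the current user and the all-users folder only; loop over other profiles for a full machine sweep.

```powershell
# Added example, not from the original article: audit Startup folders for
# shortcuts whose target lives in a user-writable path, the pattern behind
# the Settings.lnk -> Complaint.exe chain described above.

function Get-StartupShortcutReport {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup
    )

    # Paths a non-admin user (and therefore an exploited WinRAR) can write to.
    # Assumed list; extend it for your estate.
    $userWritableRoots = @(
        $env:LOCALAPPDATA,
        $env:APPDATA,
        $env:TEMP,
        (Join-Path $env:USERPROFILE 'Downloads'),
        (Join-Path $env:SystemDrive 'Users\Public')
    ) | Where-Object { $_ }

    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden shortcuts, which droppers often set.
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File -Force) {
            $lnk    = $shell.CreateShortcut($file.FullName)
            $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
            $suspicious = $false
            foreach ($root in $userWritableRoots) {
                if ($target -and $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $suspicious = $true
                }
            }
            [pscustomobject]@{
                Shortcut   = $file.FullName
                Created    = $file.CreationTime
                Target     = $target
                Arguments  = $lnk.Arguments
                Suspicious = $suspicious
            }
        }
    }
}

Get-StartupShortcutReport |
    Sort-Object Suspicious, Created -Descending |
    Format-Table -AutoSize -Wrap
```

A shortcut flagged Suspicious is not proof of compromise (some legitimate per-user installers also start from %LOCALAPPDATA%), but a recently created Startup shortcut pointing at an executable in a user-writable folder is exactly what this exploit chain leaves behind and is worth checking against the archive files the user recently opened.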
Why WinRAR?
You might be wondering why attackers are targeting WinRAR specifically. While Microsoft added native support for RAR files to Windows 11 in 2023, that support is limited. Many users, notably those in professional settings, continue to rely on WinRAR for its advanced features and robust archive management capabilities. This widespread use makes it a prime target for attackers.
What You Need to Do Now
Protecting yourself requires immediate action. Here’s a checklist:
Update WinRAR Immediately: WinRAR does not update itself. Download and install version 7.13 or later from the official WinRAR website: https://www.win-rar.com/predownload.html. Version 7.13 fixes CVE-2025-8088, and 7.12 had already fixed CVE-2025-6218. The Windows builds of RAR, UnRAR and UnRAR.dll were affected too, so check portable copies and any software that bundles them; updating the main installation does not fix those. This is the most critical step.
Exercise Caution with Archives: Be extremely wary of opening RAR archives from unknown or untrusted sources. Even files from familiar senders should be scrutinized if they seem unexpected.
Keep Your System Updated: Ensure your operating system and all other software are up-to-date with the latest security patches.
Consider security Software: Employ a reputable antivirus or endpoint detection and response (EDR) solution to provide an additional layer of protection.
Educate Yourself and Your Team: Raise awareness about the risks associated with opening archive files and the importance of keeping software updated.
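For the first checklist item, here is an added example (not from the article or from the WinRAR developers) that reports the WinRAR builds installed on a Windows machine and flags anything below 7.13, the release that fixes CVE-2025-8088. It checks the default install folders and the uninstall registry keys; portable copies elsewhere on disk are not covered, and the version-parsing fallback assumes a leading digits-and-dots version string.

```powershell
# Added example, not from the original article: list installed WinRAR
# builds and flag anything older than 7.13 (fixes CVE-2025-8088; 7.12 fixed
# CVE-2025-6218). Run elevated to read the machine-wide registry hives.

$fixedVersion = [version]'7.13'

function ConvertTo-SafeVersion([string]$text) {
    # Registry DisplayVersion strings are not always clean; tolerate suffixes.
    $v = $null
    if ([version]::TryParse($text, [ref]$v)) { return $v }
    if ($text -match '^\s*(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}

function Get-WinRarInstalls {
    $found = @()

    # 1. Default install paths for 64-bit and 32-bit builds.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            $found += [pscustomobject]@{
                Source  = $exe
                Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
            }
        }
    }

    # 2. Uninstall entries, which also catch installs in non-default folders.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' -and $_.DisplayVersion } |
        ForEach-Object {
            $v = ConvertTo-SafeVersion $_.DisplayVersion
            if ($v) {
                $found += [pscustomobject]@{
                    Source  = "registry: $($_.DisplayName)"
                    Version = $v
                }
            }
        }

    return $found
}

$installs = Get-WinRarInstalls
if (-not $installs) {
    Write-Output 'WinRAR not found in the default locations; check for portable copies.'
}
foreach ($i in $installs) {
    $status = if ($i.Version -lt $fixedVersion) { 'VULNERABLE - update to 7.13 or later' } else { 'patched' }
    Write-Output ('{0,-55} {1,-10} {2}' -f $i.Source, $i.Version, $status)
}
```

The same check can be pushed through your endpoint management tooling to get a fleet-wide view; the file version read from WinRAR.exe is the authoritative value, and the registry lookup is there to catch installs outside Program Files.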
What the Developers Say
The developers of WinRAR have stated they were not initially aware of the specific details of the CVE-2025-8088 exploitation. They received technical information from security researchers to develop a patch, but haven’t seen widespread user reports. This highlights the importance of proactive security research and rapid patch deployment.
Staying Vigilant
These attacks demonstrate the evolving sophistication of cyber threats. Staying informed and taking proactive security measures is essential to protect your data and systems. Don’t underestimate the power of a simple software update; it could be the difference between security and compromise.