Urgent: WinRAR Vulnerability CVE-2025-6218 Exploited by Multiple Threat Groups, Patching Needed

A critical security vulnerability in the popular WinRAR file compression tool is being actively exploited by at least three different threat actors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Tuesday after adding the flaw to its Known Exploited Vulnerabilities catalog.

The flaw, tracked as CVE-2025-6218 with a CVSS score of 7.8, is a path traversal during archive extraction: a crafted archive can cause files to be written outside the directory the user chose, which is the step attackers chain into code execution on the victim's system. CISA's alert comes amid growing evidence that sophisticated hacking groups are weaponizing the flaw in targeted campaigns against government, military, and business targets worldwide.

How the vulnerability works and who's affected

The security flaw affects only Windows-based versions of WinRAR and was patched in version 7.12 released in June 2025. According to RARLAB, the company behind WinRAR, the vulnerability "could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login."

For exploitation to succeed, a user must first open or extract a crafted archive, typically delivered as an email attachment or download. That interaction requirement limits the flaw to client-side attacks, but the widespread use of WinRAR across business and government sectors makes it an attractive lure.

Unix and Android versions of the software are not affected by this vulnerability.
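As an added illustration (this is example code written for this page, not WinRAR's code and not the actual CVE-2025-6218 payload), the following Python shows the path-traversal class the flaw belongs to: an archive entry whose name climbs out of the extraction directory lands in a location the user never chose, such as the Startup folder RARLAB mentions. The destination directory and the archive entry names are constructed for the example; the `safe_target` check is the kind of containment test an extractor must perform.

```python
import ntpath

# Constructed destination and archive entry names for this example. The
# traversal entries mimic the class of path a crafted archive would carry;
# they are not taken from any real sample.
DEST_DIR = r"C:\Users\alice\Downloads\extract"

CONSTRUCTED_ENTRIES = [
    "report.docx",                                   # benign, stays in DEST_DIR
    "images/logo.png",                               # benign, forward slashes
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\Public\evil.exe",                     # absolute path
    r"\\server\share\evil.exe",                      # UNC path
    "docs/../../../Normal.dotm",                     # climbs out after a benign prefix
    r"images\..\..\notes.txt",                       # one level above DEST_DIR
]


def naive_target(dest_dir, member):
    """What a careless extractor does: trust the entry name and join it."""
    return ntpath.normpath(ntpath.join(dest_dir, member))


def safe_target(dest_dir, member):
    """Return the resolved path for an entry, or None if it would escape dest_dir."""
    # Absolute, drive-relative and UNC names are never acceptable entry names.
    if ntpath.isabs(member) or ntpath.splitdrive(member)[0]:
        return None
    # Normalize separators and collapse '.' and '..' components.
    norm = ntpath.normpath(member.replace("/", "\\"))
    # A '..' that survives normalization can only point above dest_dir.
    if norm == ".." or norm.startswith("..\\") or "\\..\\" in norm or norm.endswith("\\.."):
        return None
    root = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(root, norm))
    # Belt and braces: the final path must be root itself or strictly below it.
    if target != root and not target.startswith(root + "\\"):
        return None
    return target


def audit_archive(dest_dir, entries):
    """Split entries into those safe to extract and those that would escape."""
    accepted, rejected = [], []
    for member in entries:
        (accepted if safe_target(dest_dir, member) else rejected).append(member)
    return accepted, rejected


if __name__ == "__main__":
    for member in CONSTRUCTED_ENTRIES:
        print(f"{member!r}")
        print(f"  naive -> {naive_target(DEST_DIR, member)}")
        print(f"  safe  -> {safe_target(DEST_DIR, member)}")
```

Running it shows the third entry resolving, under the naive join, to the user's own Startup folder two levels above the extraction directory, which is exactly the outcome RARLAB's advisory describes; the safe variant rejects it and every other escaping entry while leaving the two benign ones untouched.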

Multiple cybersecurity firms including BI.ZONE, Foresiet, SecPod, and Synaptic Security have documented exploitation of CVE-2025-6218 by three distinct threat actors:

  • GOFFEE (also known as Paper Werewolf)
  • Bitter (also known as APT-C-08 or Manlinghua)
  • Gamaredon

Each group pairs the same underlying flaw with its own lures, payloads, and target set.

Bitter APT's sophisticated attack chain

The South Asia-focused Bitter APT group has been using the vulnerability to establish persistence on compromised systems. Their attack begins with a specially crafted RAR archive named "Provision of Information for Sectoral for AJK.rar" containing both a legitimate Word document and a hidden malicious macro template.

"The malicious archive drops a file named Normal.dotm into Microsoft Word's global template path," according to Foresiet's analysis published last month. "Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking."

This sophisticated technique allows the attackers to deliver a C# trojan designed to communicate with a command-and-control server at "johnfashionaccess[.]com." Once installed, the malware can log keystrokes, capture screenshots, harvest RDP credentials, and exfiltrate sensitive files.

Security researchers believe these attacks are being distributed through targeted spear-phishing campaigns rather than mass mailings.

Gamaredon's military targets and destructive capabilities

The Russian hacking group Gamaredon has used CVE-2025-6218 in campaigns specifically targeting Ukrainian military, government, and political organizations. Their operations, first observed in November 2025, deploy malware called Pteranodon through the vulnerability.

"This is not an opportunistic campaign," noted a security researcher known as Robin. "It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence."

What makes Gamaredon's activity particularly concerning is its recent shift toward destructive operations. The group has also been observed exploiting a second WinRAR path traversal vulnerability, CVE-2025-8088 (fixed in version 7.13), to deliver a new wiper malware dubbed GamaWiper.

"This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities," ClearSky reported on November 30, 2025.

GOFFEE's multi-vulnerability approach

The threat actor known as GOFFEE (or Paper Werewolf) has combined the exploitation of CVE-2025-6218 with another WinRAR vulnerability, CVE-2025-8088 (CVSS score 8.8), in attacks targeting Russian organizations in July 2025.

According to analysis published in August by a Russian cybersecurity vendor, these attacks were delivered via phishing emails; the published analysis does not detail the final malware payload.

Urgent mitigation steps required

In response to the active exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply patches by December 30, 2025. However, security experts recommend that all organizations and individual users take immediate action to mitigate this threat.

Key steps to protect systems include:

  • Updating WinRAR to version 7.13 or newer immediately (7.12 fixed CVE-2025-6218; 7.13 also closes CVE-2025-8088, which is exploited in the same campaigns). WinRAR has no automatic update mechanism, so the new build has to be installed manually or pushed through software management
  • Implementing email filtering to detect suspicious RAR attachments
  • Training users to be cautious about opening archive files from unknown sources
  • Considering application control policies to prevent unauthorized execution
  • Keeping endpoint protection current on all endpoints so that dropped payloads and persistence artifacts are detected and removed

Enhanced security measures for organizations:

  • Implement network segmentation to limit lateral movement if systems are compromised
  • Configure email security gateways to scan and quarantine suspicious archive attachments
  • Deploy endpoint detection and response (EDR) solutions capable of identifying exploitation attempts
  • Conduct regular security awareness training focusing on archive file handling
  • Consider whether WinRAR is required at all; where an alternative archiver can be kept current through existing patch management, standardize on it

How to protect yourself

The ongoing exploitation of WinRAR vulnerabilities highlights the importance of timely software updates and security awareness. Users should be particularly vigilant about opening archive files, even when they appear to come from legitimate sources.

For businesses, this situation provides a sobering reminder that even commonly used utility software can become an attack vector. Security teams should consider incorporating archive file handling into their threat models and ensure that all endpoints have updated security tools capable of detecting these exploitation techniques.

Like the WinRAR ACE-parsing flaw disclosed in 2019 (CVE-2018-20250), which had been present in the code for 19 years and was weaponized within days of disclosure, this latest flaw shows how quickly threat actors move on newly disclosed vulnerabilities in popular software: the fix shipped in June 2025 and exploitation was under way by July.

For home users, the best protection is to update WinRAR immediately and exercise caution when opening archive files, especially those received via email or downloaded from untrusted sources. Consider using alternative archive tools if immediate updates aren't possible.

The convergence of three unrelated threat actors on a single archiver bug underscores how attractive widely deployed utility software is as an initial access vector, and why patching it deserves the same urgency as patching browsers and operating systems.

Technical indicators of compromise: Organizations should configure their security monitoring systems to detect the following indicators potentially associated with these WinRAR exploitation campaigns:

  • Hashes of the malicious archives and payloads published in the vendor reports cited above
  • Command and control domains including johnfashionaccess[.]com
  • Files written into the Windows Startup folder or Word's global template location (Normal.dotm) by an archiver process rather than by the application that owns them
  • Unusual WinRAR process activity with suspicious child processes
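Here is an added example, written for this page rather than taken from any of the cited vendor reports, of how the Bitter Normal.dotm drop described earlier and the last two indicators in this list translate into detection logic. It runs over constructed Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records; the file paths, process images, and command lines are made up for the example, and the Word STARTUP folder pattern is an assumption about one more auto-load location worth watching, not something the page reports.

```python
import ntpath
import re

# Constructed Sysmon-style events for this example (EventID 11 = FileCreate,
# EventID 1 = ProcessCreate). Paths and command lines are illustrative only.
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\extract\Provision of Information.docx"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    # Word itself rewriting Normal.dotm is routine and must not alert.
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    # WinRAR launching Word on a double-clicked document is normal user activity.
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\report.docx"'},
]

# Archiver binaries whose file writes should stay inside the extraction directory.
ARCHIVER_IMAGES = {"winrar.exe", "unrar.exe", "rar.exe"}

# Script hosts and LOLBins that an archiver has no business spawning directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Autostart / auto-load locations a traversal write would aim for. Matched
# case-insensitively against the full target path.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"\\start menu\\programs\\startup\\", re.I),     # per-user and all-users Startup
    re.compile(r"\\microsoft\\templates\\normal\.dotm$", re.I),  # Word global template (Bitter)
    re.compile(r"\\microsoft\\word\\startup\\", re.I),           # Word add-in folder (assumption)
]


def detect(events):
    """Return (rule, subject, detail) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            image = ntpath.basename(ev["Image"]).lower()
            target = ev["TargetFilename"]
            # Key on the writing process, not the path alone, so Word saving its
            # own Normal.dotm stays quiet while an archiver writing it alerts.
            if image in ARCHIVER_IMAGES and any(p.search(target) for p in SENSITIVE_PATH_PATTERNS):
                alerts.append(("archiver_write_to_autostart", image, target))
        elif ev["EventID"] == 1:
            parent = ntpath.basename(ev["ParentImage"]).lower()
            child = ntpath.basename(ev["Image"]).lower()
            if parent in ARCHIVER_IMAGES and child in SCRIPT_HOSTS:
                alerts.append(("archiver_spawned_script_host", child, ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(CONSTRUCTED_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

Against the constructed events this yields three alerts (the two WinRAR writes into Normal.dotm and the Startup folder, and the PowerShell child process) and stays silent on Word rewriting its own template and on WinRAR opening a document in Word. Keying the file-write rule on the writing process rather than on the path is what keeps it usable: the same paths are touched legitimately many times a day, but almost never by an archiver.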

For additional technical details and mitigation guidance, security professionals should consult the CISA advisory on CVE-2025-6218.
