
Details emerge on WinRAR zero-day attacks that infected PCs with malware

Researchers have released a report detailing how a recent WinRAR path traversal vulnerability, tracked as CVE-2025-8088, was exploited in zero-day attacks by the Russian 'RomCom' hacking group to drop different malware payloads.

RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage threat group with a history of zero-day exploitation, including in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).

ESET discovered that RomCom was exploiting an undocumented path traversal zero-day vulnerability in WinRAR on July 18, 2025, and notified the team behind the popular archiver tool.

"Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams. After quick notification, WinRAR released a patched version on July 30th, 2025," explains a new report published by ESET today.

WinRAR released a fix for the flaw, which was assigned the identifier CVE-2025-8088, on July 30, 2025, with version 7.13. However, there was no mention of active exploitation in the accompanying advisory.


ESET confirmed the malicious activity to BleepingComputer late last week; the flaw was believed to be used to extract malicious executables to autorun paths when a user opens a specially crafted archive.

The vulnerability is similar to another path traversal flaw in WinRAR, disclosed a month earlier and tracked as CVE-2025-6218.

ESET's report explains that the malicious RAR archives include numerous hidden ADS (Alternate Data Stream) payloads that are used to hide a malicious DLL and a Windows shortcut, which are extracted into attacker-specified folders when the targets open the archive.

Many of the ADS entries point to invalid paths, which ESET believes were deliberately added to generate harmless-looking WinRAR warnings while concealing the presence of the malicious DLL, EXE, and LNK file paths deeper in the file listing.

Malicious RAR archive (top) and errors during decompression (bottom)
Source: ESET

The executables are placed in the %TEMP% or %LOCALAPPDATA% directories, while the Windows shortcuts (LNK files) are dropped in the Windows Startup folder so that they are executed at the next login.
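The defensive counterpart to the technique described above is an extraction routine (or an archive-scanning mail gateway) that refuses any entry name capable of landing outside the chosen output directory. The following is an added example written for this article, not code from ESET, RarLab or WinRAR; it checks archive entry names, as strings, for the three things the report describes: `..` traversal components, NTFS alternate data stream names (a `:` inside a path component), and absolute or drive-qualified paths, and then confirms that the normalised path still resolves beneath the destination. The destination directory and every entry name in `SAMPLE_ENTRIES` are constructed for illustration; the names only mimic the shape of the archive entries the report describes and are not indicators from the ESET repository.

```python
import ntpath
from typing import Dict, List, Tuple

# Extraction directory the user chose (constructed value for this example).
DEST_DIR = r"C:\Users\alice\Downloads\extract"

# Constructed archive entry names modelled on the patterns the report
# describes: plain '..' traversal, an ADS name that itself carries '..',
# an absolute path, a rooted path, and a bare ADS name. None of these
# are real indicators of compromise.
SAMPLE_ENTRIES: List[str] = [
    r"report.pdf",
    "docs/readme.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"report.pdf:..\..\AppData\Local\Temp\msedge.dll",
    r"C:\Users\Public\payload.exe",
    r"\Windows\System32\dropped.dll",
    r"notes.txt:hidden_stream",
]


def check_entry(name: str, dest_dir: str) -> Tuple[bool, str]:
    """Return (is_safe, reason) for a single archive entry name.

    Rejects anything that could be written outside dest_dir: absolute,
    drive-qualified or UNC paths, '..' components, and alternate data
    stream names (':' inside any component), then verifies that the
    normalised join of dest_dir and the entry still sits under dest_dir.
    ntpath is used deliberately so the Windows path rules apply even when
    this check runs on a non-Windows scanning host.
    """
    norm = name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(norm)
    if drive or norm.startswith("\\"):
        return False, "absolute, drive-qualified or UNC path"
    parts = [p for p in norm.split("\\") if p]
    if any(":" in p for p in parts):
        return False, "alternate data stream name"
    if ".." in parts:
        return False, "parent-directory traversal"
    dest_norm = ntpath.normpath(dest_dir)
    resolved = ntpath.normpath(ntpath.join(dest_norm, norm))
    if resolved != dest_norm and not resolved.startswith(dest_norm + "\\"):
        return False, "resolves outside extraction directory"
    return True, "ok"


def audit_entries(entries: List[str], dest_dir: str) -> Dict[str, str]:
    """Map every rejected entry name to the reason it was rejected."""
    rejected: Dict[str, str] = {}
    for name in entries:
        safe, reason = check_entry(name, dest_dir)
        if not safe:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    for name, reason in audit_entries(SAMPLE_ENTRIES, DEST_DIR).items():
        print(f"REJECT {name!r}: {reason}")
```

The string-level checks come first because the final `normpath` comparison alone is not enough on NTFS: a component such as `file.txt:..\..\x` normalises as an ordinary path segment, yet the filesystem interprets the part after the colon as a stream name, which is exactly the behaviour the report says the attackers relied on. Rejecting any colon outside a drive prefix closes that gap at the cost of refusing legitimate ADS entries, which almost no archive needs.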


ESET documented three distinct attack chains, all delivering known RomCom malware families:

  • Mythic Agent – Updater.lnk adds msedge.dll to a COM hijack registry location, which decrypts AES shellcode and runs only if the system's domain matches a hardcoded value. The shellcode launches the Mythic agent, enabling C2 communication, command execution, and payload delivery.
  • SnipBot – Display Settings.lnk runs ApbxHelper.exe, a modified PuTTY CAC with an invalid certificate. It checks for ≥69 recently opened documents before decrypting shellcode that downloads additional payloads from attacker servers.
  • MeltingClaw – Settings.lnk launches Complaint.exe (RustyClaw), which downloads a MeltingClaw DLL that fetches and executes additional malicious modules from the attacker's infrastructure.

The Mythic Agent infection chain
Source: ESET

Russian cybersecurity firm Bi.Zone also reports observing a separate activity cluster, which it tracks as 'Paper Werewolf', also leveraging CVE-2025-8088, as well as CVE-2025-6218, in attacks.

ESET shared the complete indicators of compromise for the latest RomCom attacks on its GitHub repository.

Although Microsoft added native RAR support to Windows in 2023, the feature is only available in newer releases, and its capabilities are not as extensive as those baked into WinRAR.


Hence, many power users and organizations continue to rely on WinRAR for managing archives, which makes it a prime target for hackers.

RarLab told BleepingComputer that they are not aware of the details of the exploitation of CVE-2025-8088, did not receive any user reports, and that ESET only shared with them the technical information required to develop a patch.

WinRAR does not include an auto-update feature, so users must manually download and install the latest version (7.13 or later) from the WinRAR website.
