Researchers have launched a report detailing how a current WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day assaults by the Russian ‘RomCom’ hacking group to drop totally different malware payloads.
RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage risk group with a historical past in zero-day exploitation, together with in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Workplace (CVE-2023-36884).
ESET found that RomCom was exploiting an undocumented path traversal zero-day vulnerability in WinRAR on July 18, 2025, and notified the group behind the favored archiver instrument.
“Evaluation of the exploit led to the invention of the vulnerability, now assigned CVE-2025-8088: a path traversal vulnerability, made potential with the usage of alternate knowledge streams. After fast notification, WinRAR launched a patched model on July thirtieth, 2025,” explains a new report revealed by ESET in the present day.
WinRAR launched a repair for the flaw, which was assigned the identifier CVE-2025-8088, on July 30, 2025, with model 7.13. Nonetheless, there was no point out of lively exploitation within the accompanying advisory.
ESET confirmed the malicious exercise to BleepingComputer late final week, which was believed for use to extract harmful executables to autorun paths when a person opens a specifically crafted archive.
The vulnerability was much like one other path traversal flaw in WinRAR, disclosed a month earlier, tracked as CVE-2025-6218.
ESET’s report explains that the malicious RAR archives embody quite a few hidden ADS (Alternate Information Stream) payloads which can be used to cover a malicious DLL and Home windows shortcut, that are extracted into attacker-specified folders when the targets open the archive.
Lots of the ADS entries are for invalid paths, which ESET believes had been intentionally added to generate harmless-looking WinRAR warnings, whereas concealing the presence of the malicious DLL, EXE, and LNK file paths deeper within the file record.
Supply: ESET
The executables are positioned into the %TEMP% or %LOCALAPPDATA% directories, whereas the Home windows shortcuts (LNK information) are dropped within the Home windows Startup listing in order that they’re executed upon subsequent login.
ESET documented three distinct assault chains, all delivering recognized RomCom malware households:
- Mythic Agent – Updater.lnk provides msedge.dll to a COM hijack registry location, which decrypts AES shellcode and runs provided that the system’s area matches a hardcoded worth. The shellcode launches the Mythic agent, enabling C2 communication, command execution, and payload supply.
- SnipBot – Show Settings.lnk runs ApbxHelper.exe, a modified PuTTY CAC with an invalid certificates. It checks for ≥69 lately opened paperwork earlier than decrypting shellcode that downloads further payloads from attacker servers.
- MeltingClaw – Settings.lnk launches Grievance.exe (RustyClaw), which downloads a MeltingClaw DLL that fetches and executes extra malicious modules from the attacker’s infrastructure.
Supply: ESET
Russian cybersecurity agency Bi.Zone additionally stories observing a separate exercise cluster, which they monitor as ‘Paper Werewolf,’ additionally leveraging CVE-2025-8088, in addition to CVE-2025-6218, in assaults.
ESET shared the whole indicators of compromise for the newest RomCom assaults on its GitHub repository.
Though Microsoft added native RAR assist to Home windows in 2023, the characteristic is just out there to newer releases, and its capabilities are usually not as in depth as these baked into WinRAR.
Therefore, many energy customers and organizations proceed to depend on WinRAR for managing archives, which makes it a major goal for hackers.
RarLab informed BleepingComputer that they aren’t conscious of the main points of the exploitation of CVE-2025-8088, didn’t obtain any person stories, and ESET solely shared with them the technical info required to develop a patch.
WinRAR doesn’t comprise an auto-update characteristic, so customers have to manually obtain and set up the newest model from right here.
46% of environments had passwords cracked, practically doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
