WinRAR Zero-Day Exploited to Deploy RomCom Malware

A recently patched WinRAR vulnerability, tracked as CVE-2025-8088, was actively exploited as a zero-day in phishing attacks to deliver the RomCom malware.
The flaw, a directory traversal vulnerability, was fixed in WinRAR 7.13 and allowed maliciously crafted archives to extract files into arbitrary file paths chosen by the attacker.
Vulnerability Details
According to the WinRAR 7.13 changelog:
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll can be tricked into using a path defined in a specially crafted archive, instead of the user-specified path.”
The Unix versions of RAR and UnRAR, the portable UnRAR source code and UnRAR library on Unix, and RAR for Android are not affected.
By exploiting the flaw, attackers can extract malicious executables into Windows autorun locations, such as:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user-specific)
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)
When the user logs in, the dropped executable is automatically executed, granting the attacker remote code execution.
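As an added example (not WinRAR's code or ESET's analysis), this is the containment check an extractor must make before writing each entry: resolve the archive-supplied name against the destination the user chose and refuse anything that ends up outside it. It also flags entries that would land in the two Startup folders listed above; the environment values, destination folder and entry names are constructed for the demonstration.

```python
"""Path-containment check before archive extraction (added example, not WinRAR code).
Resolves each archive-supplied name against the user-chosen destination, rejects
anything that escapes it, and flags entries landing in the Startup folders named
in the article. Environment values, destination and entry names are constructed."""
import ntpath
import re

# Autorun locations from the article, with environment variables left symbolic.
STARTUP_DIRS = (
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
)

def expand_env(path, env):
    """Expand %VAR% tokens from a supplied mapping so the check runs offline."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def inside(parent, child):
    """True if child is parent or lies beneath it (case-insensitive, same drive)."""
    p = ntpath.normcase(ntpath.normpath(parent))
    c = ntpath.normcase(ntpath.normpath(child))
    if ntpath.splitdrive(p)[0] != ntpath.splitdrive(c)[0]:
        return False  # a path on another drive can never be inside parent
    return ntpath.commonpath([p, c]) == p

def check_entry(dest_dir, entry_name, env):
    """Return (verdict, resolved_path, lands_in_startup); verdict is 'ok' or 'traversal'."""
    # normpath collapses '..' and mixed separators; join yields the entry's own path
    # when it is absolute or carries a drive letter, which inside() then rejects.
    resolved = ntpath.normpath(ntpath.join(dest_dir, entry_name))
    verdict = "ok" if inside(dest_dir, resolved) else "traversal"
    in_startup = any(inside(expand_env(d, env), resolved) for d in STARTUP_DIRS)
    return verdict, resolved, in_startup

# Constructed test data: a user extracting an e-mail attachment into Downloads.
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "PROGRAMDATA": r"C:\ProgramData"}
DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    r"invoice.pdf",
    r"docs\readme.txt",
    r"docs\..\..\notes.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        verdict, path, startup = check_entry(DEST, name, ENV)
        print(f"{verdict:9} startup={startup!s:5} {path}")
```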
Exploitation in the Wild
The vulnerability was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Strýček confirmed to BleepingComputer that the flaw had been actively exploited in phishing attacks.
ESET observed spearphishing emails carrying malicious RAR attachments that abused CVE-2025-8088 to install RomCom backdoors.
About the RomCom Group
RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned threat group engaged in:
- Ransomware and extortion campaigns
- Credential theft operations
- Custom backdoor deployment
- Data theft and persistence tactics
The group is known for exploiting zero-day vulnerabilities and has been linked to ransomware families like Cuba and Industrial Spy.
Mitigation Recommendations
Since WinRAR does not auto-update, users must manually download and install WinRAR 7.13 or newer from win-rar.com.
Recommended Actions:
- Upgrade to the latest WinRAR version immediately.
- Delete any suspicious RAR archives received via email.
- Enable endpoint protection with archive scanning enabled.
- Restrict execution from Startup folders where possible.
- Educate users on phishing awareness, especially regarding archive attachments.
ESET has stated that a full technical report on the exploitation will be released in the near future.
Source: bleepingcomputer.com