Details emerge about WinRAR zero-day attacks infecting PCs with malware


Researchers have released a report detailing how the recent WinRAR path traversal vulnerability, tracked as CVE-2025-8088, was exploited as a zero-day by the Russian "RomCom" hacking group to drop various malware payloads.

RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage threat group with a history of zero-day exploitation, including Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).

ESET discovered that RomCom was exploiting an undocumented path traversal zero-day vulnerability in WinRAR on July 18, 2025, and notified the team behind the popular archival tool.

"Analysis of the exploit led to the discovery of a previously unknown path traversal vulnerability, now assigned CVE-2025-8088, enabled by alternate data streams. After prompt notification, WinRAR released a patched version on July 30, 2025."

WinRAR released a fix for the flaw, assigned identifier CVE-2025-8088, in version 7.13 on July 30, 2025. However, there was no mention of active exploitation in the accompanying advisory.

ESET confirmed the malicious activity to BleepingComputer late last week, saying the flaw was used to drop malicious executables when users opened specially crafted archives.

The vulnerability resembles another path traversal flaw in WinRAR, disclosed a month earlier and tracked as CVE-2025-6218.

The ESET report reveals that the malicious RAR archives contain numerous hidden ADS (alternate data stream) payloads that are used to conceal malicious DLLs and Windows shortcuts, which are extracted into attacker-specified folders when the target opens the archive.

Many of the ADS entries point to invalid paths, and ESET believes they were added intentionally to generate harmless-looking WinRAR warnings while hiding the presence of the important DLL, EXE, and LNK file paths in the file listing.

Malicious RAR archives (Volume) and errors (Volume) during decompression
Source: ESET

The executable is placed in the %TEMP% or %LocalAppData% directory, and the Windows shortcuts (LNK files) are dropped into the Windows Startup folder so that they run on subsequent logins.
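The two paragraphs above describe the detection opportunity: an archive entry whose ADS stream name (or plain name) resolves outside the extraction directory, padded with filler entries that only trigger warnings. As an added, defender-side example that is not ESET's, RARLAB's or BleepingComputer's code, the Python script below resolves each entry name of a listing against the planned extraction directory, flags every entry that would land outside it, and separates those that matter (DLL/EXE/LNK targets, or anything aimed at a Startup folder) from the warning-generating filler. It assumes that the listing tool prints ADS entries as `host:stream` and that a stream name containing path separators resolves like a relative path; the sample listing, the user name and all paths are constructed.

```python
"""Triage an archive entry listing for path traversal via alternate data
streams (ADS).  Added example, not code from the report or from WinRAR."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Extensions whose appearance outside the extraction folder warrants an alert.
RISKY_EXT = {".dll", ".exe", ".lnk", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".scr"}
# Per-user Startup folder suffix, compared case-insensitively.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample listing (not a real archive): benign documents plus ADS
# entries attached to one of them; some would escape the extraction folder.
SAMPLE_LISTING = [
    "report.pdf",
    "readme.txt",
    "report.pdf:..\\..\\..\\does\\not\\exist\\1.txt",
    "report.pdf:..\\..\\..\\does\\not\\exist\\2.txt",
    "report.pdf:..\\..\\..\\Users\\victim\\AppData\\Local\\Temp\\msedge.dll",
    "report.pdf:..\\..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\updater.lnk",
]


@dataclass(frozen=True)
class Finding:
    entry: str
    target: str        # where the data would land if the name were honoured
    is_ads: bool
    escapes: bool      # lands outside the extraction directory
    startup: bool      # lands in a Startup folder (runs at next logon)
    risky_ext: bool


def split_ads(entry: str) -> tuple[str, str | None]:
    """Split 'host:stream' into (host, stream); a drive letter is not a stream."""
    host, sep, stream = entry.partition(":")
    if not sep:
        return entry, None
    if len(host) == 1 and host.isalpha() and stream[:1] in ("\\", "/"):
        return entry, None           # "C:\..." is a drive prefix, not an ADS
    return host, stream


def resolve_entry(entry: str, extract_dir: str) -> Finding:
    """Resolve one entry name against the extraction directory and classify it."""
    host, stream = split_ads(entry)
    host_path = ntpath.join(extract_dir, host)
    if stream is None:
        target = ntpath.normpath(host_path)
    else:
        # Assumption: a stream name containing separators is resolved relative
        # to the host file's directory, like any other relative path.
        target = ntpath.normpath(ntpath.join(ntpath.dirname(host_path), stream))
    base = ntpath.normcase(extract_dir).rstrip("\\")
    norm = ntpath.normcase(target)
    escapes = not (norm == base or norm.startswith(base + "\\"))
    return Finding(
        entry=entry,
        target=target,
        is_ads=stream is not None,
        escapes=escapes,
        startup=STARTUP_MARKER in norm,
        risky_ext=ntpath.splitext(norm)[1] in RISKY_EXT,
    )


def triage(listing: list[str], extract_dir: str) -> dict:
    """Summarise a listing: which entries escape, and which of those matter."""
    findings = [resolve_entry(e, extract_dir) for e in listing]
    escaping = [f for f in findings if f.escapes]
    alerts = [f for f in escaping if f.risky_ext or f.startup]
    return {
        "entries": len(findings),
        "ads_entries": sum(f.is_ads for f in findings),
        "escaping": len(escaping),
        "alerts": alerts,
        # Escaping entries that are neither executable nor aimed at Startup
        # look like the warning-generating filler the report describes.
        "probable_filler": len(escaping) - len(alerts),
        "suspicious": bool(alerts),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING, r"C:\Users\victim\Downloads")
    print(f"{summary['entries']} entries, {summary['escaping']} escape the "
          f"extraction folder, {summary['probable_filler']} look like filler")
    for f in summary["alerts"]:
        print("ALERT", f.entry, "->", f.target)
```

Because plain entry names are resolved the same way, the script also catches the older style of traversal (names rather than stream names containing `..`) that the related CVE-2025-6218 concerns. On the constructed listing it reports six entries, four of which escape; two are classified as filler and two (the DLL in %LocalAppData%\Temp and the LNK in the Startup folder) raise alerts.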


ESET documents three different attack chains, each delivering a known RomCom malware family.

  • Mythic Agent – updater.lnk adds msedge.dll to a COM hijacking registry location. It is executed only if the AES-encrypted shellcode decrypts and the system's domain matches hardcoded values. The shellcode enables C2 communication, command execution and payload delivery, and launches the Mythic agent.
  • SnipBot – Display Settings.lnk runs ApbxHelper.exe, a modified PuTTY CAC with an invalid certificate. It checks for 69 or more recently opened documents before decrypting shellcode that downloads additional payloads from the attacker's server.
  • MeltingClaw – Settings.lnk launches complain.exe (RustyClaw) to download the MeltingClaw DLL, which retrieves and runs additional malicious modules from the attacker's infrastructure.
Mythic Agent infection chain
Source: ESET

Russian cybersecurity firm BI.ZONE reports that it is observing another activity cluster, Paper Werewolf, also using CVE-2025-8088 and CVE-2025-6218 in attacks.

ESET shared the full indicators of compromise (IoCs) for the latest RomCom attacks on its GitHub repository.

Microsoft added native RAR support to Windows in 2023, but this feature is only available in newer releases, and its functionality is not as extensive as that built into WinRAR.

Therefore, many power users and organizations continue to rely on WinRAR to manage their archives, making them a prime target for hackers.

RARLAB told BleepingComputer that it is not aware of the details of CVE-2025-8088 exploitation, has not received user reports, and that ESET only shared the technical information needed to develop the patch.

WinRAR does not include automatic updates, so users will need to manually download and install the latest version.
