Red Hot Cyber


As expected, the WinRAR bug has become a devastating weapon for cyber criminals

Redazione RHC : 12 August 2025 15:44

As expected, the infamous WinRAR bug is now being actively exploited by attackers on a large scale, given the software’s widespread use and popularity.

ESET researchers report that the recently patched WinRAR vulnerability CVE-2025-8088 was exploited as a zero-day in phishing campaigns that delivered the RomCom malware.

The vulnerability is a path traversal flaw and was fixed in late July with the release of WinRAR 7.13. A specially crafted archive could make the extractor write files to a path chosen by the attacker rather than to the directory the user selected.

"When extracting a file, previous versions of WinRAR, the Windows versions of RAR and UnRAR, the portable UnRAR source code, and the UnRAR.dll library could be tricked into using a path defined in a specially crafted archive instead of the user-specified path," the developers of the archiver explained. The Unix versions of RAR, UnRAR, the portable UnRAR source code and the UnRAR library, as well as RAR for Android, were not affected.

Therefore, by exploiting this bug, attackers could create archives that unpack malicious executables into the Windows Startup folders:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user);
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (all users).

At the next logon the dropped file runs automatically, giving the attacker code execution on the victim's machine.
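The defensive check that this bug calls for is small: before an extractor writes an archive entry, it must reject entry names that carry absolute paths, drive letters, or `..` components, and it must confirm that the resolved destination still lies inside the directory the user chose. The following Python is an added example written for this article; it is not code from WinRAR, RARLAB or ESET, and it does not parse the RAR format. It takes entry names as an archive scanner would see them (the sample names below are constructed, not taken from a real sample), classifies the dangerous ones, flags entries whose path ends in a Startup folder, and shows the confinement check a fixed extractor performs. The alternate-data-stream rule is an extra Windows-specific hardening check, not something the article attributes to this campaign.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample entry names in the shape an archive scanner sees them
# (names as stored in the archive, not files on disk).
SAMPLE_ENTRIES = [
    "report/Q3-summary.pdf",
    "report/images/chart.png",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
    r"\\?\C:\Windows\Temp\x.exe",
    "notes.txt:hidden.exe",            # NTFS alternate data stream syntax
    "report/../../../tmp/payload.exe",
]

# Directory suffix of both Windows Startup folders, compared case-insensitively.
STARTUP_SUFFIX = ("start menu", "programs", "startup")


@dataclass
class Verdict:
    name: str
    reason: Optional[str]   # None means the entry name passed every check

    @property
    def safe(self) -> bool:
        return self.reason is None


def _components(name: str):
    """Split an entry name on either separator, dropping empty and '.' parts."""
    return [c for c in name.replace("\\", "/").split("/") if c not in ("", ".")]


def classify_entry(name: str) -> Verdict:
    """Reject entry names that could steer extraction outside the target directory."""
    norm = name.replace("\\", "/")
    if norm.startswith("/"):                       # covers '/', '//server' and '\\?\' forms
        return Verdict(name, "absolute or UNC path")
    if len(norm) >= 2 and norm[1] == ":" and norm[0].isalpha():
        return Verdict(name, "drive-letter path")
    comps = _components(name)
    if ".." in comps:
        return Verdict(name, "parent-directory traversal")
    if any(":" in c for c in comps):
        return Verdict(name, "NTFS alternate data stream syntax")
    return Verdict(name, None)


def targets_startup_folder(name: str) -> bool:
    """True when the entry's directory part ends in ...\\Start Menu\\Programs\\Startup."""
    dirs = [c.lower() for c in _components(name) if c != ".."][:-1]
    return tuple(dirs[-3:]) == STARTUP_SUFFIX


def is_confined(dest: str, name: str) -> bool:
    """Resolve `name` under `dest` and require the result to stay inside `dest`.

    This is the confinement check an extractor must perform regardless of
    what the entry name looks like syntactically.
    """
    comps = _components(name)
    if not comps:
        return False
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, *comps))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def safe_extract_path(dest: str, name: str) -> str:
    """Return the on-disk path for `name`, or raise ValueError if it must not be written."""
    verdict = classify_entry(name)
    if not verdict.safe:
        raise ValueError(f"refusing {name!r}: {verdict.reason}")
    if not is_confined(dest, name):
        raise ValueError(f"refusing {name!r}: resolves outside {dest!r}")
    return os.path.join(os.path.realpath(dest), *_components(name))


def scan(entries):
    """Return (name, reason) for every entry a defender should look at before extraction."""
    flagged = []
    for name in entries:
        verdict = classify_entry(name)
        if not verdict.safe:
            flagged.append((name, verdict.reason))
        elif targets_startup_folder(name):
            flagged.append((name, "writes into a Startup folder path"))
    return flagged


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_ENTRIES):
        print(f"FLAGGED {reason:<36} {name}")
```

Run against the constructed list, `scan` flags five of the seven entries; the two legitimate `report/...` names pass both the syntactic check and the confinement check. Note that `classify_entry` alone is not enough in practice: symlinks already present in the destination can redirect a syntactically clean name, which is why `is_confined` resolves the real path before comparing.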

ESET researchers discovered the issue in July 2025 and now report that CVE-2025-8088 was already being exploited as a zero-day before the patch was released.

According to the researchers, the vulnerability was exploited in targeted phishing attacks to deliver malware belonging to the RomCom group (also tracked as Storm-0978, Tropical Scorpius and UNC2596), including variants of SnipBot, RustyClaw and a Mythic agent.

The campaign reportedly targeted financial, manufacturing, defense, and logistics companies in Canada and Europe.

RomCom has previously been linked to ransomware attacks, data theft for extortion, and credential theft campaigns. The group is known for exploiting zero-day vulnerabilities and using custom malware to steal data and persist on compromised systems.

ESET also notes that the same vulnerability was exploited by a second, unrelated attacker, whose activity was independently discovered by the Russian company BI.ZONE. That second attacker began exploiting CVE-2025-8088 a few days after RomCom did.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
