Red Hot Cyber


Did you double-click WinRAR? Congratulations! You’ve been compromised

Redazione RHC : 9 August 2025 14:49

A recently patched WinRAR vulnerability, tracked as CVE-2025-8088, was exploited in targeted phishing attacks before a fix was available. It is a directory traversal flaw, fixed only in WinRAR 7.13. A specially crafted archive caused its contents to be written, on extraction, to a directory chosen by the attacker rather than the folder the user selected. This bypassed the normal expectation that extracted files stay under the chosen destination and let an attacker plant malicious files in sensitive Windows directories.

Whereas a normal extraction writes to the selected destination, the vulnerability let the stored path override it and redirect the contents to the operating system's startup folders. These are the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users Startup folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp). At the next logon, Windows automatically launched any executable placed there, giving the attacker arbitrary code execution on the victim's machine with no further interaction beyond opening the archive.

The issue affected only the Windows builds of WinRAR, RAR, UnRAR, their portable versions, and the UnRAR.dll library. The Unix and Android variants, and their source code, were not affected.

The situation was particularly dangerous because WinRAR has no automatic update feature. Users who do not watch for new releases could remain exposed for months without noticing. The developers strongly recommend manually downloading and installing WinRAR 7.13 from the official website win-rar.com; in managed environments, administrators should inventory installed WinRAR versions, since older copies will not update themselves.

The vulnerability was identified by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček. ESET confirmed that it was used in real phishing campaigns to install the RomCom malware: the attackers sent emails carrying RAR attachments that contained the CVE-2025-8088 exploit.

RomCom is a threat group also tracked as Storm-0978, Tropical Scorpius, and UNC2596. It specializes in ransomware, data theft, extortion, and credential theft, and uses custom malware to persist on compromised systems, exfiltrate information, and install backdoors that give it covert access to infected devices.

The group is known for its extensive use of zero-day vulnerabilities and has collaborated with other ransomware operations, including Cuba and Industrial Spy. The current campaign against WinRAR is the latest example of how RomCom pairs zero-day exploitation with social engineering to bypass defenses and penetrate corporate networks.

ESET is preparing a detailed report on the incident, covering the exploitation method and the technical details of the attacks it identified.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
