Redazione RHC : 9 September 2025 08:05
Manuel Roccon, leader of Red Hot Cyber’s HackerHood ethics team, has created a detailed video demonstration on YouTube that demonstrates in a practical way how the CVE-2025-8088 works.
The video demonstrates step-by-step the techniques used by attackers to compromise victims’ systems by simply double-clicking on a malicious RAR archive.
The bug in question is a directory traversal bug and has been actively exploited in targeted phishing campaigns.
As explained in the article “Did you double-click on WinRAR? Congratulations! You’ve been compromised”, a manipulated archive can extract files to critical directories, such as Windows startup folders, bypassing the normal extraction destination selected by the user.
When attackers place malware in %APPDATA%MicrosoftWindowsStart MenuProgramsStartup or %ProgramData%MicrosoftWindowsStart MenuProgramsStartUp folders, the operating system automatically runs them at the next boot, allowing them to launch malicious code, backdoors, or other malicious payloads.
Researchers have attributed these exploits to the RomCom group (also known as Storm-0978, Tropical Scorpius, Void Rabisu, or UNC2596), a cybercriminal collective linked to Russian espionage operations.
Originally focused on Ukraine, the group has expanded its targets, attacking entities linked to humanitarian projects and other European organizations. Their campaigns leverage proprietary malware and sophisticated persistence and data theft techniques.
Fortunately, the developers have fixed the vulnerability by releasing WinRAR version 7.13. However, due to the lack of automatic updates in WinRAR, many users may remain exposed if they don’t manually update by downloading it from the official website. This delay in patching allowed the bug to be exploited long before it was fixed.
The video created by Manuel Roccon highlights the educational value of “hands-on” demonstrations.
Examining how attackers hide malicious files in critical system paths and activate them without any user interaction helps raise awareness of the true impact of the vulnerability. This informative content is essential to encourage faster adoption of good security practices and timely installation of updates.
Redazione