New Insights Unveiled on WinRAR Zero-Day Attacks Infecting PCs with Malware

ESET researchers have released a report detailing the exploitation of a recent WinRAR path traversal vulnerability, tracked as CVE-2025-8088, by the Russian hacking group known as RomCom. RomCom, also referred to as Storm-0978 and Tropical Scorpius, has a history of zero-day exploitation, including vulnerabilities in Firefox and Microsoft Office. ESET discovered that RomCom was exploiting this previously unknown vulnerability on July 18, 2025, and promptly notified the WinRAR development team. Analysis of the exploit led to the identification of CVE-2025-8088, a path traversal vulnerability enabled by alternate data streams. Following the notification, WinRAR released a patched version on July 30, 2025, although the advisory did not mention any active exploitation.

ESET confirmed the malicious activity, indicating that the vulnerability was used to extract dangerous executables to autorun paths when users opened specially crafted archives. The malicious RAR files contained numerous hidden alternate data stream (ADS) payloads, which concealed a malicious DLL and a Windows shortcut. These were extracted into attacker-specified folders upon opening the archive. Many of the ADS entries pointed to invalid paths, likely added to generate misleading WinRAR warnings while hiding the presence of the malicious files. The executables were placed in the %TEMP% or %LOCALAPPDATA% directories, while the Windows shortcuts were dropped in the Windows Startup directory for execution upon the next login. ESET documented three distinct attack chains, each delivering known RomCom malware families, including Mythic Agent, SnipBot, and MeltingClaw.
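The combination described above (ADS entries whose names climb out of the extraction directory and land executables or shortcuts in autorun locations) can be checked for before an archive is extracted. The following is an added example, not code from the article or from ESET's report: a small pre-extraction check over an archive's entry names. The `file:stream` notation is standard NTFS ADS syntax, but the way a stream name is resolved (relative to the base file's directory, so that `..` components inside it escape the root) is an illustrative assumption about the traversal mechanism, and every entry name and path in `SAMPLE_ENTRIES` and `EXTRACT_ROOT` is constructed for the example rather than taken from any real sample.

```python
import ntpath
from dataclasses import dataclass, field

# Windows autorun folder, matched case-insensitively on the resolved target path.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Extensions that would run or be loaded if dropped into an autorun location.
AUTORUN_EXTENSIONS = {".lnk", ".exe", ".dll", ".cmd", ".bat", ".vbs", ".js"}

# Constructed extraction root and archive entry listing (not from a real archive).
EXTRACT_ROOT = "C:\\Users\\alice\\Downloads\\extracted"
SAMPLE_ENTRIES = [
    "report.pdf",                                   # ordinary file, stays in root
    "docs/notes.txt:author",                        # harmless-looking ADS, stays in root
    "report.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\Updater.lnk",  # ADS traversal into Startup
    "report.pdf:..\\..\\AppData\\Local\\Temp\\helper.dll",  # ADS traversal into %TEMP%
    "report.pdf:..\\..\\..\\..\\..\\nosuchdir\\decoy.txt",  # decoy pointing at an invalid path
]


@dataclass
class Finding:
    entry: str
    resolved: str
    reasons: list = field(default_factory=list)


def split_ads(entry):
    """Split 'name:stream' into (name, stream); stream is None when no ADS is present.
    A leading drive designator such as 'C:' is not treated as an ADS separator."""
    start = 2 if len(entry) > 1 and entry[1] == ":" and entry[0].isalpha() else 0
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def resolve(extract_root, base, stream):
    """Return the normalised absolute path the entry would be written to.
    Assumption for this example: a stream name is joined relative to the base
    file's directory, so '..' components inside it can climb out of the root."""
    root = ntpath.normpath(extract_root)
    base = base.replace("/", "\\")
    if stream is None:
        return ntpath.normpath(ntpath.join(root, base))
    return ntpath.normpath(ntpath.join(root, ntpath.dirname(base), stream.replace("/", "\\")))


def is_outside(extract_root, resolved):
    """True when the resolved path is not the root itself or a descendant of it."""
    root = ntpath.normpath(extract_root).lower()
    target = resolved.lower()
    return target != root and not target.startswith(root + "\\")


def scan_entries(entries, extract_root):
    """Return a Finding for every entry that uses an ADS, escapes the extraction
    root, or would land in the Startup folder; clean entries produce nothing."""
    findings = []
    for entry in entries:
        base, stream = split_ads(entry)
        resolved = resolve(extract_root, base, stream)
        reasons = []
        if stream is not None:
            reasons.append("ads")
        if is_outside(extract_root, resolved):
            reasons.append("traversal")
        low = resolved.lower()
        if STARTUP_MARKER in low:
            reasons.append("startup-folder")
        if "traversal" in reasons and ntpath.splitext(low)[1] in AUTORUN_EXTENSIONS:
            reasons.append("executable-outside-root")
        if reasons:
            findings.append(Finding(entry, resolved, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES, EXTRACT_ROOT):
        print(", ".join(finding.reasons).ljust(48), finding.entry, "->", finding.resolved)
```

Any entry carrying `traversal` or `startup-folder` is reason enough to refuse extraction of the whole archive rather than just that entry; the decoy entry pointing at a nonexistent directory is flagged too, which matters because the article notes such entries were used to bury the real payloads under a flood of warnings. The same check, run after the fact over the Startup folder and `%TEMP%` / `%LOCALAPPDATA%` for recently written `.lnk` and `.dll` files, is the corresponding hunt on a host that has already opened a suspicious archive.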

Categories: Cybersecurity, Malware Exploitation, Vulnerability Management 

Tags: WinRAR, Path Traversal, Vulnerability, CVE-2025-8088, RomCom, Malware, Zero-Day, ESET, Alternate Data Streams, Exploit 
