Recently, a dangerous zero-day vulnerability has been discovered in WinRAR, the file compression tool that millions of people use daily. Cataloged as CVE-2025-8088, this flaw is already being exploited in targeted attacks against organizations across various sectors.
According to cybersecurity researchers, the exploit is believed to be linked to the RomCom hacker group, allegedly tied to Russia, adding yet another high-profile attack to their record.
This case highlights a troubling reality: cybercriminals are becoming increasingly creative at turning common, trusted software into weapons for launching digital attacks.
What is CVE-2025-8088?
CVE-2025-8088 (with a CVSS severity score of 8.4) is a serious vulnerability that affects Windows versions of WinRAR, as well as related components such as UnRAR.dll and its portable version. The issue lies in how WinRAR handles Alternate Data Streams (ADS) inside maliciously crafted archive files.
In simple terms: attackers can hide malicious code within an ADS and, by manipulating the internal file paths, trick WinRAR into extracting content outside the folder where it is supposed to go.
The consequence? A RAR file that appears harmless could drop malware (such as malicious DLLs or executable shortcuts) into sensitive system locations, for example, the Windows startup folder—allowing it to run automatically every time you log in.
CVE-2025-8088 (Source: SOCRadar)
Which Versions of WinRAR Are at Risk?
All versions up to and including 7.12 are vulnerable to CVE-2025-8088. If you use WinRAR and haven’t updated since then, you’re in the red zone. According to ESET’s research, attacks exploiting this flaw began on July 18, 2025. This means there was a period of active exploitation before a patch was available.
Is There a Patch Available?
Yes. The WinRAR team fixed the issue on July 30, 2025, with the release of WinRAR 7.13. If you haven’t updated yet, doing so should be your top priority.
How the CVE-2025-8088 Exploit Works
At first glance, the malicious file looks harmless—just a single document, often presented as a résumé or a job application letter. But behind that façade, the attacker hides multiple manipulated Alternate Data Stream (ADS) entries. Some contain the actual malicious payload; others are merely “filler” designed to mislead and conceal the real threat.
When the victim extracts the file, the following can happen:
- Malicious DLLs are placed in temporary folders such as %TEMP% or %LOCALAPPDATA%.
- Shortcut files (.lnk) are installed in the Windows Startup folder.
- The malware achieves persistence, running automatically on every reboot.
The key trick lies in the use of path traversal sequences (..) inside the ADS paths, forcing WinRAR to extract files outside the intended folder. Although WinRAR does issue warnings about invalid paths, attackers disguise them with seemingly harmless errors, burying the suspicious entries in a long list of messages.
Who’s Behind the Attacks?
ESET’s investigation points directly to the RomCom hacker group (also known as Storm-0978, Tropical Scorpius, or UNC2596). This group has experience in both cyberespionage and financially motivated attacks, and a well-documented history of exploiting zero-day vulnerabilities.
Some examples of their past activity include:
- CVE-2023-36884 in Microsoft Word (2023).
- A combined attack involving CVE-2024-9680 in Firefox and CVE-2024-49039 in Windows (2024).
In this particular campaign, RomCom targeted companies in finance, defense, manufacturing, and logistics sectors in Europe and Canada. Their attacks were delivered via carefully crafted spear-phishing emails disguised as job applications, attaching RAR files containing the embedded exploit.
Other Actors Exploiting the Vulnerability
RomCom wasn’t the only one to exploit this flaw. According to BI.ZONE, the Paper Werewolf group also used it, likely after purchasing an exploit on the dark web for $80,000. In their campaigns, Paper Werewolf combined CVE-2025-8088 with another WinRAR vulnerability (CVE-2025-6218) to launch phishing attacks against organizations in Russia.
Attack Chains and Detected Payloads
ESET identified three main execution paths in campaigns exploiting CVE-2025-8088:
Mythic Agent via COM Hijacking
- A malicious .lnk file drops a DLL in %TEMP%.
- Modifies the Registry to hijack the COM object PSFactoryBuffer.
- The DLL decrypts and executes embedded shellcode.
- Connects to a C2 server and only acts if it detects specific targeted domains.
SnipBot Variant with Anti-Analysis
- The .lnk launches a trojanized PuTTY file (ApbxHelper.exe).
- Implements anti-sandbox checks by reviewing recent document activity.
- Downloads and executes additional payloads from attacker-controlled servers.
RustyClaw and MeltingClaw Downloaders
- The .lnk triggers Complaint.exe (RustyClaw).
- Searches for and downloads more malware, including the MeltingClaw downloader.
- Operates over a C2 infrastructure separate from SnipBot, adding modularity to the attack.
Mythic Agent Infection Chain (Source: ESET)
Why CVE-2025-8088 Deserves Your Attention Right Now
Tools like WinRAR are everywhere—on personal computers, work laptops, corporate servers… practically in any environment. That’s exactly what makes a vulnerability like CVE-2025-8088 so dangerous.
- It doesn’t take much to trigger: all it takes is for the user to extract a file.
- It exploits trust: extracting a file is something most people consider safe.
- It can reach critical areas of the system: and from there, execute code with high privileges.
And the worst part is, this isn’t the first time WinRAR has faced such a situation. In 2023, the CVE-2023-38831 vulnerability was massively exploited by several cyber-espionage groups. The fact that this is happening again only reinforces the importance of keeping even the most basic software up to date.
How to Protect Yourself from CVE-2025-8088
1. Update Without Delay
- Download and install WinRAR 7.13 or higher, which fixes this flaw along with other security issues.
- If your company uses software that depends on UnRAR.dll, make sure those libraries are updated as well.
2. Strengthen Security Awareness
- Train your team to spot spear-phishing attempts, especially in emails posing as job applications or with attachments containing “CV” in their names.
- Always verify the sender’s legitimacy before opening a file.
3. Control Extraction Paths
- Configure WinRAR (and any similar tool) to extract only into folders where the user has limited permissions.
- Whenever possible, block execution from temporary directories.
4. Monitor for Signs of Compromise
- Look for unexpected .lnk shortcuts in the Windows Startup folder.
- Check for unknown DLLs in %TEMP% or %LOCALAPPDATA%.
- Review network connections and block any traffic to suspicious domains.
Conclusion: Don’t Just React—Prevent
CVE-2025-8088 is a reminder that security isn’t a one-time project but an ongoing process. Keeping software updated and responding quickly to new threats can be the difference between a scare and a disaster.
At TecneOne, we help companies implement patch management strategies that don’t rely on memory or luck, but on automated and reliable processes. Tools like TecnetProtect Backup not only allow centralized deployment of updates but also combine it with backups and active malware protection.
With such a solution, whenever a critical vulnerability (like CVE-2025-8088) appears, you can apply the patch within hours, minimize the exposure window, and maintain business continuity without disruptions. In cybersecurity, speed and planning are your best allies—and having the right technology partners can make all the difference.