Recently, a dangerous zero-day vulnerability has been discovered in WinRAR, the file compression tool that millions of people use daily. Cataloged as CVE-2025-8088, this flaw is already being exploited in targeted attacks against organizations across various sectors.
According to cybersecurity researchers, the exploit is believed to be linked to the RomCom hacker group, allegedly tied to Russia, adding yet another high-profile attack to their record.
This case highlights a troubling reality: cybercriminals are becoming increasingly creative at turning common, trusted software into weapons for launching digital attacks.
CVE-2025-8088 (with a CVSS severity score of 8.4) is a serious vulnerability that affects Windows versions of WinRAR, as well as related components such as UnRAR.dll and its portable version. The issue lies in how WinRAR handles Alternate Data Streams (ADS) inside maliciously crafted archive files.
In simple terms: attackers can hide malicious code within an ADS and, by manipulating the internal file paths, trick WinRAR into extracting content outside the folder where it is supposed to go.
The consequence? A RAR file that appears harmless could drop malware (such as malicious DLLs or executable shortcuts) into sensitive system locations, for example, the Windows startup folder—allowing it to run automatically every time you log in.
CVE-2025-8088 (Source: SOCRadar)
All versions up to and including 7.12 are vulnerable to CVE-2025-8088. If you use WinRAR and haven’t updated beyond version 7.12, you’re in the red zone. According to ESET’s research, attacks exploiting this flaw began on July 18, 2025. This means there was a period of active exploitation before a patch was available.
Yes, a patch is available: the WinRAR team fixed the issue on July 30, 2025, with the release of WinRAR 7.13. If you haven’t updated yet, doing so should be your top priority.
At first glance, the malicious file looks harmless—just a single document, often presented as a résumé or a job application letter. But behind that façade, the attacker hides multiple manipulated Alternate Data Stream (ADS) entries. Some contain the actual malicious payload; others are merely “filler” designed to mislead and conceal the real threat.
When the victim extracts the file, the following can happen:
- Malicious DLLs are placed in temporary folders such as %TEMP% or %LOCALAPPDATA%.
- Shortcut files (.lnk) are installed in the Windows Startup folder.
- The malware achieves persistence, running automatically on every reboot.
The key trick lies in the use of path traversal sequences (..) inside the ADS paths, forcing WinRAR to extract files outside the intended folder. Although WinRAR does issue warnings about invalid paths, attackers disguise them with seemingly harmless errors, burying the suspicious entries in a long list of messages.
ESET’s investigation points directly to the RomCom hacker group (also known as Storm-0978, Tropical Scorpius, or UNC2596). This group has experience in both cyberespionage and financially motivated attacks, and a well-documented history of exploiting zero-day vulnerabilities.
Some examples of their past activity include:
- CVE-2023-36884 in Microsoft Word (2023).
- A combined attack involving CVE-2024-9680 in Firefox and CVE-2024-49039 in Windows (2024).
In this particular campaign, RomCom targeted companies in finance, defense, manufacturing, and logistics sectors in Europe and Canada. Their attacks were delivered via carefully crafted spear-phishing emails disguised as job applications, attaching RAR files containing the embedded exploit.
RomCom wasn’t the only one to exploit this flaw. According to BI.ZONE, the Paper Werewolf group also used it, likely after purchasing an exploit on the dark web for $80,000. In their campaigns, Paper Werewolf combined CVE-2025-8088 with another WinRAR vulnerability (CVE-2025-6218) to launch phishing attacks against organizations in Russia.
ESET identified three main execution paths in campaigns exploiting CVE-2025-8088:
1. Mythic Agent via COM Hijacking
- A malicious .lnk file drops a DLL in %TEMP%.
- Modifies the Registry to hijack the COM object PSFactoryBuffer.
- The DLL decrypts and executes embedded shellcode.
- Connects to a C2 server and only acts if it detects specific targeted domains.
2. SnipBot Variant with Anti-Analysis
- The .lnk launches a trojanized PuTTY file (ApbxHelper.exe).
- Implements anti-sandbox checks by reviewing recent document activity.
- Downloads and executes additional payloads from attacker-controlled servers.
3. RustyClaw and MeltingClaw Downloaders
- The .lnk triggers Complaint.exe (RustyClaw).
- Searches for and downloads more malware, including the MeltingClaw downloader.
- Operates over a C2 infrastructure separate from SnipBot, adding modularity to the attack.
Mythic Agent Infection Chain (Source: ESET)
Tools like WinRAR are everywhere—on personal computers, work laptops, corporate servers… practically in any environment. That’s exactly what makes a vulnerability like CVE-2025-8088 so dangerous.
- It doesn’t take much to trigger: all it takes is for the user to extract a file.
- It exploits trust: extracting a file is something most people consider safe.
- It can reach critical areas of the system, and from there execute code with high privileges.
And the worst part is, this isn’t the first time WinRAR has faced such a situation. In 2023, the CVE-2023-38831 vulnerability was massively exploited by several cyber-espionage groups. The fact that this is happening again only reinforces the importance of keeping even the most basic software up to date.
- Train your team to spot spear-phishing attempts, especially in emails posing as job applications or with attachments containing “CV” in their names.
- Always verify the sender’s legitimacy before opening a file.
- Configure WinRAR (and any similar tool) to extract only into folders where the user has limited permissions.
- Whenever possible, block execution from temporary directories.
- Look for unexpected .lnk shortcuts in the Windows Startup folder.
- Check for unknown DLLs in %TEMP% or %LOCALAPPDATA%.
- Review network connections and block any traffic to suspicious domains.
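The two host-side checks in the list above (unexpected .lnk files in the Startup folder, unknown DLLs under the temp and local app-data folders) can be scripted as a quick triage pass. The following Python is an added example, not part of the article or of any vendor tool: it audits a user-profile tree for exactly those two artifacts. The folder layout is the standard per-user one under the profile root; on a real Windows host you would pass `os.environ["USERPROFILE"]`, while here a small profile tree with one planted shortcut and one planted DLL is constructed in a temporary directory (all file names in it are made up) so the audit runs offline.

```python
import os
import tempfile
from pathlib import Path

# Folders the article points at, relative to the user profile: the per-user
# Startup folder where the .lnk persistence lands, and the temp / local
# app-data folders used for dropped DLLs. They are joined onto a profile
# root so the same audit runs against a constructed tree or a real profile.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
DROP_DIRS_REL = [Path("AppData/Local/Temp"), Path("AppData/Local")]


def _walk(top, max_depth):
    """Yield files under top, descending at most max_depth levels."""
    top = Path(top)
    for dirpath, dirnames, filenames in os.walk(top):
        depth = len(Path(dirpath).relative_to(top).parts)
        if depth >= max_depth:
            dirnames[:] = []  # stop descending past the depth limit
        for fname in filenames:
            yield Path(dirpath) / fname


def find_startup_shortcuts(profile):
    """Every .lnk in the Startup folder; the user should recognise each one."""
    startup = Path(profile) / STARTUP_REL
    if not startup.is_dir():
        return []
    return sorted(p.name for p in startup.iterdir() if p.suffix.lower() == ".lnk")


def find_dropped_dlls(profile, max_depth=2):
    """DLLs sitting in the drop folders (shallow search), returned as
    profile-relative POSIX-style paths so results are stable across hosts."""
    profile = Path(profile)
    found = set()  # Temp is also under Local, so de-duplicate
    for rel in DROP_DIRS_REL:
        top = profile / rel
        if not top.is_dir():
            continue
        for f in _walk(top, max_depth):
            if f.suffix.lower() == ".dll":
                found.add(f.relative_to(profile).as_posix())
    return sorted(found)


def audit_profile(profile):
    """Both checks in one report; anything listed needs a human look."""
    return {
        "startup_shortcuts": find_startup_shortcuts(profile),
        "dropped_dlls": find_dropped_dlls(profile),
    }


def build_sample_profile(root):
    """Constructed profile tree: one planted shortcut and one planted DLL
    beside benign files. All names are made up for the demonstration."""
    root = Path(root)
    startup = root / STARTUP_REL
    startup.mkdir(parents=True, exist_ok=True)
    (startup / "Updater.lnk").write_bytes(b"")
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
    temp = root / "AppData/Local/Temp"
    temp.mkdir(parents=True, exist_ok=True)
    (temp / "msedge_helper.dll").write_bytes(b"MZ")
    (temp / "install.log").write_text("ok\n")
    logs = root / "AppData/Local/Microsoft/OneDrive/Logs"
    logs.mkdir(parents=True, exist_ok=True)
    (logs / "sync.log").write_text("ok\n")
    return root


def demo():
    """Run the audit against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(tmp))


if __name__ == "__main__":
    print(demo())
```

The DLL search is deliberately shallow: the point is to surface files dropped directly into the temp and local app-data folders, not to inventory every library under installed applications. Compare the output against what you expect on that machine; a shortcut or DLL nobody can account for is the lead to pull.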
CVE-2025-8088 is a reminder that security isn’t a one-time project but an ongoing process. Keeping software updated and responding quickly to new threats can be the difference between a scare and a disaster.
At TecnetOne, we help companies implement patch management strategies that don’t rely on memory or luck, but on automated and reliable processes. Tools like TecnetProtect Backup not only allow centralized deployment of updates but also combine it with backups and active malware protection.
With such a solution, whenever a critical vulnerability (like CVE-2025-8088) appears, you can apply the patch within hours, minimize the exposure window, and maintain business continuity without disruptions. In cybersecurity, speed and planning are your best allies—and having the right technology partners can make all the difference.