Researchers have detailed a recently patched WinRAR path traversal vulnerability, tracked as CVE-2025-8088, which the Russian 'RomCom' hacking group exploited as a zero-day to drop different malware payloads.

RomCom (also known as Storm-0978 and Tropical Scorpius) is a Russian cyberespionage group with a history of zero-day exploitation. Earlier zero-day attacks attributed to the group exploited flaws in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884), demonstrating its ability to exploit vulnerabilities in widely used software.

ESET discovered on July 18, 2025 that RomCom was exploiting a previously undocumented path traversal zero-day in WinRAR. The flaw, now tracked as CVE-2025-8088, lets a crafted archive use alternate data streams to write files outside the intended extraction directory and ultimately execute malicious code. After ESET's notification, WinRAR released a fix in version 7.13 on July 30, 2025.

ESET's report explains that the malicious RAR archives used by RomCom contain numerous hidden ADS (Alternate Data Stream) entries that conceal a malicious DLL and a Windows shortcut. The executables are written to the %TEMP% or %LOCALAPPDATA% directories, while the Windows shortcut (LNK) files are dropped into the Windows Startup folder so that they run at the next login.
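As an added defensive illustration (not part of ESET's or Bi.Zone's published tooling), the following Python triages archive entry names of the kind an archive-listing tool prints, flagging ADS entries whose stream name traverses out of the extraction directory or resolves into the Startup folder, while leaving benign streams such as Zone.Identifier alone. The entry names are constructed samples, not indicators from the real campaign.

```python
from typing import List, NamedTuple, Optional

# Constructed sample listing of entry names inside an archive (not from a real
# RomCom sample). A Windows ADS entry takes the form "file:streamname".
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/cover.png",
    "report.pdf:..\\..\\..\\AppData\\Local\\Temp\\helper.dll",
    "report.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "notes.txt:Zone.Identifier",
]

# Path fragment that identifies the per-user Startup folder, compared case-insensitively.
STARTUP_MARKER = "start menu/programs/startup"


class Finding(NamedTuple):
    entry: str
    ads_name: Optional[str]
    escapes_extract_dir: bool
    lands_in_startup: bool


def analyze_entry(name: str) -> Finding:
    """Classify one archive entry name; the ADS name is what an extractor writes to."""
    base, sep, stream = name.partition(":")
    ads = stream if sep else None
    # For an ADS entry the stream name is the path the extractor would create,
    # so evaluate it (rather than the base file name) for traversal.
    target = stream if ads else base
    parts = target.replace("\\", "/").split("/")
    depth = 0
    escapes = False
    for part in parts:
        if part == "..":
            depth -= 1
            if depth < 0:          # climbed above the extraction root
                escapes = True
        elif part and part != ".":
            depth += 1
    lands = STARTUP_MARKER in target.replace("\\", "/").lower()
    return Finding(name, ads, escapes, lands)


def suspicious_entries(entries: List[str]) -> List[Finding]:
    """Return only the entries that escape the extraction directory or hit Startup."""
    return [f for f in map(analyze_entry, entries)
            if f.escapes_extract_dir or f.lands_in_startup]
```

The same check applies to plain (non-ADS) entry names, so a listing containing `..\` components is flagged whether or not an alternate data stream is involved.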

ESET documented three distinct attack chains, all delivering known RomCom malware families. Separately, the Russian cybersecurity firm Bi.Zone reports a different activity cluster, which it tracks as 'Paper Werewolf', exploiting CVE-2025-8088 alongside CVE-2025-6218 in attacks.

Although Microsoft added native RAR support to Windows in 2023, the feature is available only on newer releases and lacks many of WinRAR's capabilities, so many power users and organizations still rely on WinRAR for managing archives, making it an attractive target. WinRAR has no auto-update feature, so users must manually download and install the latest version from the WinRAR website.

The exploitation of CVE-2025-8088 underscores the importance of prompt patching and user awareness in preventing such attacks. ESET has published the complete indicators of compromise for the latest RomCom attacks in its GitHub repository.
