Tech News
← Back to articles

Details emerge on WinRAR zero-day attacks that infected PCs with malware

2025-10-31 | original
read original related products more articles

Researchers have released a report detailing how a recent WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day attacks by the Russian 'RomCom' hacking group to drop different malware payloads.

RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage threat group with a history in zero-day exploitation, including in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).

ESET discovered that RomCom was exploiting an undocumented path traversal zero-day vulnerability in WinRAR on July 18, 2025, and notified the team behind the popular archiver tool.

"Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams. After immediate notification, WinRAR released a patched version on July 30th, 2025," explains a new report published by ESET today.

WinRAR released a fix for the flaw, which was assigned the identifier CVE-2025-8088, on July 30, 2025, with version 7.13. However, there was no mention of active exploitation in the accompanying advisory.

ESET confirmed the malicious activity to BleepingComputer late last week, which was believed to be used to extract dangerous executables to autorun paths when a user opens a specially crafted archive.

The vulnerability was similar to another path traversal flaw in WinRAR, disclosed a month earlier, tracked as CVE-2025-6218.

ESET's report explains that the malicious RAR archives include numerous hidden ADS (Alternate Data Stream) payloads that are used to hide a malicious DLL and Windows shortcut, which are extracted into attacker-specified folders when the targets open the archive.

Many of the ADS entries are for invalid paths, which ESET believes were deliberately added to generate harmless-looking WinRAR warnings, while concealing the presence of the malicious DLL, EXE, and LNK file paths deeper in the file list.

Malicious RAR archive (top) and errors during decompression (bottom)

... continue reading

Related:
Try this 30-second refresh on your Roku TV before replacing it for good
Advent of Code on the Z-Machine
APT37 hackers abuse Google Find Hub in Android data-wiping attacks
Amazon pulls the plug on its Android app store that you never used anyway
CISA and FBI: Ghost ransomware breached orgs in 70 countries

© 2025 GoKawiil