WinRAR Zero-Day (CVE-2025-8088) Exploited by RomCom Hackers, ESET Warns
The ESET research team has published a detailed analysis revealing how the cyber-espionage group RomCom exploited a previously unknown path-traversal vulnerability in WinRAR (CVE-2025-8088) to stealthily install malicious software on victims’ computers. This flaw was leveraged in zero-day attacks, meaning it remained unpatched at the time of discovery.
According to ESET, exploitation in the wild was detected on July 18, 2025, and promptly reported to the WinRAR developers. On July 30, version 7.13 was released with a fix, yet the accompanying update notes made no mention that the vulnerability had been actively abused. Only later did ESET confirm that the flaw enabled the extraction of executable files directly into startup directories when a victim opened a specially crafted archive.
CVE-2025-8088 proved to be a variant of a Directory Traversal vulnerability, triggered by the abuse of Alternate Data Streams (ADS). It allowed attackers to force WinRAR to unpack files into directories of their choosing rather than the user-selected folder. This opened the door to silently placing shortcuts, DLLs, and executables into system or user startup folders. ESET notes similarities with another WinRAR path-traversal flaw, CVE-2025-6218, disclosed just a month earlier.
The malicious archives used in these attacks carried numerous hidden payloads within ADS. Some streams pointed to non-existent paths, producing harmless WinRAR warnings about failed extractions — a distraction that concealed the presence of genuine malicious objects buried deeper, including DLL, EXE, and LNK files. Ultimately, executables landed in %TEMP% or %LOCALAPPDATA%, while shortcuts were placed in the Windows startup folder. Upon the user’s next login, these shortcuts triggered the embedded malware, continuing the execution chain.
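As an added illustration (not ESET's or RarLab's code), the Python below models the containment check an archiver has to apply to every entry, ADS names included, and runs it over a constructed listing in the shape described above. The sample entry names, the destination folder, and the way the stream part is joined onto the host file's directory are assumptions made for the example, not WinRAR's actual logic.

```python
import ntpath  # Windows path semantics, usable on any OS

# Constructed sample listing (not from the real archives): entry names as an
# archive lister reports them, with ':' separating a host file from an ADS name.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"report.pdf:..\..\..\..\nonexistent\dir\decoy.bin",  # decoy: only yields a warning
    r"report.pdf:..\..\AppData\Local\Temp\ApbxHelper.exe",
    r"report.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Display Settings.lnk",
]
DEST = r"C:\Users\victim\Downloads\report"  # user-selected extraction folder (constructed)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # per-user Startup folder, lower-cased

def split_ads(entry):
    """Split 'host:stream' into (host, stream); stream is None for a plain entry.
    The drive colon in 'C:\\...' is not an ADS separator."""
    drive, rest = ntpath.splitdrive(entry)
    host, sep, stream = rest.partition(":")
    return drive + host, (stream if sep else None)

def resolve_target(dest, entry):
    """Path an unsanitised extractor would write for one entry.
    Assumption (a model, not WinRAR's code): the stream part is joined as a
    relative path onto the directory that holds the host file."""
    host, stream = split_ads(entry)
    host_path = ntpath.normpath(ntpath.join(dest, host))
    if stream is None:
        return host_path
    return ntpath.normpath(ntpath.join(ntpath.dirname(host_path), stream))

def is_inside(dest, target):
    """Containment check a hardened extractor must apply after normalisation:
    the resolved path has to stay below the chosen destination directory."""
    root = ntpath.normcase(ntpath.normpath(dest))
    return ntpath.normcase(target).startswith(root + "\\")

def audit(dest, entries):
    """Report every entry whose resolved path escapes dest, noting drops into
    a Startup folder and the dropped file's extension (.lnk/.dll/.exe matter)."""
    findings = []
    for entry in entries:
        target = resolve_target(dest, entry)
        if is_inside(dest, target):
            continue  # stays under the user-selected folder: nothing to flag
        findings.append({"entry": entry, "target": target,
                         "ext": ntpath.splitext(target)[1].lower(),
                         "startup": STARTUP_MARKER in ntpath.normcase(target)})
    return findings
```

Run `audit(DEST, SAMPLE_ENTRIES)`: the decoy and the two real payloads are all flagged as escaping the destination, and only the .lnk entry is additionally tagged as a Startup-folder drop.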
ESET identified three distinct infection chains, each delivering different RomCom tools:
- Mythic Agent — The Updater.lnk shortcut added the msedge.dll library to a registry key to hijack COM initialization. The DLL decrypted an AES-wrapped payload and executed it only if the machine’s domain matched a hardcoded value. This launched the Mythic agent, which connected to a C2 server, received commands, and downloaded additional modules.
- SnipBot — The Display Settings.lnk shortcut launched ApbxHelper.exe, a modified PuTTY CAC binary with an invalid certificate. Before its active phase, it checked that at least 69 documents had been opened recently on the device. If the condition was met, it decrypted the next code block and retrieved further payloads from attacker-controlled servers.
- MeltingClaw — The Settings.lnk shortcut executed Complaint.exe (aka RustyClaw), which loaded the MeltingClaw DLL. This component, in turn, downloaded and executed additional malicious modules from the operator’s infrastructure.
RomCom — also tracked as Storm-0978 and Tropical Scorpius — is a seasoned cyber-espionage actor with a history of zero-day exploitation, previously abusing vulnerabilities in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884). In parallel, Russian firm Bi.Zone reported another attack wave, “Paper Werewolf,” which also leveraged CVE-2025-8088 and CVE-2025-6218.
ESET has published a complete list of Indicators of Compromise (IoCs) for RomCom’s latest campaigns on GitHub. WinRAR developer RarLab stated they had no detailed information on the in-the-wild exploitation mechanics and had received no user reports of such incidents, obtaining only the technical data needed to produce a fix.
The situation is compounded by the fact that WinRAR still lacks an automatic update feature. Users must manually download and install version 7.13 from the official website to secure their systems. Although native RAR support was added to Windows in 2023, it is limited to newer builds and lacks the functionality of WinRAR, prompting both individuals and organizations to continue relying on the archiver — making it a lucrative target for attackers.