WinRAR zero-day CVE-2025-8088: Update now to stay safe
Immediate action required: ESET Research uncovered an in-the-wild WinRAR zero-day (CVE-2025-8088) abused by the Russia-aligned RomCom group. The flaw uses alternate data streams (ADSes) to hide malicious files inside RAR archives and drop them outside the intended extraction folder, enabling persistence and code execution.
What you should do now
- Update to WinRAR 7.13 or later immediately. This includes the Windows GUI, command-line utilities, UnRAR.dll, and any software built on the portable UnRAR source code.
- If your software bundles UnRAR components, update those dependencies now.
- Treat unsolicited RAR attachments (especially job applications/resumes) as suspicious; quarantine or block by policy.
- Monitor for unexpected .LNK files in the Startup folder and new DLL/EXE files in %TEMP% or %LOCALAPPDATA%.
How CVE-2025-8088 works
- Attackers craft archives that appear to contain a single benign file while smuggling additional payloads in ADSes.
- Using relative paths with ..\, the exploit performs path traversal during extraction.
- WinRAR unpacks the benign file and the hidden ADS content, dropping a malicious .LNK into the Startup folder and a DLL/EXE into %TEMP% or %LOCALAPPDATA% for persistence and execution.
- Dummy ADS entries are added to generate harmless-looking errors, pushing the real, suspicious paths out of immediate view in the WinRAR UI.
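The smuggling described above can be spotted before extraction by inspecting the archive's entry names. The following Python check is an added example (not code from ESET or WinRAR); it assumes the entry names have already been read out of the archive with a listing tool or RAR parser, and it flags ADS entries whose stream path escapes the extraction folder, noting Startup-folder targets and .LNK/.DLL/.EXE payloads along the way:

```python
import posixpath
import re
# Constructed listing mirroring the technique above: a benign-looking file plus ADS
# entries whose stream paths traverse out of the extraction folder (sample input only).
SAMPLE_LISTING = [
    "resume.pdf",
    "resume.pdf:..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "resume.pdf:..\\..\\..\\..\\AppData\\Local\\Temp\\msedge.dll",
    "resume.pdf:..\\..\\..\\..\\nonexistent\\dummy1",  # decoy ADS: only yields an extraction error
    "resume.pdf:Zone.Identifier",                      # benign ADS that stays inside the folder
]

DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
PAYLOAD_EXT = {".lnk", ".dll", ".exe"}
STARTUP_MARKER = "start menu/programs/startup/"

def split_ads(entry):
    """Split 'file:stream' into (file, stream); a drive prefix (C:\\) is not a separator."""
    prefix, body = "", entry
    if DRIVE_RE.match(entry):
        prefix, body = entry[:2], entry[2:]
    if ":" in body:
        name, stream = body.split(":", 1)
        return prefix + name, stream
    return entry, ""

def normalized(path):
    # RAR entry names use backslashes; compare in lower-case POSIX form
    return posixpath.normpath(path.replace("\\", "/")).lower()

def escapes_root(path):
    """True when the path would resolve outside the extraction directory."""
    norm = normalized(path)
    return norm == ".." or norm.startswith(("../", "/")) or bool(DRIVE_RE.match(path))

def analyze_entry(entry):
    """Reasons an entry looks like ADS-based smuggling; empty list means nothing odd."""
    name, stream = split_ads(entry)
    target = stream or name  # ADS data is written to the stream's path, so inspect that
    reasons = ["ads"] if stream else []
    if escapes_root(target):
        reasons.append("traversal")
    norm = normalized(target)
    if STARTUP_MARKER in norm:
        reasons.append("startup-folder")
    if posixpath.splitext(norm)[1] in PAYLOAD_EXT:
        reasons.append("executable-payload")
    return reasons

def scan_listing(entries):
    """Entries that would land outside the folder; an ADS on its own is not flagged."""
    return [(e, r) for e in entries if "traversal" in (r := analyze_entry(e))]
```

Run against SAMPLE_LISTING, scan_listing reports the Startup .LNK, the %TEMP% DLL and the decoy entry, while the benign file and its Zone.Identifier stream pass.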
Who was targeted and how
- Timeframe: July 18–21, 2025.
- Sectors: financial, manufacturing, defense, and logistics.
- Regions: Europe and Canada.
- Lure: spearphishing emails carrying RAR attachments that masquerade as CVs.
- ESET telemetry indicates attempted intrusions with no confirmed compromises among observed targets.
Observed payload chains
- Mythic agent: Updater.lnk creates HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 set to %TEMP%\msedge.dll. This COM hijack abuses npmproxy.dll’s PSFactoryBuffer so apps like Microsoft Edge trigger the malicious DLL, which decrypts AES shellcode and only runs on a predetermined domain (execution guardrail). C2: https://srlaptop[.]com/s/0.7.8/clarity.js.
- SnipBot variant: Display Settings.lnk launches %LOCALAPPDATA%\ApbxHelper.exe (a modified PuTTY CAC with an invalid signature). Anti-analysis check requires at least 69 RecentDocs entries (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs). Next stage is fetched from https://campanole[.]com/TOfrPOseJKZ.
- MeltingClaw chain: Settings.lnk runs %LOCALAPPDATA%\Complaint.exe (RustyClaw downloader, invalid signature), which retrieves install_module_x64.dll (MeltingClaw) from https://melamorri[.]com/iEZGPctehTZ. Observed C2: https://gohazeldale[.]com.
Timeline and scope
- July 18, 2025: Malicious archive exploiting the bug seen in WinRAR 7.12.
- July 24, 2025: Vulnerability privately reported; fixed the same day (WinRAR 7.13 beta 1).
- July 30, 2025: WinRAR 7.13 release with the official patch.
- Related: a similar WinRAR path traversal (CVE-2025-6218) was disclosed on June 19, 2025.
- Another threat actor also exploited CVE-2025-8088; it was independently discovered by BI.ZONE, with activity beginning days after RomCom.
About RomCom
- Russia-aligned group conducting both cybercrime and targeted espionage.
- Known for zero-day use: CVE-2023-36884 (Microsoft Word) in 2023 and a 2024 chain (CVE-2024-9680 with CVE-2024-49039) against Firefox, Thunderbird, and Tor.
Quick detection hints
- Startup folder tampering: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for unexpected .LNK files.
- COM hijack persistence: HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32.
- Network indicators: srlaptop[.]com, campanole[.]com, melamorri[.]com, gohazeldale[.]com.
Bottom line
- Patch WinRAR and all UnRAR components to 7.13+ without delay.
- Harden email and endpoint controls against RAR attachments.
- Hunt for persistence artifacts and monitor for the listed network indicators.
Source: WeLiveSecurity