
RomCom Hackers Exploit WinRAR Zero-Day CVE-2025-8088 in Cyberattacks, ESET Confirms


Cybersecurity researchers have uncovered that the Russian hacking group RomCom exploited a previously unknown flaw in WinRAR, tracked as CVE-2025-8088, in a series of zero-day attacks. The vulnerability was identified as a path traversal bug that enabled attackers to drop malicious payloads onto victims’ systems.

According to a report published by ESET, the flaw was discovered on July 18, 2025, when RomCom began using it in live campaigns. The issue stemmed from the abuse of alternate data streams (ADS) within specially crafted RAR archives. These archives contained hidden payloads designed to extract malicious files into specific Windows directories, including %TEMP%, %LOCALAPPDATA%, and the Startup folder, allowing malware to persist across reboots.

WinRAR released a patched version (7.13) on July 30, 2025, after being alerted by ESET. However, the official advisory at the time did not mention ongoing exploitation.

ESET’s analysis revealed three attack chains delivering different RomCom malware families:
  • Mythic Agent – executed through a COM hijack, enabling command-and-control communications.
  • SnipBot – a trojanized PuTTY CAC version that downloaded additional payloads.
  • MeltingClaw – a modular malware framework used for further infections.
The malicious archives also contained numerous invalid ADS entries. ESET believes these were deliberately added to create harmless-looking warnings in WinRAR, masking the presence of the true malware payloads.

This is not the first time RomCom has exploited zero-day flaws. The group, also known as Storm-0978 and Tropical Scorpius, has previously leveraged vulnerabilities in Firefox and Microsoft Office.

Russian cybersecurity company Bi.Zone separately reported that another cluster, tracked as Paper Werewolf, also abused CVE-2025-8088 and a related bug, CVE-2025-6218.

While Microsoft added native RAR support to Windows in 2023, its limited functionality means many enterprises still rely on WinRAR, making it an attractive target for attackers.

WinRAR developers confirmed that they had not received user complaints and were only provided with technical details necessary to release the patch. Since WinRAR lacks an auto-update feature, users must manually download and install the latest version to stay protected.

WinRAR Flaw Exploited as Zero-Day to Spread RomCom Malware in Phishing Attacks


A recently patched security flaw in WinRAR, identified as CVE-2025-8088, was weaponized as a zero-day exploit in phishing campaigns to deliver the RomCom malware, security researchers revealed.

The vulnerability, a directory traversal bug, was addressed in WinRAR version 7.13. It enabled attackers to craft malicious archives that could extract files into arbitrary file paths defined by the attacker rather than those selected by the user.

According to the WinRAR 7.13 changelog: "When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path."

It further clarified that "Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected."

By exploiting this flaw, attackers could place executables in Windows autorun directories, such as:
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user-specific)
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)
This ensured that the malicious files would automatically run on the next reboot, giving attackers remote code execution capabilities.
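The root cause described in both posts is an extractor writing to a path taken from the archive, including one smuggled in an alternate data stream name, instead of the folder the user chose. The Python check below is an added example, not WinRAR's or ESET's code; it shows the containment rule a hardened extractor applies before each write, and the destination folder and entry names are constructed samples.

```python
import ntpath

# Constructed sample destination chosen by the user (not from the page).
SAMPLE_DEST = r"C:\Users\alice\Downloads\out"
# Path fragment shared by the per-user and system-wide Startup folders listed above.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"


def check_extraction(dest_dir, entry_name):
    """Return (verdict, resolved_path) for an archive entry about to be written.
    An ADS suffix ("file.txt:stream") is accepted only as a plain stream name."""
    # 1. Absolute or drive-qualified names never come from a trustworthy entry.
    drive, tail = ntpath.splitdrive(entry_name)
    if drive or tail.startswith(("\\", "/")):
        return "reject:absolute", None
    # 2. Split off an optional ADS name; refuse streams that carry path components.
    base, sep, stream = entry_name.partition(":")
    if not base or (sep and (stream in ("", ".", "..") or "\\" in stream or "/" in stream)):
        return "reject:stream-path", None
    # 3. Resolve ".." and require the result to stay inside the user's destination.
    dest_norm = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest_norm, base))
    try:
        inside = ntpath.commonpath([dest_norm, target]).lower() == dest_norm.lower()
    except ValueError:  # different drives cannot be inside the destination
        inside = False
    if not inside:
        return "reject:traversal", target
    # 4. Even inside the destination, never drop files into an autorun folder.
    if STARTUP_MARKER in target.lower():
        return "reject:autorun", target
    return "allow", target + (":" + stream if sep else "")


# Constructed entry names: a benign file, a benign Zone.Identifier stream,
# a traversal into the per-user Startup folder, and a stream name carrying a path.
SAMPLE_ENTRIES = [
    "report.pdf",
    "report.pdf:Zone.Identifier",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"notes.txt:..\..\update.exe",
]


def run_samples():
    """Return {entry_name: verdict} for the constructed samples."""
    return {e: check_extraction(SAMPLE_DEST, e)[0] for e in SAMPLE_ENTRIES}
```

Only the first two samples are written; the traversal entry resolves into the Startup folder listed above and is refused, as is the stream whose name is itself a relative path.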

Since WinRAR lacks an auto-update mechanism, users are urged to manually download the latest version from win-rar.com to protect themselves against this vulnerability.

The vulnerability was uncovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. Strýček confirmed to BleepingComputer that the bug was actively exploited: "ESET has observed spearphishing emails with attachments containing RAR files," he said.

These malicious archives were used to deploy RomCom backdoors. Also known as Storm-0978, Tropical Scorpius, or UNC2596, RomCom is a Russia-linked cybercrime group tied to ransomware, credential theft, and extortion operations.

The group has a track record of leveraging zero-day exploits and developing custom malware to maintain persistence, steal sensitive data, and conduct espionage operations. RomCom has also been associated with ransomware families such as Cuba and Industrial Spy.

ESET confirmed that a detailed report on the exploitation of this flaw will be released in the coming weeks.