Attackers are actively exploiting a newly uncovered WinRAR zero-day flaw to deliver multiple malware strains. The attacks, linked to the Russia-aligned RomCom group, used specially crafted RAR archives to plant malicious files in sensitive system locations.


How the Exploit Worked

The vulnerability, tracked as CVE-2025-8088, is a path traversal flaw in WinRAR for Windows. Attackers used Alternate Data Streams (ADS) to hide malicious files within archives. When extracted, these files could be written to hidden or autorun directories, including %TEMP%, %LOCALAPPDATA%, and the Windows Startup folders. Files dropped in those locations run automatically, with no further user interaction beyond extracting the archive.
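A defender-side screening helper illustrating the indicators described above, added here as an example and not code from WinRAR, ESET or the article: it inspects the entry names an archive lister returns and flags path traversal, absolute or drive-letter paths, ADS markers, and destinations such as %TEMP%, %LOCALAPPDATA% or the Startup folder, so suspicious archives can be quarantined before extraction. The function names and the sample listing are constructed for this illustration.

```python
"""Screen archive entry names for traversal, absolute-path and Alternate Data
Stream (ADS) indicators, plus sensitive extraction destinations, before the
archive is extracted.

Hypothetical defender-side helper, not WinRAR's or ESET's code. It works on the
list of names an archive lister returns, so it needs no archive library and
runs offline on the constructed sample listing at the bottom.
"""
import re
from dataclasses import dataclass, field

# Substrings of the normalized, lower-cased path that point at the locations
# named in the article; the Startup folder is matched on its well-known tail.
SENSITIVE_MARKERS = (
    "/start menu/programs/startup/",
    "/appdata/local/",
    "/temp/",
)

_DRIVE = re.compile(r"^[A-Za-z]:")


@dataclass
class Finding:
    name: str
    reasons: list[str] = field(default_factory=list)


def inspect_entry(name: str) -> Finding:
    """Return a Finding whose `reasons` list is empty for a benign-looking name."""
    f = Finding(name)
    n = name.replace("\\", "/")              # archives may carry either separator
    body = n[2:] if _DRIVE.match(n) else n   # drop a leading "C:" before the ADS test

    # 1. A colon anywhere else in the name is the NTFS ADS syntax (file:stream).
    if ":" in body:
        f.reasons.append("ads-marker")

    # 2. Absolute or drive-letter paths escape the extraction directory outright.
    if n.startswith("/") or _DRIVE.match(n):
        f.reasons.append("absolute-path")

    # 3. A well-formed archive never needs "..": split on both "/" and ":" so a
    #    traversal hidden behind an ADS marker is still seen.
    if ".." in [p for p in re.split(r"[/:]", body) if p]:
        f.reasons.append("path-traversal")

    # 4. Check the file path and, if present, the stream path after the colon.
    for candidate in body.split(":"):
        low = "/" + candidate.lower().strip("/") + "/"
        if any(marker in low for marker in SENSITIVE_MARKERS):
            f.reasons.append("sensitive-destination")
            break
    return f


def screen_archive(names: list[str]) -> list[Finding]:
    """Return only the entries that carry at least one indicator."""
    return [f for f in (inspect_entry(n) for n in names) if f.reasons]


# Constructed sample listing: two benign entries and three patterned on the
# techniques the article describes (not taken from any real sample).
SAMPLE_LISTING = [
    "invoice.pdf",
    "docs/readme.txt",
    "../../Users/Public/run.exe",
    "C:/Windows/Temp/helper.dll",
    "notes.txt:../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/x.exe",
]

if __name__ == "__main__":
    for finding in screen_archive(SAMPLE_LISTING):
        print(f"{finding.name!r}: {', '.join(finding.reasons)}")
```

The check is deliberately conservative: any `..` component or colon in a name is enough to hold the archive for review, because a legitimately built archive has no reason to contain either, and a missed indicator costs more than a false positive at a mail gateway or endpoint quarantine step.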


Malware Delivered in the Attacks

Researchers identified three malware families deployed through these attacks:

  • Mythic Agent – Executes via COM hijacking, runs shellcode, and connects to a command-and-control server.
  • SnipBot Variant – Disguised as a fake PuTTY CAC tool, it activates only under certain system conditions.
  • MeltingClaw (RustyClaw) – A backdoor capable of downloading and running additional malicious modules.

Researchers have linked all three strains to the RomCom threat group, also tracked as Storm-0978, Tropical Scorpius, or UNC2596.


Attribution and Attack Campaigns

The attacks have been observed in phishing campaigns delivering malicious RAR files to targets. Once opened and extracted, the payloads embedded in these archives could execute immediately or lie dormant for later activation, depending on the malware's programming.


Patch and Mitigation

WinRAR patched the vulnerability in version 7.13 on July 30, 2025, after ESET researchers alerted the company. Security experts strongly urge users to update immediately to avoid compromise. Developers had already fixed a separate path traversal flaw (CVE-2025-6218) in June 2025.


Conclusion

The WinRAR zero-day exploitation highlights how common software can become a gateway for advanced cyber-espionage operations. With RomCom’s growing activity, keeping WinRAR updated is critical to reducing risk. Users should also avoid extracting archives from unknown sources, as even familiar file types can carry hidden threats.

