CVE-2025-8088: WinRAR Zero-Day Exploited in Targeted Attacks
A newly discovered zero-day vulnerability in the popular file archive tool WinRAR, tracked as CVE-2025-8088, has been actively exploited in targeted attacks across multiple sectors. The flaw has been linked to Russia-aligned hacking group RomCom, marking yet another high-profile exploit in their arsenal.
The details behind this bug reveal just how creative attackers have become in turning everyday utilities into cyber weapons.
What is CVE-2025-8088?
CVE-2025-8088 (CVSS 8.4) is a path traversal vulnerability affecting the Windows versions of WinRAR, along with related components such as UnRAR.dll and the portable UnRAR source code. The flaw stems from the way WinRAR processes alternate data streams (ADSes) within specially crafted archive files.
By embedding malicious payloads in ADSes and manipulating the file paths they carry, an attacker can trick WinRAR into extracting files outside the directory the user chose. This means that a seemingly harmless RAR file can deposit dangerous files (such as malicious DLLs or .lnk shortcut files) into sensitive system locations like the Windows Startup folder, where they execute automatically on login.
CVE-2025-8088 (SOCRadar Vulnerability Intelligence)
Which WinRAR Versions Are Affected?
All WinRAR versions up to and including 7.12 are vulnerable to CVE-2025-8088.
When Was the Exploitation First Observed?
ESET’s investigation revealed that exploitation in the wild began as early as July 18, 2025.
Is There a Patch Available?
The issue was fixed on July 30, 2025 with the release of WinRAR 7.13.
How the Exploit Works
At first glance, the archive appears to contain a single innocuous file, often something like a resume or application document. Hidden from the user’s view, however, are multiple malicious ADS entries, some containing real payloads and others filled with dummy data to distract from the real threat.
When the victim extracts the archive:
- Malicious DLLs may be placed in %TEMP% or %LOCALAPPDATA%
- Crafted .lnk shortcut files can be dropped into the Startup folder
- Persistence is achieved by ensuring payloads run automatically on reboot
Attackers use path traversal sequences (..) within ADS paths to force files into unintended directories. WinRAR does display warnings about invalid paths, but the attackers deliberately include dummy ADS entries whose errors look benign, burying the suspicious entries in a long list of extraction messages.
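The defensive counterpart of the behaviour described above is a pre-extraction check: every entry name, including the stream part of a `file:stream` ADS name, must resolve to a location strictly inside the directory the user chose. The following Python is an added example written for this article, not WinRAR's code or ESET's; the destination path and the entry names are constructed, and it uses `ntpath` so the Windows path rules apply on any host.

```python
import ntpath

# Destination the user chose; a constructed example path.
DEST = r"C:\Users\alice\Downloads\cv_submission"

# Constructed entry names (not from any real sample) covering the shapes a
# pre-extraction check must handle: plain files, a legitimate ADS, an ADS
# whose name carries traversal sequences, relative traversal and absolute paths.
SAMPLE_ENTRIES = [
    "cv.pdf",
    "docs/cover_letter.docx",
    "cv.pdf:Zone.Identifier",
    r"cv.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\AppData\Local\Temp\helper.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
    "docs/../../outside.txt",
]


def split_ads(entry):
    """Split 'file:stream' into (file, stream).

    A drive prefix such as 'C:' is peeled off first so its colon is not mistaken
    for the ADS separator; entries without a stream return (entry, None)."""
    drive, rest = ntpath.splitdrive(entry)
    if ":" in rest:
        base, stream = rest.split(":", 1)
        return drive + base, stream
    return entry, None


def check_entry(dest, entry):
    """Decide whether one archive entry may be written under dest.

    Returns (ok, resolved_target, reason). ok is True only when the file part
    resolves strictly inside dest and, if a stream is named, the stream name is
    a bare identifier with no separators or '..' that could redirect the write."""
    base, stream = split_ads(entry)
    if not base:
        return False, None, "empty file name"
    if ntpath.isabs(base) or ntpath.splitdrive(base)[0]:
        return False, None, "absolute or drive-qualified path"
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, base))
    # ntpath.commonpath compares case-insensitively, as NTFS does.
    if target == dest_norm or ntpath.commonpath([dest_norm, target]) != dest_norm:
        return False, target, "resolves outside the extraction directory"
    if stream is not None:
        if "\\" in stream or "/" in stream or stream in ("", ".", ".."):
            return False, target, "ADS name contains path components"
        target = f"{target}:{stream}"
    return True, target, "ok"


def audit(dest, entries):
    """Run check_entry over a whole listing; returns [(entry, ok, target, reason)]."""
    return [(entry,) + check_entry(dest, entry) for entry in entries]


if __name__ == "__main__":
    for entry, ok, target, reason in audit(DEST, SAMPLE_ENTRIES):
        print(f"{'ALLOW' if ok else 'BLOCK':5} {entry!r:90} -> {target} ({reason})")
```

The check resolves the path first and only then compares it with the destination, so traversal hidden behind a legitimate-looking prefix (`docs/../../`) is caught the same way as a bare `..\..\`. A stream name is accepted only as a plain identifier; anything that looks like a path in the stream part is rejected before any write happens.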
Who is Behind the Attacks?
ESET attributes the CVE-2025-8088 exploitation to RomCom, also tracked as Storm-0978, Tropical Scorpius, and UNC2596. This group is known for both cyberespionage and financially motivated operations, and has a history of zero-day exploitation.
Previous RomCom campaigns have included:
- CVE-2023-36884 in Microsoft Word (2023)
- A chained attack using CVE-2024-9680 in Firefox and CVE-2024-49039 in Windows (2024)
In this campaign, RomCom specifically targeted financial, defense, manufacturing, and logistics companies in Europe and Canada. The lures? Highly targeted spearphishing emails disguised as job applications, carrying RAR files with the exploit embedded.
Who is RomCom? Details of the threat actor group are available via SOCRadar’s Threat Actor Intelligence.
Attackers change their tactics and tools all the time. Tracking their moves manually is nearly impossible. SOCRadar’s Threat Actor Intelligence, under the Cyber Threat Intelligence module, keeps tabs on threat groups and malware campaigns, giving you up-to-date profiles and activity alerts. This helps your security team understand who’s behind attacks and what they’re up to, so you can prepare smarter defenses.
Attack Chains and Payloads
ESET identified three distinct execution chains in the CVE-2025-8088 exploitation campaigns:
1. Mythic Agent via COM Hijacking
- A malicious .lnk places a DLL in %TEMP%
- Registry manipulation hijacks COM object PSFactoryBuffer
- DLL decrypts and executes embedded shellcode
- Connects to a C2 server for further instructions, with targeting logic that only runs on specific domains
2. SnipBot Variant with Anti-Analysis
- .lnk launches a trojanized PuTTY CAC executable (ApbxHelper.exe)
- Uses anti-sandbox checks by verifying recent document activity
- Downloads and executes secondary payloads from attacker-controlled infrastructure
3. RustyClaw and MeltingClaw Downloaders
- .lnk triggers Complaint.exe (RustyClaw)
- Fetches additional malware, including the MeltingClaw downloader
- Uses separate C2 infrastructure from SnipBot for modular control
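The first chain persists through a per-user COM override, and that is something a defender can hunt for: HKCU\Software\Classes takes precedence over HKLM for non-elevated COM activation, so an InprocServer32 entry under the user's CLSID hive that points into %TEMP% or %LOCALAPPDATA% deserves a look. The Python below is an added example written for this article, not ESET's tooling; it parses a constructed .reg export, and the CLSIDs in it are placeholders rather than the real PSFactoryBuffer CLSID.

```python
import re

# Constructed .reg export (not real registry data). The CLSIDs are placeholders,
# not the real PSFactoryBuffer CLSID; what matters is the shape: a per-user
# InprocServer32 override whose DLL lives in a user-writable directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32]
@="%LOCALAPPDATA%\\Vendor\\plugin.dll"
"""

# Directory markers a standard user can write to. A COM server loading from here
# is not proof of compromise, but these are the locations the article names.
USER_WRITABLE_MARKERS = (
    r"\appdata\local\temp", r"\appdata\local", r"\appdata\roaming",
    "%temp%", "%tmp%", "%localappdata%", "%appdata%",
    r"\users\public", r"\programdata",
)

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9a-f-]+\})\\InprocServer32\]$",
    re.I,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def unescape_reg_string(value):
    """Undo .reg string escaping: a doubled backslash becomes one, \\" becomes a quote."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def find_user_writable_inproc_servers(reg_text, markers=USER_WRITABLE_MARKERS):
    """Return (clsid, dll_path, marker) for every HKCU CLSID InprocServer32 key
    whose default value points into a user-writable location.

    Only the default value (@=) of a matching key is inspected; other values and
    keys outside HKCU\\Software\\Classes\\CLSID are ignored."""
    hits = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if not m:
            continue
        dll = unescape_reg_string(m.group(1))
        low = dll.lower()
        for marker in markers:
            if marker in low:
                hits.append((current, dll, marker))
                break
    return hits


if __name__ == "__main__":
    for clsid, dll, marker in find_user_writable_inproc_servers(SAMPLE_REG):
        print(f"REVIEW {clsid}: {dll} (matched {marker})")
```

On a live host the same function can be fed the output of `reg export HKCU\Software\Classes\CLSID` saved as UTF-8 text; every hit should then be compared against the corresponding HKLM registration, since a per-user entry that shadows a machine-wide server is the hijack pattern the first chain relies on.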
Other Threat Actors Exploiting the Flaw
Interestingly, RomCom was not the only group exploiting CVE-2025-8088. Cybersecurity firm BI.ZONE reported that another threat actor, Paper Werewolf, also leveraged the vulnerability, possibly after purchasing an exploit from a dark web vendor advertising it for $80,000. Paper Werewolf reportedly combined CVE-2025-8088 with an earlier WinRAR flaw, CVE-2025-6218, in phishing campaigns against Russian organizations.
CVE-2025-6218 (SOCRadar Vulnerability Intelligence)
You can’t fix what you don’t see. Without clear visibility into exposed assets and vulnerabilities, it is difficult to prioritize your efforts. SOCRadar’s Attack Surface Management and Vulnerability Intelligence help you spot risks early and provide timely alerts on new vulnerabilities and ongoing attacks.
Why CVE-2025-8088 Demands Immediate Attention
File archiving tools like WinRAR are ubiquitous in both personal and enterprise environments. A vulnerability in such software is particularly dangerous because:
- It requires only minimal user interaction (extracting an archive)
- It bypasses typical user awareness since extraction is a trusted action
- It can target highly privileged system locations for code execution
Moreover, this isn’t WinRAR’s first brush with severe vulnerabilities – CVE-2023-38831 was exploited heavily by multiple APTs in 2023. The recurrence of such flaws emphasizes the importance of keeping even seemingly basic utilities updated.
How to Protect Against CVE-2025-8088
Update Immediately
- Upgrade to WinRAR 7.13 or later. This version fixes CVE-2025-8088 and other issues.
- If your organization uses software that relies on UnRAR.dll, ensure those dependencies are updated too.
Educate Users
- Reinforce spearphishing awareness, especially around job applications or CV-themed attachments.
- Train staff to verify sender legitimacy before opening archives.
Restrict Archive Extraction Paths
- Configure extraction defaults to user-writable directories only.
- Block execution from temporary folders where possible.
Monitor for Indicators of Compromise
- Look for unexpected .lnk files in Startup directories.
- Check for unknown DLLs in %TEMP% or %LOCALAPPDATA%.
- Review outbound network connections to suspicious domains.
Indicators of Compromise (IOCs)
Indicators of Compromise (IOCs) associated with CVE-2025-8088 exploitation include the following, per ESET’s research.
Malicious Files
- Adverse_Effect_Medical_Records_2025.rar
  SHA-1: 371A5B8BA86FBCAB80D4E0087D2AA0D8FFDDC70B
  Detection: LNK/Agent.AJN, Win64/Agent.GPM
- cv_submission.rar
  SHA-1: D43F49E6A586658B5422EDC647075FFD405D6741
  Detection: LNK/Agent.AJN, Win64/Agent.GPM
- Eli_Rosenfeld_CV2 – Copy (10).rar
  SHA-1: F77DBA76010A9988C9CEB8E420C96AEBC071B889
  Detection: Win64/Agent.GMQ
- Datos adjuntos sin título 00170.dat
  SHA-1: 676086860055F6591FED303B4799C725F8466CF4
  Detection: LNK/Agent.AJN, Win64/Agent.GPM
- JobDocs_July2025.rar
  SHA-1: 1F25E062E8E9A4F1792C3EAC6462694410F0F1CA
  Detection: LNK/Agent.AJN, Win64/TrojanDownloader.Agent.BZV
- Recruitment_Dossier_July_2025.rar
  SHA-1: C94A6BD6EC88385E4E831B208FED2FA6FAED6666
  Detection: LNK/Agent.AJN, Win64/TrojanDownloader.Agent.BZV
- install_module_x64.dll
  SHA-1: 01D32FE88ECDEA2B934A00805E138034BF85BF83
  Detection: Win64/Agent.GNV (MeltingClaw)
- msedge.dll
  SHA-1: AE687BEF963CB30A3788E34CC18046F54C41FFBA
  Detection: Win64/Agent.GMQ (Mythic agent)
- Complaint.exe
  SHA-1: AB79081D0E26EA278D3D45DA247335A545D0512E
  Detection: Win64/TrojanDownloader.Agent.BZV (RustyClaw)
- ApbxHelper.exe
  SHA-1: 1AEA26A2E2A7711F89D06165E676E11769E2FD68
  Detection: Win64/Agent.GPM (SnipBot variant)
C2 Infrastructure
- 162.19.175[.]44 – gohazeldale[.]com – OVH SAS – MeltingClaw C2
- 194.36.209[.]127 – srlaptop[.]com – CGI GLOBAL LIMITED – Mythic agent C2
- 85.158.108[.]62 – melamorri[.]com – HZ-HOSTING-LTD – RustyClaw C2
- 185.173.235[.]134 – campanole[.]com – FiberXpress BV – SnipBot C2
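The monitoring steps above and the indicators listed here go together: the hashes answer "is one of these files on disk?" and the C2 entries answer "did anything talk to this infrastructure?". The Python below is an added example written for this article, not ESET's or SOCRadar's tooling. The hashes and network indicators are transcribed from the list above; the proxy log lines are constructed, and the matcher refangs the `[.]` notation before searching.

```python
import hashlib
import os
import re

# SHA-1 hashes transcribed from the article's IOC list (ESET); lowercased so the
# comparison is case-insensitive.
FILE_IOCS = {
    "371a5b8ba86fbcab80d4e0087d2aa0d8ffddc70b": "Adverse_Effect_Medical_Records_2025.rar",
    "d43f49e6a586658b5422edc647075ffd405d6741": "cv_submission.rar",
    "f77dba76010a9988c9ceb8e420c96aebc071b889": "Eli_Rosenfeld_CV2 – Copy (10).rar",
    "676086860055f6591fed303b4799c725f8466cf4": "Datos adjuntos sin título 00170.dat",
    "1f25e062e8e9a4f1792c3eac6462694410f0f1ca": "JobDocs_July2025.rar",
    "c94a6bd6ec88385e4e831b208fed2fa6faed6666": "Recruitment_Dossier_July_2025.rar",
    "01d32fe88ecdea2b934a00805e138034bf85bf83": "install_module_x64.dll (MeltingClaw)",
    "ae687bef963cb30a3788e34cc18046f54c41ffba": "msedge.dll (Mythic agent)",
    "ab79081d0e26ea278d3d45da247335a545d0512e": "Complaint.exe (RustyClaw)",
    "1aea26a2e2a7711f89d06165e676e11769e2fd68": "ApbxHelper.exe (SnipBot variant)",
}
# Network indicators from the article, kept defanged until matching time.
NETWORK_IOCS = {
    "162.19.175[.]44": "MeltingClaw C2", "gohazeldale[.]com": "MeltingClaw C2",
    "194.36.209[.]127": "Mythic agent C2", "srlaptop[.]com": "Mythic agent C2",
    "85.158.108[.]62": "RustyClaw C2", "melamorri[.]com": "RustyClaw C2",
    "185.173.235[.]134": "SnipBot C2", "campanole[.]com": "SnipBot C2",
}

# Constructed proxy log lines (not real telemetry) to exercise the matcher.
SAMPLE_LOG = [
    "2025-07-22T10:14:03Z ALLOW 10.0.0.15 -> gohazeldale.com:443 GET /",
    "2025-07-22T10:14:09Z ALLOW 10.0.0.15 -> update.example.com:443 GET /",
    "2025-07-22T10:15:41Z ALLOW 10.0.0.22 -> 194.36.209.127:443 POST /",
    "2025-07-22T10:16:02Z ALLOW 10.0.0.22 -> 1194.36.209.127:443 GET /",
]


def refang(indicator):
    """Turn a defanged indicator like 'example[.]com' back into a matchable string."""
    return indicator.replace("[.]", ".")


def sha1_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root, iocs=FILE_IOCS):
    """Walk root and return (path, sha1, label) for every file whose SHA-1 is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable, or gone between listing and hashing
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def scan_log(lines, iocs=NETWORK_IOCS):
    """Return (line, indicator, label) for each log line mentioning a C2 domain or IP.

    The boundaries stop '1194.36.209.127' from matching '194.36.209.127' while
    still letting a subdomain such as 'cdn.gohazeldale.com' match its parent."""
    patterns = [
        (ind, label, re.compile(r"(?<![\w-])" + re.escape(refang(ind)) + r"(?![\w-])", re.I))
        for ind, label in iocs.items()
    ]
    hits = []
    for line in lines:
        for ind, label, pat in patterns:
            if pat.search(line):
                hits.append((line, ind, label))
    return hits


if __name__ == "__main__":
    for line, ind, label in scan_log(SAMPLE_LOG):
        print(f"{label:16} {ind:20} {line}")
    for path, digest, label in scan_files(os.path.expandvars("%TEMP%") if os.name == "nt" else "."):
        print(f"MATCH {label}: {path} ({digest})")
```

Point `scan_files` at the directories the article names (%TEMP%, %LOCALAPPDATA% and the per-user Startup folder) and `scan_log` at exported proxy or DNS logs; a hash hit identifies which chain's component landed, and a network hit tells you which C2 family the host reached, which is the triage context the IOC table is meant to give.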