WinRAR zero-day exploited to plant malware on archive extraction
by lulagain - Sunday August 10, 2025 at 09:03 PM
#1
A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows specially crafted archives to extract files into a file path selected by the attacker.
"When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path," reads the WinRAR 7.13 changelog.
"Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected."
Using this vulnerability, attackers can create archives that extract executables into autorun paths, such as the Windows Startup folder located at:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (Local to user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (Machine-wide)
The next time a user logs in, the executable will automatically run, allowing the attacker to achieve remote code execution.
As WinRAR does not include an auto-update feature, it is strongly advised that all users manually download and install the latest version from win-rar.com so they are protected from this vulnerability.
Exploited as a zero-day in attacks
The flaw was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, with Strýček telling BleepingComputer that it was actively exploited in phishing attacks to install malware.
"ESET has observed spearphishing emails with attachments containing RAR files," Strýček told BleepingComputer.
"These archives exploited the CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group."
RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks, along with campaigns focused on stealing credentials.
The group is known for its use of zero-day vulnerabilities in attacks and for custom malware used in data-theft attacks, for persistence, and as backdoors.
RomCom has previously been linked to numerous ransomware operations, including Cuba and Industrial Spy.
ESET is working on a report regarding the exploitation, which will be published at a later date.
@Ater  @antisocial My Nigga's
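The bug described in the post comes down to an archive entry carrying a path that the extractor honours instead of the user's chosen destination, and the Startup folders listed above are the payoff. A mail gateway or analyst can catch that class of entry before anything is extracted by normalising each entry name and checking where it would land. The following is an added example, not code from the post, from ESET, or from WinRAR: it uses Python's standard zipfile module on a constructed in-memory ZIP (the page concerns RAR; the path logic is format-agnostic and would be fed RAR entry names from a third-party reader such as rarfile, which is an assumption of mine). The destination directory, entry names and Startup-folder marker are constructed sample values.

```python
"""
Added example (not from the forum post, ESET or WinRAR): a defensive
pre-extraction check for archive entry paths that escape the chosen
extraction directory or resolve into a Windows Startup (autorun) folder.
"""
import io
import ntpath  # Windows path semantics, available on every platform
import zipfile
from dataclasses import dataclass

# Lower-cased fragment shared by both Startup locations quoted in the post:
#   %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
#   %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    entry: str
    reasons: list


def classify_entry(name, dest_dir):
    """Return the list of reasons an archive entry is unsafe for dest_dir.

    An empty list means the entry would land inside dest_dir and not in a
    Startup folder. Only the path is inspected, never the file contents.
    """
    reasons = []
    # Treat '/' and '\\' alike and collapse '.' / '..' segments.
    rel = ntpath.normpath(name.replace("/", "\\"))

    # Drive letter, UNC prefix or leading backslash: an absolute target.
    drive, tail = ntpath.splitdrive(rel)
    if drive or tail.startswith("\\"):
        reasons.append("absolute path")

    # Where would the extractor actually write if it honoured this name?
    dest = ntpath.normpath(dest_dir.replace("/", "\\"))
    target = ntpath.normpath(ntpath.join(dest, rel))

    # Anything not strictly below the destination escapes it.
    if not target.lower().startswith(dest.lower() + "\\"):
        reasons.append("escapes extraction directory")

    # Landing in a Startup folder means execution at next logon.
    if STARTUP_MARKER in target.lower():
        reasons.append("resolves into a Startup folder")

    return reasons


def scan_zip(archive_bytes, dest_dir):
    """Classify every entry of an in-memory ZIP against dest_dir."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_entry(info.filename, dest_dir)
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed sample: two benign entries and two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("docs/../notes.txt", b"benign once normalised")
        zf.writestr(
            "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/"
            "Startup/update.exe",
            b"MZ constructed placeholder",
        )
        zf.writestr(
            "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\"
            "StartUp\\svc.exe",
            b"MZ constructed placeholder",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed destination the user would have picked in the extractor.
    for f in scan_zip(build_sample_archive(), r"C:\Users\alice\Downloads\out"):
        print(f"{f.entry!r}: {', '.join(f.reasons)}")
```

The check deliberately normalises with ntpath rather than string matching on "..", so an entry such as docs/../notes.txt (which stays inside the destination) is not flagged while a name that climbs out of the destination or names an absolute path is. It is a triage aid for quarantined attachments; the remedy for CVE-2025-8088 itself remains updating to WinRAR 7.13 as the post says.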