has discovered a zero-day vulnerability in WinRAR, exploited in the wild by Russia-aligned
https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
The vulnerability, which we assigned CVE-2025-8088, allows alternate data streams to be abused to perform path traversal. Attackers can fashion a RAR archive that, when opened, drops malicious payloads into the Windows startup directory, %TEMP%, %LOCALAPPDATA%, and others.
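The check below is an added illustration, not ESET's or RARLAB's code: it is the destination validation an archive extractor on Windows should perform before writing a record, applied to the file name and, separately, to the NTFS alternate data stream (ADS) name a RAR record can carry for that file. The point of the bug class described above is that the stream name, not only the file name, decides where bytes land, so both are validated against the extraction root. The record shape (file name plus optional stream name), the `C:\Extract` root and the sample listing are assumptions constructed for the example.

```python
import ntpath

# Added example (not ESET's or RARLAB's code): destination validation for an
# archive extractor on Windows, covering both the file name and the NTFS
# alternate data stream (ADS) name of a record.  The record shape and the
# sample listing below are assumptions made for the example.


class UnsafeEntry(ValueError):
    """Raised for any archive record that must not be written as-is."""


def _components(name):
    """Split a backslash path.  Win32 drops trailing dots and spaces from each
    component, so '.. ' is '..' by the time the OS sees it; compare the
    stripped form."""
    return [c.rstrip(". ") for c in name.split("\\")]


def _check_relative_path(name):
    """Accept only a plain relative path: no drive, root, dot or colon parts."""
    if not name or name.startswith("\\") or ntpath.splitdrive(name)[0]:
        raise UnsafeEntry(f"empty, absolute or rooted path: {name!r}")
    for comp in _components(name):
        if comp in ("", ".", "..") or ":" in comp:
            raise UnsafeEntry(f"illegal component in {name!r}")


def _check_stream_name(stream):
    """An ADS name is a single NTFS name, optionally suffixed ':$DATA'.
    Separators or dot names would turn the stream into a path of its own."""
    base, _, stype = stream.partition(":")
    if stype not in ("", "$DATA") or any(ch in base for ch in "\\/"):
        raise UnsafeEntry(f"malformed stream name: {stream!r}")
    if base.rstrip(". ") in ("", ".", ".."):
        raise UnsafeEntry(f"dot-name stream: {stream!r}")


def resolve_target(dest_root, entry_name, stream_name=None):
    """Return the absolute path this record would be written to, or raise
    UnsafeEntry.  dest_root must be an absolute Windows path."""
    root = ntpath.normpath(dest_root)
    if not ntpath.isabs(root):
        raise ValueError("dest_root must be absolute")
    # Directory entries may end in '/', so a trailing separator is tolerated.
    name = entry_name.replace("/", "\\").rstrip("\\")
    _check_relative_path(name)
    target = ntpath.normpath(ntpath.join(root, name))
    # Belt and braces: the resolved file must still sit under the root.
    if ntpath.commonpath([root, target]) != root:
        raise UnsafeEntry(f"escapes {root!r}: {entry_name!r}")
    if stream_name is None:
        return target
    _check_stream_name(stream_name)
    return f"{target}:{stream_name}"


SAMPLE_RECORDS = [  # constructed listing for the example, not from a real archive
    ("report.pdf", None),
    ("docs/notes.txt", None),
    ("report.pdf", "Zone.Identifier"),   # mark-of-the-web: a legitimate ADS
    ("report.pdf", "notes:$DATA"),
    ("../evil.exe", None),               # traversal in the file name
    ("C:\\Windows\\x.dll", None),        # absolute path
    ("docs\\.. \\x.txt", None),          # '.. ' collapses to '..' on Win32
    ("report.pdf", "..\\..\\evil.exe"),  # traversal carried by the stream name
    ("report.pdf", ".."),
]


def triage_listing(dest_root, records):
    """Return [(entry, stream, verdict)], verdict 'ok' or 'BLOCK: <reason>'."""
    out = []
    for entry, stream in records:
        try:
            resolve_target(dest_root, entry, stream)
            out.append((entry, stream, "ok"))
        except UnsafeEntry as exc:
            out.append((entry, stream, f"BLOCK: {exc}"))
    return out


if __name__ == "__main__":
    for entry, stream, verdict in triage_listing("C:\\Extract", SAMPLE_RECORDS):
        shown = entry + (":" + stream if stream else "")
        print(f"{verdict:<50} {shown}")
```

Two design choices matter here: the stream name is never joined into a path and then normalised, because a separator or a dot name inside it is already disqualifying, and the file-name check compares components after the trailing-dot-and-space stripping Windows applies, so a component such as `.. ` is caught before the OS turns it into `..`.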
On July 24, we alerted the WinRAR team, which released version 7.13 just six days later. We advise all users to install the latest version as soon as possible. We would also like to thank the WinRAR team for its cooperation and quick response. https://x.com/WinRAR_RARLAB/status/1950903968923591138
Other WinRAR tools for Windows, such as the command line tools, UnRAR.dll, and the portable UnRAR source code, are also vulnerable and need to be updated.
We discovered this vulnerability being used by RomCom to deliver several different backdoors. We identified three distinct execution chains involving a SnipBot variant, RustyClaw, and the Mythic agent.
This vulnerability was also exploited by another threat actor, independently discovered by the Russian cybersecurity company BI.ZONE, who claim Paper Werewolf began using CVE-2025-8088 on July 22, just a few days after RomCom did.
https://bi.zone/expertise/blog/paper-werewolf-atakuet-rossiyu-s-ispolzovaniem-uyazvimosti-nulevogo-dnya-v-winrar/
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/romcom
