In a disturbing turn of events, a WinRAR zero-day exploit is being leveraged by the Russian RomCom APT group in targeted attacks.
In a significant cybersecurity development, a high-risk WinRAR vulnerability, CVE-2025-8088, has been actively exploited by the RomCom Advanced Persistent Threat (APT) group since July 18, 2025. This path traversal flaw, which carries a CVSS score of 8.4, affects WinRAR versions 7.12 and earlier, including the associated components UnRAR.dll and the command-line utilities on Windows.
The RomCom APT group, known for its targeted attacks, has leveraged this vulnerability in highly targeted social engineering campaigns. The attacks are often disguised as job application documents, luring targets into extracting weaponized RAR archives that deliver the payloads.
The exploitation technique uses alternate data streams (ADSes) within the RAR files to hide and plant malicious files in locations that enable persistence and code execution. After a successful compromise, the RomCom group has deployed backdoors such as SnipBot, RustyClaw, and Mythic agents, primarily against financial, manufacturing, defense, and logistics organisations in Europe and Canada.
Indicators of compromise (IoCs) include suspicious DLL files extracted from RAR archives; the presence of backdoors such as SnipBot, RustyClaw, and Mythic agents associated with RomCom activity; and the unexpected creation of shortcut (.lnk) files or malicious DLLs in the Windows Startup folder or other sensitive directories after a suspicious archive has been extracted.
To mitigate this vulnerability, update immediately to WinRAR version 7.13 or later; WinRAR has no automatic update mechanism, so the new version must be installed manually. Organizations should also use network detection tools to identify vulnerable WinRAR versions and monitor for exploitation indicators.
It's important to note that this vulnerability was exploited as a zero-day by RomCom before the patch was issued. A miscreant even posted an ad for a working WinRAR zero-day exploit for $80,000 on a cybercrime forum at the end of June.
Intriguingly, at least one other gang, Paper Werewolf, was also exploiting CVE-2025-8088 at around the same time, according to the Russian cybersecurity company BI.ZONE. Its attacks begin with a phishing email that appears to be a job application and contains a CV with many malicious ADSes hidden from the victim.
The malicious executable, ApbxHelper.exe, is a modified version of PuTTY CAC and uses an interesting anti-analysis technique: it only executes the shellcode if the computer has recently opened at least 69 documents. The vulnerability, CVE-2025-8088, uses ADSes for path traversal, and the malicious DLL that decrypts and executes the shellcode also retrieves the domain name of the current machine, which includes the company name.
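As an added example of the entry-name check an extractor or an archive-triage script should apply before writing anything to disk (not code from WinRAR or from any source cited here): it assumes Windows path semantics and the NTFS `path:stream` notation for ADS entries, and the sample listing is constructed to mirror the job-application lure and Startup-folder traversal described above.

```python
import ntpath

STARTUP_HINT = r"\start menu\programs\startup"


def _escapes(dest, rel):
    """True when dest\\rel resolves outside dest, using Windows path rules (ntpath)."""
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, rel)))
    base = ntpath.normcase(ntpath.normpath(dest)).rstrip("\\") + "\\"
    return not target.startswith(base)


def audit_entry(name, dest=r"C:\extract"):
    """Return the reasons an archive entry name must not be written under dest.

    An empty list means the name looks safe. The checks mirror the CVE-2025-8088
    pattern: a traversal sequence hidden in the alternate data stream part of an
    entry name (path:stream) that points at a Startup folder."""
    reasons = []
    norm = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(norm)
    if drive or rest.startswith("\\"):
        reasons.append("absolute path or drive letter")
    # NTFS ADS syntax is path:stream[:$DATA]; an extractor should never create
    # named streams from an untrusted archive at all, so any colon is flagged.
    path_part, sep, stream_part = rest.partition(":")
    if sep:
        reasons.append("alternate data stream in entry name")
    for part in (path_part, stream_part):
        if part and _escapes(dest, part):
            reasons.append(f"path traversal in {part!r}")
    if STARTUP_HINT in norm.lower():  # heuristic for the persistence location
        reasons.append("targets a Startup folder")
    return reasons


def audit_listing(names, dest=r"C:\extract"):
    """Map each unsafe entry name in a listing to its reasons; safe names are omitted."""
    return {n: r for n in names if (r := audit_entry(n, dest))}


# Constructed sample listing (not a real archive), modelled on the lure described above.
SAMPLE_LISTING = [
    "Resume.pdf",
    "docs/cover letter.docx",
    r"Resume.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"..\..\Windows\Temp\helper.dll",
]

if __name__ == "__main__":
    for entry, why in audit_listing(SAMPLE_LISTING).items():
        print(f"BLOCK {entry}: {', '.join(why)}")
```

Run the audit over an archive's entry names (for example the output of a listing tool) before extraction; any entry with a non-empty reason list should be quarantined rather than written.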
This article serves as a reminder for all organisations to stay vigilant and update their WinRAR versions promptly to protect against such threats. For more information, consult the resources below.
References:
- ESET Blog: WinRAR zero-day vulnerability CVE-2025-8088 is being actively exploited
- CVE Details: CVE-2025-8088
- Talos Intelligence: WinRAR Zero-Day Vulnerability CVE-2025-8088 is being actively exploited
- BI.ZONE: Russian APT group RomCom exploits WinRAR zero-day vulnerability CVE-2025-8088
- CyberScoop: WinRAR zero-day vulnerability being exploited in attacks, ESET says
Key points:
- The RomCom APT group, known for its targeted attacks, has used AI to create convincing job application documents as part of its social engineering campaigns, exploiting the CVE-2025-8088 bug in WinRAR to plant malware in the finance, manufacturing, defense, and logistics sectors.
- The use of alternate data streams (ADSes) within RAR files, a technique employed by the RomCom group, allows them to hide malicious files in a way that bypasses common cybersecurity measures, posing a significant threat to technology businesses.
- In response to the active exploitation of CVE-2025-8088, cybersecurity organizations recommend immediate updates to WinRAR version 7.13 or later, as well as the use of network detection tools to identify vulnerable systems and monitor for IoCs such as suspicious DLL files, backdoors like SnipBot, RustyClaw, and Mythic agents, and unexpected malicious files in sensitive directories.
- The aftermath of the CVE-2025-8088 vulnerability has seen other cybercriminal groups, such as Paper Werewolf, also leverage this bug in phishing email attacks, demonstrating the widespread impact and ongoing relevance of this security issue in the current business landscape.