
In a disturbing turn of events, a WinRAR zero-day exploit is being leveraged by the Russian RomCom group in targeted attacks.

Advertisement by 'zeroplayer' for an $80K WinRAR zero-day vulnerability surfaced a few weeks back

Russian RomCom group exploiting a WinRAR zero-day vulnerability in targeted attacks


In a significant cybersecurity development, a high-risk WinRAR vulnerability, CVE-2025-8088, has been actively exploited by the RomCom Advanced Persistent Threat (APT) group since July 18, 2025. This path traversal flaw, with a CVSS score of 8.4, affects WinRAR versions 7.12 and below, including the associated UnRAR.dll and the command-line utilities on Windows.

The RomCom APT group, known for its targeted attacks, has leveraged this vulnerability in highly targeted social engineering campaigns. The attacks are typically disguised as job application documents, luring targets into extracting weaponized RAR archives that trigger the payloads.

The exploitation technique uses alternate data streams (ADSes) within the RAR files to hide malicious files and plant them in locations that provide persistence and code execution. After a successful compromise, the RomCom group has deployed backdoors such as SnipBot, RustyClaw, and Mythic agents, primarily targeting the financial, manufacturing, defense, and logistics sectors in Europe and Canada.

Indicators of compromise (IoCs) include suspicious DLL files extracted from RAR archives, detection of backdoors such as SnipBot, RustyClaw, and Mythic agents associated with RomCom activity, and the unexpected creation of shortcut (.lnk) files or malicious DLLs in the Windows Startup folder or other sensitive directories after a suspicious archive has been extracted.

To mitigate this vulnerability, updating immediately to WinRAR version 7.13 or later is essential. Organizations should also use network detection tools to identify vulnerable WinRAR versions and monitor for exploitation indicators.
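The technique described above (archive member names and ADS names that carry `..\` sequences so that extraction writes into the Startup folder) is something a defender can screen for before extracting an untrusted archive. The following Python is an added example, not code from the article or from WinRAR; it models each archive member as a path plus an optional stream name rather than parsing RAR itself, and the destination directory, the `Member` class, the sample listing and the `Updater.lnk`/`helper.dll` names are all constructed for the illustration. It uses `ntpath` so the Windows path semantics hold even when run on Linux.

```python
"""Screen archive member names for path traversal and ADS abuse before
extraction (added example; models members as (path, stream) pairs and does
not parse the RAR format)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional

# Hypothetical extraction directory, constructed for this example.
DEST = r"C:\Users\alice\Downloads\cv"

# Directory suffixes where a dropped .lnk or DLL gains persistence
# (the Startup folder named in the article), compared case-insensitively.
SENSITIVE_SUFFIXES = (
    r"\microsoft\windows\start menu\programs\startup",
)


@dataclass(frozen=True)
class Member:
    """One archive member: a relative file path and an optional ADS name."""
    path: str
    stream: Optional[str] = None


def resolve(dest: str, name: str) -> str:
    """Where `name` would land if extracted under `dest` (Windows semantics)."""
    return ntpath.normpath(ntpath.join(dest, name))


def inside(dest: str, target: str) -> bool:
    """True if `target` stays within `dest` after normalisation."""
    base = ntpath.normcase(ntpath.normpath(dest)).rstrip("\\") + "\\"
    t = ntpath.normcase(target)
    return t == base.rstrip("\\") or t.startswith(base)


def in_sensitive_dir(target: str) -> bool:
    """True if the parent directory of `target` is a persistence location."""
    parent = ntpath.normcase(ntpath.dirname(target))
    return any(parent.endswith(s) for s in SENSITIVE_SUFFIXES)


def screen(member: Member, dest: str = DEST) -> list:
    """Return findings for one member; an empty list means nothing suspicious."""
    findings = []
    drive, rest = ntpath.splitdrive(member.path)
    if drive or ntpath.isabs(member.path):
        findings.append("absolute path")
    if ":" in rest:
        # A colon after the drive part means an ADS was smuggled into the name.
        findings.append("ADS embedded in path name")
    target = resolve(dest, member.path)
    if not inside(dest, target):
        findings.append(f"path traversal -> {target}")
    elif in_sensitive_dir(target):
        findings.append(f"drops into persistence directory -> {target}")
    if member.stream is not None:
        parts = member.stream.replace("/", "\\").split("\\")
        if len(parts) > 1 or ".." in parts:
            # A legitimate stream name (e.g. Zone.Identifier) never contains
            # separators; one that does turns "<file>:<stream>" into a path
            # write resolved from the file's own folder.
            stream_target = resolve(ntpath.dirname(target), member.stream)
            findings.append(f"stream name contains a path -> {stream_target}")
            if not inside(dest, stream_target):
                findings.append("stream path traversal")
            if in_sensitive_dir(stream_target):
                findings.append("stream drops into persistence directory")
    return findings


def screen_archive(members, dest: str = DEST) -> list:
    """Return (member, findings) for every member that raised a finding."""
    flagged = []
    for m in members:
        f = screen(m, dest)
        if f:
            flagged.append((m, f))
    return flagged


# Constructed sample listing modelled on the lure described in the article:
# a CV with benign members plus names that carry traversal sequences.
SAMPLE = [
    Member("Resume.pdf"),
    Member("Resume.pdf", stream="Zone.Identifier"),
    Member("Resume.pdf", stream="..\\..\\AppData\\Roaming\\Microsoft\\Windows"
                                "\\Start Menu\\Programs\\Startup\\Updater.lnk"),
    Member("..\\..\\AppData\\Local\\Temp\\helper.dll"),
    Member("docs\\cover letter.docx"),
]

if __name__ == "__main__":
    for member, findings in screen_archive(SAMPLE):
        print(member, "->", findings)
```

Running the block flags two of the five constructed members: the stream whose name resolves into the Startup folder (reported as traversal and as a persistence-directory write) and the plain `..\` member that escapes the destination; the ordinary `Zone.Identifier` stream passes, so the check does not fire on the ADS that browsers attach to every download.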

Notably, this vulnerability was exploited as a zero-day by RomCom before the patch was issued. A miscreant had even posted an ad for a working WinRAR zero-day exploit for $80,000 on a cybercrime forum at the end of June.

Intriguingly, at least one other gang, Paper Werewolf, was also exploiting CVE-2025-8088 around the same time, according to Russian cybersecurity company BI.ZONE. Those attacks begin with a phishing email that appears to be a job application and contains a CV with many malicious ADSes hidden from the victim.

The malicious executable, ApbxHelper.exe, is a modified version of PuTTY CAC and uses an interesting anti-analysis technique: it only executes the shellcode if the computer has recently opened at least 69 documents. The exploit for CVE-2025-8088 uses ADSes for path traversal, and the malicious DLL that decrypts and executes the shellcode also retrieves the domain name of the current machine, which includes the company name.

This article serves as a reminder for all organisations to stay vigilant and update their WinRAR versions promptly to protect against such threats. For more information, consult the resources below.

References:

  1. ESET Blog: WinRAR zero-day vulnerability CVE-2025-8088 is being actively exploited
  2. CVE Details: CVE-2025-8088
  3. Talos Intelligence: WinRAR Zero-Day Vulnerability CVE-2025-8088 is being actively exploited
  4. BI.ZONE: Russian APT group RomCom exploits WinRAR zero-day vulnerability CVE-2025-8088
  5. CyberScoop: WinRAR zero-day vulnerability being exploited in attacks, ESET says
