WinRAR 0-Day Vulnerability Exploited in Phishing Attacks

Security researchers at ESET have confirmed that a recently patched flaw in WinRAR (CVE-2025-8088) was exploited as a zero-day in phishing campaigns to deliver the RomCom malware.
The vulnerability, a directory traversal issue, was addressed in late July with the release of WinRAR version 7.13. It allowed an attacker to craft an archive whose entries were written to paths of the attacker's choosing rather than to the extraction directory the user selected.
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, the portable UnRAR source code, and the UnRAR.dll library could use a path from a specially crafted archive instead of the user-specified path,” the developers explained. “Unix versions of RAR, UnRAR, portable UnRAR source code, and the UnRAR library, as well as RAR for Android, were not affected.”
By exploiting the bug, attackers could drop malicious executables directly into the Windows Startup folders, which causes them to run automatically at the next user logon:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (current user)
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup (all users)
Once placed in either location, the payload runs in the context of the user who logs on (any user, for the all-users folder), giving the attacker code execution on the compromised machine without any further interaction.
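The check below is an added example written for this article; it is not code from ESET, RARLAB or the advisory. It models the extraction bug as described above: an extractor that joins the user's chosen destination with the name stored in the archive and normalises the result. Given a list of stored entry names (here a constructed sample list, in practice the names from a listing such as the third-party `rarfile` package's `RarFile.namelist()`), it resolves where each entry would land, flags anything that escapes the destination, and singles out entries that resolve into the two Startup folders named above. The user name `alice`, the destination `C:\Users\alice\Downloads` and the expanded Startup paths are assumptions for the demonstration.

```python
from __future__ import annotations

import ntpath

# Constructed values for the demonstration: the extraction directory the user
# picked and the two Startup folders from the advisory after environment
# expansion for a hypothetical user "alice". A real scanner would read
# %APPDATA% and %ProgramData% from the environment instead.
USER_DEST = r"C:\Users\alice\Downloads"
STARTUP_DIRS = (
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
)

# Constructed sample listing: two benign names, two that climb into the Startup
# folders (one with backslashes, one with forward slashes), one absolute path
# and one path on another drive.
SAMPLE_ENTRIES = [
    r"report\Q3-summary.pdf",
    r"..\Downloads\notes.txt",
    r"..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe",
    "../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/svc.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\payload.exe",
]


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Path an extractor would write to if it naively joined the chosen
    destination with the name stored in the archive.

    ntpath.join discards dest_dir when entry_name is absolute or rooted, and
    ntpath.normpath folds every '..' component, which is exactly what a
    traversal-vulnerable extractor ends up doing. ntpath is pure string
    handling, so Windows semantics apply even when this runs on Linux.
    """
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def escapes(dest_dir: str, resolved: str) -> bool:
    """True if resolved lies outside dest_dir; another drive counts as outside."""
    dest = ntpath.normpath(dest_dir)
    try:
        common = ntpath.commonpath([dest, resolved])
    except ValueError:  # raised when the two paths are on different drives
        return True
    return ntpath.normcase(common) != ntpath.normcase(dest)


def _under(path: str, directory: str) -> bool:
    """Case-insensitive test for path sitting inside directory at any depth."""
    d = ntpath.normcase(ntpath.normpath(directory))
    return ntpath.normcase(path).startswith(d + ntpath.sep)


def classify(dest_dir: str, entry_name: str) -> tuple[str, str]:
    """Classify one stored entry name against the user's destination.

    Returns (verdict, resolved_path) where verdict is one of:
      'ok'                  stays inside dest_dir after normalisation
      'startup-persistence' escapes into a Startup folder (runs at next logon)
      'traversal'           escapes to anywhere else
    """
    resolved = resolve_entry(dest_dir, entry_name)
    if not escapes(dest_dir, resolved):
        return "ok", resolved
    if any(_under(resolved, d) for d in STARTUP_DIRS):
        return "startup-persistence", resolved
    return "traversal", resolved


def audit(dest_dir: str, entry_names) -> list[tuple[str, str, str]]:
    """Run classify over a whole listing; returns [(verdict, stored_name, resolved)]."""
    findings = []
    for name in entry_names:
        verdict, resolved = classify(dest_dir, name)
        findings.append((verdict, name, resolved))
    return findings


if __name__ == "__main__":
    for verdict, name, resolved in audit(USER_DEST, SAMPLE_ENTRIES):
        print(f"{verdict:20} {name!r:80} -> {resolved}")
```

Two points worth noting. The second sample entry climbs out of the destination and straight back into it, so it is reported as `ok` after normalisation; a check that merely greps for `..` would raise a false positive there, which is why the comparison is done on the resolved path. Conversely, the advisory does not say how the crafted path is encoded inside a malicious archive, so a listing-based check like this one is a triage aid for archives you already hold, not a substitute for updating to WinRAR 7.13.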
Zero-Day Exploitation Before Patch
ESET researchers first identified the flaw in July 2025 and have now confirmed that CVE-2025-8088 was actively exploited before the official patch release.
The zero-day was leveraged in targeted phishing attacks attributed to the RomCom hacking group—also tracked as Storm-0978, Tropical Scorpius, and UNC2596. Payloads included malware families such as SnipBot, RustyClaw, and Mythic.
According to ESET, the campaign targeted organizations in the financial, manufacturing, defense, and logistics sectors across Canada and Europe.
RomCom’s Track Record
RomCom is linked to ransomware operations, credential theft, and extortion schemes. The group has a history of exploiting zero-day vulnerabilities and deploying custom malware to ensure persistence and facilitate data exfiltration.
ESET also reported that CVE-2025-8088 was independently exploited by a second, unrelated threat actor. Russian cybersecurity firm BI.ZONE observed this separate campaign, noting that the second attacker began using the flaw only days after RomCom.