0-day WinRAR vulnerability used in phishing attacks

📟 News

Date: 13/08/2025

ESET specialists reported that a recently patched vulnerability in WinRAR (CVE-2025-8088) was used as a 0-day in phishing attacks and was leveraged to install RomCom malware.

The vulnerability was a directory traversal issue and was fixed at the end of July with the release of WinRAR version 7.13. It allowed a specially crafted archive to extract files to a path chosen by the attackers rather than the one selected by the user.

“During extraction, previous versions of WinRAR, the Windows versions of RAR, UnRAR, the portable UnRAR source code, and the UnRAR.dll library could use a path from a specially crafted archive instead of the path specified by the user,” explained the archiver’s developers. “The Unix versions of RAR, UnRAR, the portable UnRAR source code and library, as well as RAR for Android, were not vulnerable.”

Using this bug, attackers could therefore craft archives that extracted malicious executables into one of the Windows Startup folders:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per-user);
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup (for all users).

Upon the next logon, such a file would run automatically, giving the attacker code execution on the victim's host.
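The defensive check a practitioner would want here is to inspect an archive's entry names before extraction and flag any that would resolve outside the chosen output directory, especially into a Startup folder. The example below is added here and is not code from ESET or the WinRAR project; it assumes the entry names have already been read from an archive listing, uses a constructed sample listing and a constructed extraction directory, and evaluates paths with Windows semantics (`ntpath`) so it runs on any OS.

```python
import ntpath
from typing import List, Optional, Tuple

# Common suffix of both Startup folders named in the article (lower-cased for
# case-insensitive matching, as Windows paths are case-insensitive).
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"

# Constructed extraction directory; %APPDATA% for this user would be
# C:\Users\alice\AppData\Roaming, so a '..'-laden entry can reach Startup.
DEFAULT_DEST = r"C:\Users\alice\Downloads\out"


def resolve_entry(entry: str, dest: str) -> str:
    """Resolve an entry name the way a Windows extractor would: join it to the
    output directory and collapse '.' / '..' segments."""
    return ntpath.normpath(ntpath.join(dest, entry.replace("/", "\\")))


def classify_entry(entry: str, dest: str = DEFAULT_DEST) -> Optional[str]:
    """Return a reason string if the entry would not stay inside dest, else None."""
    norm = entry.replace("/", "\\")
    # Drive-qualified (C:...) or rooted (\...) names ignore dest entirely.
    if ntpath.splitdrive(norm)[0] or norm.startswith("\\"):
        return "absolute or drive-qualified path"
    target = resolve_entry(norm, dest).lower()
    base = ntpath.normpath(dest).lower()
    if target != base and not target.startswith(base + "\\"):
        if STARTUP_SUFFIX in target:
            return "escapes extraction dir into a Startup folder"
        return "escapes extraction dir (path traversal)"
    return None


def scan_entries(entries: List[str], dest: str = DEFAULT_DEST) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every suspicious entry in a listing."""
    return [(e, r) for e in entries if (r := classify_entry(e, dest))]


# Constructed sample listing (not taken from a real archive): two benign
# entries, two traversal entries aimed at the Startup folders, one absolute path.
SAMPLE_ENTRIES = [
    "invoice/Q3-report.pdf",
    "invoice/images/logo.png",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe",
    r"..\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    r"C:\Windows\Temp\x.dll",
]

if __name__ == "__main__":
    for entry, reason in scan_entries(SAMPLE_ENTRIES):
        print(f"SUSPICIOUS: {entry!r}: {reason}")
```

A listing-only check like this is a triage aid for mail gateways and sandboxes; it does not replace updating WinRAR to 7.13 or later.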

In July 2025, experts at ESET discovered this issue, and now they report that, even before a patch was released, CVE-2025-8088 was being used in attacks as a zero-day vulnerability.

According to researchers, the vulnerability was exploited in targeted phishing attacks aimed at delivering malware associated with the RomCom hacking group (aka Storm-0978, Tropical Scorpius, and UNC2596), including variants such as SnipBot, RustyClaw, and Mythic.

Reports indicate that this campaign targeted financial, manufacturing, defense, and logistics companies in Canada and European countries.

Previously, the RomCom group was linked to ransomware attacks and data theft for extortion, as well as credential theft campaigns. RomCom is known for exploiting 0-day vulnerabilities and using custom malware to steal data and maintain persistence on systems.

ESET notes that recently the same vulnerability was exploited by another attacker and was independently discovered by the Russian company BI.ZONE. The second attacker began exploiting CVE-2025-8088 a few days after RomCom.
