
0-day WinRAR vulnerability used in phishing attacks

ESET researchers reported that a recently patched WinRAR vulnerability (CVE-2025-8088) had been exploited as a 0-day in phishing attacks to install RomCom malware.

The vulnerability was a path traversal issue and was fixed at the end of July 2025 with the release of WinRAR 7.13. A specially crafted archive could cause files to be extracted to a path chosen by the attacker rather than the destination selected by the user.

“During extraction, previous versions of WinRAR, the Windows versions of RAR, UnRAR, the portable UnRAR source code, and the UnRAR.dll library could use a path from a specially crafted archive instead of the path specified by the user,” explained the archiver’s developers. “The Unix versions of RAR, UnRAR, the portable UnRAR source code and library, as well as RAR for Android, were not vulnerable.”

Using this bug, attackers could craft archives that dropped malicious executables into one of the Windows Startup folders:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per-user);
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup (for all users).

At the next logon, Windows runs any executable in these folders automatically, giving the attacker code execution on the victim's machine without any further user interaction.
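The bug class here is an extractor that trusts the path stored in an archive header. The check below is an added example (not WinRAR's code, and not a reproduction of the actual exploit): it resolves each archive member against the user's chosen destination, the way a hardened extractor should, and reports where a traversal entry would have landed. The destination folder and the member names are constructed for illustration; `ntpath` is used so Windows path semantics are emulated on any OS.

```python
"""Safe-extraction path check for archive members (added example).

Emulates Windows path handling with ntpath so it runs on any platform.
"""
import ntpath

# Constructed sample data: a hypothetical extraction folder chosen by the user
# and member names as an extractor might read them from archive headers.
DEST_ROOT = r"C:\Users\alice\Downloads\invoice"
SAMPLE_MEMBERS = [
    r"invoice.pdf",
    r"docs\readme.txt",
    r"docs/../readme2.txt",  # '..' that still stays inside the destination
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"\Windows\System32\evil.dll",  # root-relative, would land on the drive root
    r"invoice.pdf:payload.exe",     # colon has no place in a relative entry name
]


def resolve_member(dest_root: str, member: str) -> str:
    """Return the normalised absolute path a naive extractor would write to."""
    root = ntpath.normpath(dest_root)
    return ntpath.normpath(ntpath.join(root, member))


def is_safe_member(dest_root: str, member: str) -> bool:
    """True only if `member` resolves to a location inside `dest_root`.

    Rejects empty names, drive-qualified or root-relative paths, any colon
    (drive letter separator or NTFS alternate data stream syntax on Windows),
    and any '..' sequence that escapes the destination after normalisation.
    """
    if not member or ":" in member:
        return False
    if member.startswith(("\\", "/")):
        return False
    if ntpath.splitdrive(member)[0]:
        return False
    root = ntpath.normcase(ntpath.normpath(dest_root))
    target = ntpath.normcase(resolve_member(dest_root, member))
    return target == root or target.startswith(root + "\\")


def triage_archive(dest_root: str, members: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split members into accepted names and rejected {name: resolved path}.

    The resolved path of a rejected member is what a vulnerable extractor
    would have written, e.g. a per-user Startup folder.
    """
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for member in members:
        if is_safe_member(dest_root, member):
            accepted.append(member)
        else:
            rejected[member] = resolve_member(dest_root, member)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage_archive(DEST_ROOT, SAMPLE_MEMBERS)
    print("accepted:", ok)
    for name, where in bad.items():
        print(f"REJECTED {name!r} -> would write {where}")
```

Run it and the fourth sample entry resolves to `C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe`, i.e. the per-user Startup folder named above; the same check applied to Unix-style paths needs `posixpath` and the forward-slash root prefix instead.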

ESET discovered the issue in July 2025 and now reports that CVE-2025-8088 was already being exploited as a zero-day before a patch was available.

According to researchers, the vulnerability was exploited in targeted phishing attacks aimed at delivering malware associated with the RomCom hacking group (aka Storm-0978, Tropical Scorpius, and UNC2596), including variants such as SnipBot, RustyClaw, and Mythic.

Reports indicate that this campaign targeted financial, manufacturing, defense, and logistics companies in Canada and European countries.

Previously, the RomCom group was linked to ransomware attacks and data theft for extortion, as well as credential theft campaigns. RomCom is known for exploiting 0-day vulnerabilities and using custom malware to steal data and maintain persistence on systems.

ESET also notes that the same vulnerability was recently exploited by a second threat actor, whose activity was independently discovered by the Russian company BI.ZONE. That second actor began exploiting CVE-2025-8088 a few days after RomCom did.
