
WinRAR Zero-Day (CVE-2025-8088) Exploited in the Wild by Russian-Linked Hackers

Categories: News

August 2025 – Cybersecurity Alert
A critical vulnerability has been discovered in WinRAR, the popular file archiver used by millions worldwide. The flaw, now tracked as CVE-2025-8088, is under active exploitation by the Russian-linked threat group RomCom (Storm-0978), with real-world attacks already confirmed.


πŸ” What is the Vulnerability?

The flaw resides in WinRAR’s file extraction logic. It allows directory traversal, meaning an attacker can craft a malicious archive whose files are extracted outside of the intended folder structure.

  • Normally, when you unzip/unrar files, they should only extract inside the chosen directory.

  • With this bug, attackers can force files to escape into system directories like Startup, Program Files, or even user profile folders.

  • Result: malware executes automatically on the next reboot or user login.
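The check below is an added example, not code from the advisory or from WinRAR: it simulates the extraction path of each archive entry segment by segment and flags any entry that would climb out of the destination directory, before anything is written to disk. The sample listing (including the Startup path quoted in the IOC section) and the `STARTUP_MARKER` string are constructed assumptions.

```python
"""Pre-extraction check for archive entry names that would escape the
destination directory (the CVE-2025-8088 traversal pattern). Added
illustration, not WinRAR's or the advisory's code; it works on names only."""
import re

# A drive letter ("C:") or UNC prefix ("\\server") is an absolute target,
# so the chosen extraction directory plays no part at all.
_ABSOLUTE_RE = re.compile(r"^([a-zA-Z]:|[\\/]{2})")
STARTUP_MARKER = "start menu/programs/startup"  # per-user Startup folder

# Constructed listing; the first entry mirrors the path quoted in the IOCs.
SAMPLE_LISTING = [
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loader.exe",
    "invoice.pdf",
    "docs/../../x.dll",        # descends one level, then climbs out
    r"C:\Windows\Temp\x.exe",  # absolute path
    "a/..hidden/notes.txt",    # '..' inside a name is harmless
]

def normalize(name: str) -> str:
    """RAR entries may use either separator; treat both as '/'."""
    return name.replace("\\", "/")

def escapes_destination(name: str) -> bool:
    """True if extracting `name` below a destination dir could write outside
    it: '..' pops a level, and popping below the root means escape."""
    path = normalize(name)
    if _ABSOLUTE_RE.match(name) or path.startswith("/"):
        return True
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # '//' and './' are no-ops
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def classify(name: str) -> str:
    """Label an entry 'traversal-to-startup', 'traversal' or 'ok'."""
    if not escapes_destination(name):
        return "ok"
    if STARTUP_MARKER in normalize(name).lower():
        return "traversal-to-startup"
    return "traversal"

if __name__ == "__main__":
    for entry in SAMPLE_LISTING:
        print(f"{classify(entry):22s} {entry}")
```

Any listing tool that yields entry names (unrar, 7-Zip, or a Python archive library) can feed `classify` so that flagged archives are quarantined rather than extracted.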


πŸ› οΈ How Attackers Exploit It

RomCom has been observed weaponizing this zero-day with malicious RAR archives sent via phishing campaigns.

  1. Victim receives an archive (often disguised as documents, invoices, or official communications).

  2. The archive contains payloads like SnipBot, RustyClaw, or Mythic Agent.

  3. Once extracted, the payload installs silently into system-critical directories.

  4. Persistence is achieved by planting executables in Windows Startup paths, ensuring the malware runs automatically.


🎯 Who is Targeted?

According to early incident reports:

  • Government organizations in Eastern Europe.

  • NGOs providing humanitarian and cybersecurity support.

  • Critical infrastructure partners linked with Ukraine.

  • High-value enterprise environments where manual patching lags behind disclosure.

This campaign aligns with Russia-linked groups’ prior geopolitical cyberespionage patterns.


πŸ§‘β€πŸ’» Technical Indicators (IOCs)

  • Malicious archives with nested paths:

    ..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  • Known payloads:

    • SnipBot (credential theft, keylogging).

    • RustyClaw (modular backdoor with C2 communication).

    • Mythic Agent (post-exploitation framework).

  • Command-and-control (C2) domains observed:

    • update-winrar[.]com

    • ms-securetools[.]org


πŸ›‘οΈ Mitigation & Patching

The vulnerability is patched in WinRAR v7.13.

  • ❌ WinRAR has no auto-update mechanism, so users must manually download and install the patched version.

  • βœ”οΈ Recommended actions:

    • Immediately update to WinRAR 7.13.

    • Enable real-time AV/EDR scanning for unusual extraction paths.

    • Block suspicious outbound connections to newly registered domains.

    • Implement mail filtering rules against RAR attachments where possible.


βš–οΈ Why It Matters

This case underlines several long-standing issues in the cybersecurity field:

  • Legacy Software Risk: WinRAR is decades-old and widely used, yet often neglected in patch management cycles.

  • Zero-Day Speed: Attackers weaponized the bug before disclosure, highlighting the shrinking time defenders have to react.

  • High-Impact Surface: File archivers are trusted utilities, making them perfect delivery vehicles for malware.


📌 Conclusion

The exploitation of CVE-2025-8088 marks yet another reminder that even the most mundane software can become a nation-state weapon when flaws are discovered. For defenders, the message is clear: patch immediately, monitor extraction activity, and treat file archivers as potential attack surfaces.

In the coming weeks, researchers expect wider adoption of this exploit by non-state cybercriminal groups, potentially bundling ransomware or info-stealers. Staying ahead requires urgent patching, proactive monitoring, and layered defense.
