A zero-day path traversal vulnerability (CVE-2025-8088) in **WinRAR for Windows (versions before 7.13)** let attackers plant malware through malicious RAR archives. It was exploited by **RomCom (Storm-0978)** and **Paper Werewolf (GOFFEE)** in spear-phishing campaigns against financial, manufacturing, defense, and logistics organizations in **Europe, Canada, and Russia**. The archives were disguised as job applications (CVs) or official communications and dropped backdoors (SnipBot, RustyClaw, Mythic agents) for persistence and data exfiltration. The exploit hid its payload in **NTFS alternate data streams (ADS)** whose stream names contained traversal sequences, so extraction wrote the payload into the user's Windows Startup folder, where it ran at the next login and gave the attacker **arbitrary code execution** without further interaction. No mass exploitation had been reported as of August 2025, but the vulnerability's **public disclosure (CVSS 8.8)** and the reported dark web sale of the exploit ($80,000) raised the risk of copycat attacks. Affected organizations faced potential **data breaches, system compromise, and operational disruption**, although no confirmed large-scale data leaks or ransomware incidents were tied to the flaw. Updating to WinRAR 7.13 removes the risk, but WinRAR has no auto-update mechanism, so installations that were not updated manually remained exposed to **targeted espionage and financial theft**.
Source: https://cybersecuritynews.com/winrar-0-day-exploited/
TPRM report: https://www.rankiteo.com/company/win.rar-gmbh
"id": "win748081525",
"linkid": "win.rar-gmbh",
"type": "Vulnerability",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact; customer data leaks possible but not confirmed"
{
  "affected_entities": [
    {
      "industry": ["Finance", "Manufacturing", "Defense", "Logistics"],
      "location": ["Europe", "Canada"],
      "name": "Unspecified organizations in Europe/Canada",
      "type": ["Financial institutions", "Manufacturing firms", "Defense contractors", "Logistics companies"]
    },
    {
      "location": "Russia",
      "name": "Unspecified Russian organizations"
    }
  ],
  "attack_vector": [
    "Malicious RAR archives",
    "Phishing emails (job applications, official communications)",
    "Alternate Data Streams (ADS)",
    "Specially crafted file paths"
  ],
  "customer_advisories": [
    "Avoid opening RAR files from untrusted sources.",
    "Verify the installed WinRAR version and update manually if necessary.",
    "Report suspicious job application emails with attachments."
  ],
  "data_breach": {
    "data_exfiltration": ["Likely (via SnipBot/RustyClaw backdoors)"],
    "file_types_exposed": ["None confirmed; the archives drop DLL payloads onto the victim rather than exposing victim files"],
    "sensitivity_of_data": "High (defense, financial, and logistics sectors targeted)",
    "type_of_data_compromised": ["Potential corporate data", "System credentials (via backdoors)"]
  },
  "date_detected": "2025-07-18",
  "date_publicly_disclosed": "2025-07-18",
  "date_resolved": "2025-07-30",
  "description": "A zero-day vulnerability (CVE-2025-8088) in WinRAR for Windows allows attackers to execute arbitrary code via specially crafted archives. The path traversal flaw stems from improper handling of file paths during extraction, so a malicious archive can write files to locations of the attacker's choosing (e.g., the Windows Startup folder). The payload is hidden in NTFS alternate data streams (ADS) attached to a benign-looking file; the traversal sequences in the stream names are honored during extraction, so the payload lands in the Startup folder silently and runs at the next login. Exploitation has been linked to the RomCom (Storm-0978) and Paper Werewolf (GOFFEE) threat groups, which targeted financial, manufacturing, defense and logistics organizations in Europe and Canada, and organizations in Russia, via phishing emails disguised as job applications or official communications. The flaw was patched in WinRAR 7.13, released on July 30, 2025.",
  "impact": {
    "brand_reputation_impact": ["High (zero-day association with WinRAR)", "Erosion of trust in file-sharing tools"],
    "data_compromised": ["Potential corporate/defense data (via backdoors)", "User system integrity"],
    "operational_impact": ["Arbitrary code execution at the next user login", "Potential for lateral movement within networks"],
    "systems_affected": ["Windows systems running WinRAR < 7.13", "Startup folders", "%TEMP% directories"]
  },
  "initial_access_broker": {
    "backdoors_established": ["SnipBot", "RustyClaw", "Mythic agents"],
    "data_sold_on_dark_web": ["Exploit code sold for $80,000 in late June 2025"],
    "entry_point": ["Phishing emails with malicious RAR attachments", "Exploit purchased on a dark web forum ($80,000, late June 2025)"],
    "high_value_targets": ["Financial, manufacturing, defense and logistics sectors (RomCom)", "Russian organizations (Paper Werewolf)"],
    "reconnaissance_period": ["RomCom: July 18–21, 2025", "Paper Werewolf: timing unspecified (after June 2025)"]
  },
  "investigation_status": "Ongoing (as of 2025-08-15; no widespread attacks beyond targeted phishing reported)",
  "lessons_learned": [
    "Delayed patching exacerbates risk in widely used software.",
    "Compressed files (e.g., RAR) remain high-risk phishing vectors.",
    "Alternate Data Streams (ADS) can bypass traditional security controls.",
    "Threat actors rapidly adopt zero-days sold on dark web forums.",
    "Manual update checks are critical for software without an auto-update feature."
  ],
  "motivation": ["Espionage", "Data exfiltration", "Persistence", "Financial gain (exploit sold for $80,000)"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch the path traversal vulnerability in WinRAR 7.13.",
      "Enhance email filtering for RAR attachments.",
      "Improve user education on phishing and manual updates.",
      "Monitor for copycat campaigns after public disclosure."
    ],
    "root_causes": [
      "Improper file path handling in WinRAR's extraction logic.",
      "No auto-update mechanism for older WinRAR versions.",
      "Effectiveness of phishing as an initial access vector.",
      "Rapid weaponization of zero-days after the dark web sale."
    ]
  },
  "recommendations": [
    "Immediately update WinRAR to version 7.13 or later.",
    "Block RAR attachments in email gateways where possible.",
    "Scan systems for indicators of compromise (e.g., unexpected files in Startup or %TEMP% directories).",
    "Educate employees on phishing risks, especially job application-themed emails.",
    "Monitor dark web forums for exploit sales to anticipate attacks.",
    "Implement network segmentation to limit lateral movement.",
    "Use behavioral analysis tools to detect anomalous file extraction behavior."
  ],
  "references": [
    {"date_accessed": "2025-07-18", "source": "ESET Research"},
    {"date_accessed": "2025-07-30", "source": "WinRAR Changelog (Version 7.13)"},
    {"source": "CVSS Score (8.8)"}
  ],
  "response": {
    "communication_strategy": ["Public advisory via ESET and WinRAR", "Demonstration video (with a caution against unverified sources)", "Urgent update notifications"],
    "containment_measures": ["Patch release (WinRAR 7.13 on 2025-07-30)", "Scanning for indicators of compromise (e.g., unexpected files in %TEMP% or Startup directories)", "Enhanced email filtering to block RAR attachments"],
    "enhanced_monitoring": ["Monitoring for exploit attempts post-disclosure"],
    "incident_response_plan_activated": true,
    "remediation_measures": ["Manual update checks (Help > About WinRAR)", "Download updates from official sources only", "User education on phishing risks"],
    "third_party_assistance": ["ESET researchers (discovery and analysis)"]
  },
  "stakeholder_advisories": [
    "Urgent patching advisory for WinRAR users.",
    "Warning about phishing campaigns leveraging RAR attachments.",
    "Guidance for detecting exploitation attempts (e.g., unexpected files in Startup folders)."
  ],
  "threat_actor": [
    {
      "alignment": "Russia-aligned",
      "malware_deployed": ["SnipBot", "RustyClaw", "Mythic agents"],
      "name": "RomCom (Storm-0978)",
      "tactics": "Phishing (malicious RAR attachments disguised as resumes)",
      "targets": ["Financial sector", "Manufacturing", "Defense", "Logistics (Europe, Canada)"]
    },
    {
      "name": "Paper Werewolf (GOFFEE)",
      "tactics": "Phishing (mimicking official communications from a research institute)",
      "targets": ["Russian organizations"]
    }
  ],
  "title": "WinRAR Zero-Day Path Traversal Vulnerability (CVE-2025-8088) Exploited in Targeted Phishing Campaigns",
  "type": ["Zero-day exploit", "Path traversal vulnerability", "Arbitrary code execution", "Phishing campaign"],
  "vulnerability_exploited": "CVE-2025-8088 (WinRAR path traversal flaw in Windows versions < 7.13)"
}
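The root cause recorded above (extraction logic that honors traversal sequences in archive-supplied names, including the names of NTFS alternate data streams) is a path-resolution bug, and the fix class is the same for any extractor. The following example is added for this page and is not WinRAR's code: it contrasts a naive resolver, which lets a `..`-laden entry or ADS stream name land in the Startup folder, with a hardened resolver that rejects such names and re-checks the final path. The base directory, the entry names and the `..` counts are constructed to mirror the technique described in the report, not captured from a real archive; Windows path rules are emulated with Python's `ntpath` so the script runs on any platform.

```python
"""Extraction-path hardening against traversal and ADS-name entries.

Added example, not WinRAR source code. ntpath.normpath collapses ".."
segments lexically, as Win32 path normalization does, so the naive
resolver below reproduces how a crafted name escapes the extraction
directory without touching the file system.
"""
import ntpath

# Constructed sample (not from a real malicious archive): the user's
# extraction directory, a CV lure, a traversal into the Startup folder,
# the same traversal hidden in an ADS stream name attached to the lure,
# and two absolute-path variants a hardened extractor must also refuse.
BASE_DIR = r"C:\Users\bob\Downloads\cv"
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    "CV_John_Doe.pdf",
    "docs/cover_letter.docx",
    "..\\..\\" + STARTUP + "\\Updater.lnk",
    "CV_John_Doe.pdf:..\\..\\..\\..\\" + STARTUP + "\\Updater.lnk",
    r"C:\Users\Public\evil.exe",
    r"\\server\share\evil.dll",
]


class UnsafeEntry(ValueError):
    """Raised by the hardened resolver for an entry that must not be extracted."""


def naive_target(base_dir, entry_name):
    """Vulnerable resolver: joins the archive-supplied name as-is.

    The ".." segments survive the join and are collapsed by path
    normalization, so the file lands wherever the archive says. For the
    ADS-style name the first ".." consumes the "file:.." component and
    the remaining ones walk out of base_dir exactly like a plain traversal.
    """
    return ntpath.normpath(ntpath.join(base_dir, entry_name))


def hardened_target(base_dir, entry_name):
    """Hardened resolver: accept only relative, colon-free, non-traversing
    names, then confirm the resolved path is still inside base_dir."""
    name = entry_name.replace("/", "\\")
    if ":" in name:            # ADS "file:stream" syntax or a drive letter
        raise UnsafeEntry(f"ADS or drive syntax: {entry_name!r}")
    if name.startswith("\\"):  # rooted path or \\server\share UNC path
        raise UnsafeEntry(f"absolute or UNC path: {entry_name!r}")
    parts = [p for p in name.split("\\") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeEntry(f"empty name or parent traversal: {entry_name!r}")
    base = ntpath.normpath(base_dir)
    target = ntpath.normpath(ntpath.join(base, *parts))
    # Defence in depth: whatever the name checks missed, the final path
    # must still have base_dir as its prefix.
    if ntpath.normcase(ntpath.commonpath([base, target])) != ntpath.normcase(base):
        raise UnsafeEntry(f"escapes extraction directory: {entry_name!r}")
    return target


def audit_entries(base_dir, entry_names):
    """Pre-extraction check of every entry name.

    Returns a list of (entry_name, naive_path, verdict), where verdict is
    "OK -> <path>" for the hardened target or "REJECT: <reason>".
    """
    report = []
    for name in entry_names:
        try:
            verdict = "OK -> " + hardened_target(base_dir, name)
        except UnsafeEntry as exc:
            verdict = "REJECT: " + str(exc)
        report.append((name, naive_target(base_dir, name), verdict))
    return report


if __name__ == "__main__":
    for name, naive, verdict in audit_entries(BASE_DIR, SAMPLE_ENTRIES):
        print(f"{name}\n  naive    -> {naive}\n  hardened -> {verdict}")
```

Rejecting every colon is deliberately stricter than Windows requires (a legitimate archive could carry an ADS), but for an extractor that writes attacker-controlled names it is the safe default; the closing `commonpath` check is what catches any encoding or normalization trick the name checks did not anticipate.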