Cybersecurity researchers have found that the Russia-aligned hacking group RomCom exploited a previously unknown flaw in WinRAR, tracked as CVE-2025-8088, in zero-day attacks. The vulnerability is a path traversal bug that let attackers write malicious payloads to locations of their choosing on victims' systems.
According to a report published by ESET, which discovered the flaw, exploitation began on July 18, 2025, when RomCom started using it in live campaigns. The bug lies in how WinRAR handled alternate data streams (ADS) inside a RAR archive: a specially crafted archive can carry ADS entries whose stream names contain ..\ traversal sequences, and vulnerable versions wrote those streams wherever the sequences pointed instead of into the directory the user selected. RomCom used this to drop hidden payloads into %TEMP%, %LOCALAPPDATA%, and the user's Startup folder; a shortcut placed in the Startup folder runs at the next logon, which gives the malware persistence across reboots.
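The following is an added illustration of the bug class described above, not code from WinRAR, ESET, or the campaign. It models an extractor that concatenates an entry's ADS stream name onto the output path (the unpatched behaviour) next to a hardened version that validates the resolved path and the stream name before writing. Windows path resolution is approximated with Python's ntpath.normpath, so the resolved paths are a model rather than exact Windows semantics, and every name in it (the victim profile, report.pdf, Updater.lnk, evil.dll) is constructed for the example.

```python
"""Model of the CVE-2025-8088 bug class: an archive entry's alternate data
stream (ADS) name is appended to the output path and, if it carries '..\\'
components, the write lands outside the extraction directory.

Added illustration, not WinRAR's or ESET's code. Windows path resolution is
approximated with ntpath.normpath; all entry and stream names are constructed.
"""
import ntpath

# Constructed extraction root (hypothetical victim profile).
EXTRACT_ROOT = r"C:\Users\victim\Downloads\extracted"

# Constructed archive entries as (entry name, ADS stream name or None).
# The names are illustrative, not indicators from the real campaign.
SAMPLE_ENTRIES = [
    ("report.pdf", None),                          # visible decoy document
    ("report.pdf", "Zone.Identifier"),             # ordinary, harmless ADS
    ("report.pdf", r"..\..\..\..\AppData\Roaming\Microsoft\Windows"
                   r"\Start Menu\Programs\Startup\Updater.lnk"),  # traversal via ADS
    (r"..\..\evil.dll", None),                     # classic traversal in the entry name
]


def naive_target(root, entry_name, stream_name=None):
    """Unpatched behaviour: join root + entry, append ':stream', let the OS resolve."""
    path = ntpath.join(root, entry_name)
    if stream_name:
        path = path + ":" + stream_name
    return ntpath.normpath(path)


def safe_target(root, entry_name, stream_name=None):
    """Hardened behaviour: refuse anything that would resolve outside root.

    Raises ValueError with a reason; returns the validated output path otherwise.
    """
    root = ntpath.normpath(root)
    norm_entry = entry_name.replace("/", "\\")
    # 1. No absolute paths, drive letters or UNC prefixes in the entry name.
    if norm_entry[:1] == "\\" or ntpath.splitdrive(norm_entry)[0]:
        raise ValueError(f"absolute entry name rejected: {entry_name!r}")
    # 2. The resolved file path must stay under the extraction root.
    target = ntpath.normpath(ntpath.join(root, norm_entry))
    try:
        inside = ntpath.commonpath([root, target]) == root
    except ValueError:  # different drives, or absolute/relative mix
        inside = False
    if not inside:
        raise ValueError(f"entry escapes extraction root: {entry_name!r}")
    # 3. A stream name is a single NTFS component: no separators, no dot-dirs.
    if stream_name is not None:
        if (not stream_name or stream_name in (".", "..")
                or any(c in stream_name for c in "\\/")):
            raise ValueError(f"malformed stream name rejected: {stream_name!r}")
        target = target + ":" + stream_name
    return target


def audit_entries(root, entries):
    """Return one (entry, stream, unpatched path, verdict) tuple per archive entry."""
    results = []
    for entry, stream in entries:
        naive = naive_target(root, entry, stream)
        try:
            safe_target(root, entry, stream)
            verdict = "ok"
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        results.append((entry, stream, naive, verdict))
    return results


if __name__ == "__main__":
    for entry, stream, naive, verdict in audit_entries(EXTRACT_ROOT, SAMPLE_ENTRIES):
        shown = entry + (":" + stream if stream else "")
        print(f"{shown}\n  unpatched write -> {naive}\n  hardened        -> {verdict}")
```

Running the block shows the two traversal entries resolving to the user's Startup folder and profile root under the naive model, while the hardened check rejects them and still accepts the decoy file and its Zone.Identifier stream. The same three checks (no absolute entry names, resolved path under the root, stream name is a single component) apply to any archive extractor that restores ADS.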
WinRAR's developers released a fixed version, 7.13, on July 30, 2025, after ESET reported the flaw; the release notes at the time did not mention that the bug was already being exploited. WinRAR does not update itself, so every earlier installation stays vulnerable until 7.13 or later is installed manually.
ESET’s analysis revealed three attack chains delivering different RomCom malware families:
- Mythic Agent – executed through a COM hijack, enabling command-and-control communications.
- SnipBot – a SnipBot variant delivered as a trojanized build of PuTTY CAC that downloaded additional payloads.
- MeltingClaw – a modular malware framework used for further in
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents.