Opened a WinRAR Archive? Congratulations — the Virus Is Already in Your Windows

Without a patch, WinRAR will stay safe for at most a day.

A recently fixed WinRAR vulnerability, CVE-2025-8088, had already been exploited in targeted phishing attacks before the patch was released. The flaw belonged to the Directory Traversal class and was only resolved in WinRAR version 7.13. It allowed attackers to craft special archives that, when extracted, would place files not in the folder chosen by the user, but in a directory specified by the attacker. This mechanism enabled bypassing standard restrictions and injecting malicious code into critical Windows directories.
Unlike the normal scenario where files are extracted into a preselected location, the vulnerability made it possible to alter the extraction path to redirect contents into the operating system's startup folders. These include the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the system-wide Startup folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp). On the next system login, any executable file placed there via the vulnerability would run automatically, effectively giving the attacker code execution on the victim's machine without any further interaction from the victim.
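As an added illustration (not from the article or from WinRAR's own code), the following Python check applies Windows path semantics to archive entry names before extraction and flags any entry that would land outside the folder the user chose, with a separate verdict when the target is one of the Startup folders named above. The extraction path and entry names are constructed sample values, not the contents of the real exploit archives.

```python
import ntpath

# Constructed sample entry names, as an extractor would read them from an
# archive's file headers. Illustrative strings only.
SAMPLE_ENTRIES = [
    "report/invoice.pdf",
    "report/../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "..\\..\\..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\helper.exe",
    "C:\\Windows\\System32\\payload.dll",
    "notes\\readme.txt",
]

# The per-user (%APPDATA%) and system-wide (%ProgramData%) Startup folders share
# this suffix, so one case-insensitive marker covers both.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def resolve_entry(dest_root: str, entry_name: str) -> str:
    """Return the normalised absolute path an extractor would write this entry to.

    ntpath is used so Windows semantics (both separators, drive letters, rooted
    paths) apply no matter which platform the check itself runs on.
    """
    joined = ntpath.join(dest_root, entry_name)  # an absolute entry replaces dest_root
    return ntpath.normcase(ntpath.normpath(joined))


def classify_entry(dest_root: str, entry_name: str) -> str:
    """Return 'ok', 'traversal' (lands outside dest_root) or 'traversal-startup'
    (lands outside dest_root and inside a Windows Startup folder)."""
    root = ntpath.normcase(ntpath.normpath(dest_root)).rstrip("\\") + "\\"
    target = resolve_entry(dest_root, entry_name)
    if target.startswith(root):
        return "ok"
    if STARTUP_MARKER in target:
        return "traversal-startup"
    return "traversal"


def scan_entries(dest_root: str, entries):
    """Map every entry name in an archive listing to its classification."""
    return {name: classify_entry(dest_root, name) for name in entries}


if __name__ == "__main__":
    verdicts = scan_entries("C:\\Users\\victim\\Downloads\\extract", SAMPLE_ENTRIES)
    for name, verdict in verdicts.items():
        print(f"{verdict:18} {name}")
```

A real extractor would run this on the archive listing and refuse to write any entry that is not classified "ok"; a detection pipeline can apply the same logic to attachments before they reach a user.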
The issue affected only Windows editions of WinRAR, RAR, UnRAR, their portable versions, and the UnRAR.dll library. Variants for Unix platforms, Android, and related source code were unaffected.
The danger was compounded by the fact that WinRAR does not have an auto-update feature. Users who do not manually check for new versions could remain vulnerable for months without realizing it. The developers strongly recommend manually downloading and installing WinRAR 7.13 from the official site (win-rar.com) to eliminate the possibility of exploitation.
The vulnerability was discovered by ESET researchers Anton Cherepanov, Peter Kocinar, and Peter Stricek. The researchers confirmed it had been used in real phishing campaigns to deliver the RomCom malware. In these attacks, emails containing RAR archives with the CVE-2025-8088 exploit were sent to targets.
RomCom — also known as Storm-0978, Tropical Scorpius, or UNC2596 — specializes in ransomware attacks, data theft, and extortion, and also runs credential-stealing campaigns. Its arsenal includes custom malware designed for long-term system persistence, information theft, and backdoor creation for covert access to compromised devices.
The group is known for actively exploiting zero-day vulnerabilities in attacks and for collaborating with other ransomware operations, including Cuba and Industrial Spy. The current campaign leveraging the WinRAR flaw is yet another example of how RomCom combines technically sophisticated hacking techniques with social engineering to bypass defenses and infiltrate corporate networks.
ESET is preparing a detailed report on the incident, which will describe in depth the exploitation methods and technical details of the identified attacks.