WinRAR Zero‑Day CVE‑2025‑8088: Phishing Campaigns Planting the ‘RomCom’ RAT
When a file is a doorway, every click can be a risk. That’s precisely what happened on August 8th, when a previously patched WinRAR flaw – CVE‑2025‑8088 – was leveraged in large‑scale phishing campaigns to drop the malicious “RomCom” backdoor onto unsuspecting victims. The attack demonstrates how a single unpatched path traversal flaw can become a pivot for sophisticated intrusion, especially when disguised as mundane archive files.
Background
WinRAR, a widely‑used compression utility, was already vulnerable to a path traversal flaw that allowed attackers to execute code by opening a specially crafted RAR archive. While a patch for CVE‑2025‑8088 was released in early July, evidence surfaced that threat actors had been actively abusing the zero‑day in phishing attacks as early as April 2025. According to Group‑IB, the attacks targeted Ukrainian entities, with tactics tracing back to a group with ties to Russia’s Gamaredon. The exploit culminated in the installation of the RomCom RAT, enabling full‑blown remote access and data exfiltration.
Technical Analysis
The vulnerability is rooted in WinRAR’s ZIP archive handling: when a ZIP file contains a file and a folder with identical names, WinRAR mistakenly conflates them, leading to directory traversal outside the intended extraction path. Attackers can exploit this by creating a ZIP archive that:
- Includes a folder named %AppData%\WinRAR that forces WinRAR to write to its own installation directory.
- Places a file with the same name as that folder, causing it to be extracted into WinRAR’s startup folder.
- The executable in the startup folder is then automatically launched every time WinRAR starts, without user interaction or elevation prompts.
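As an added example (not code from this article or from WinRAR), the following Python script audits a ZIP archive before extraction for the two shapes described above: entry paths that would land outside the extraction directory (absolute paths, drive letters, ".." components, or environment-variable references such as %AppData%) and a file entry and a directory entry that share one name. The sample archive it builds is constructed here purely for illustration.

```python
import io
import re
import zipfile

# Environment-variable reference such as %AppData% inside a path component.
ENV_REF = re.compile(r"%[^%]+%")


def normalize(name: str) -> str:
    """Treat backslashes as separators; the ZIP spec says '/', but extractors differ."""
    return name.replace("\\", "/")


def is_traversal(name: str) -> bool:
    """True if the entry path could resolve outside the extraction directory."""
    n = normalize(name)
    if n.startswith("/") or re.match(r"^[A-Za-z]:", n):
        return True
    parts = [p for p in n.split("/") if p]
    return ".." in parts or any(ENV_REF.search(p) for p in parts)


def audit_archive(data: bytes) -> list:
    """Return a list of human-readable findings for a ZIP archive given as bytes."""
    findings = []
    files, dirs = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            n = normalize(info.filename)
            if is_traversal(n):
                findings.append(f"traversal: {info.filename}")
            if info.is_dir():
                dirs.add(n.rstrip("/"))
            else:
                files.add(n)
    # A file and a directory sharing one name is the collision the article describes.
    for name in sorted(files & dirs):
        findings.append(f"name collision (file and directory): {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: one benign entry plus the suspicious shapes above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("%AppData%\\WinRAR/", "")           # directory entry
        zf.writestr("%AppData%\\WinRAR", "placeholder")  # file with the same name
        zf.writestr("../../escape.txt", "placeholder")   # parent-directory traversal
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample()):
        print(finding)
```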
Impact & Implications
Although the initial campaign focused on Ukrainian organizations, the nature of the exploit – a commonly used compression tool – means any day‑to‑day user of WinRAR is potentially at risk. The RomCom RAT’s capabilities (remote shell, credential dumping, file exfiltration) can be chained with other malware families, amplifying threat actor reach. Moreover, the use of file‑name collision tactics is reminiscent of older abuses, reminding defenders that legacy tooling can still be a vector if not patched.
Defensive Recommendations
Defenders should adopt a layered response:
- Apply the CVE‑2025‑8088 patch immediately on all Windows hosts using WinRAR.
- Harden user awareness: flag ZIP or RAR attachments, especially those with a “.RAR” extension that do not come from known vendors.
- Implement application whitelisting: block execution of unapproved binaries from the WinRAR startup folder.
- Leverage process monitoring to detect abnormal WinRAR launches from non‑standard directories.
- Continuously scan for the RomCom backdoor signature (e.g., specific registry keys, file paths) and remediate promptly.
- Adopt least‑privilege desktop usage: restrict users from installing or running WinRAR without MFA checks.
Conclusion
The WinRAR CVE‑2025‑8088 exploitation underscores how even well‑known, trusted software can become a weapon if overlooked. It reminds us that the security community must treat every file, archive, or attachment as a potential threat vector. By promptly patching, tightening user controls, and monitoring for anomalous behaviors, organizations can blunt these zero‑days before they materialize into full‑blown intrusions.