WinRAR Zero-Day Exploited by RomCom: What IT Security Benelux Teams Must Do Now
By Marcal Santos, CISM, CDPSE · Updated 11 Aug 2025
TL;DR: A path-traversal WinRAR zero-day (CVE-2025-8088) was exploited in phishing campaigns to drop backdoors. Patch to WinRAR 7.13 immediately, then hunt for post-extraction persistence on endpoints. (BleepingComputer, The Hacker News, NVD)
1) Executive snapshot
What happened: A crafted archive abuses directory traversal so files land outside the chosen folder (e.g., Startup/AppData), enabling silent code execution. Fixed in WinRAR 7.13. Many installs do not auto-update. (BleepingComputer, The Hacker News)
Who’s behind it: Russia-linked RomCom (aka Void Rabisu / Storm-0978), a group with a record of mixing espionage and financially motivated ops and prior zero-day use. (Microsoft, Trend Micro, ESET)
Why Benelux cares: Heavily outsourced workflows + common use of archive files in procurement and logistics raise the odds of supply-chain phishing landing on unmanaged desktops—now in scope under NIS2 oversight. (NVD)
2) The vulnerability (CVE-2025-8088) in plain English
WinRAR failed to properly sanitize file paths inside archives. Attackers could craft an archive that, when extracted, places a payload outside the user’s selected directory—often where it auto-runs. This was exploited in the wild before the vendor pushed a fix in v7.13. Update is manual on most systems. (NVD, BleepingComputer, The Hacker News)
Related WinRAR bug this year (patch regardless): CVE-2025-6218, another directory-traversal/RCE-class issue, was addressed earlier in 2025. (BleepingComputer)
3) Adversary profile: RomCom / Void Rabisu / Storm-0978
Aliases: RomCom, Storm-0978 (Microsoft), Void Rabisu (Trend Micro), UNC2596. (Microsoft, Trend Micro)
Track record: Targeted Europe/North America; campaigns against political events and gov-adjacent orgs; previous zero-days in Mozilla and Windows were documented by ESET. (ESET)
Tradecraft: Spear-phishing with trojanized installers/archives, backdoors for long-term positioning, occasional ransomware/extortion. (Trend Micro)
4) Likely attack chain (high level)
Phish with “invoice/update/tender” lure → victim opens archive.
Extraction triggers path traversal → payload lands in Startup/AppData/program directory.
Backdoor runs (immediate or on reboot) → C2 established; logs show WinRAR activity prior to new binary creation. (BleepingComputer)
5) Immediate actions (first 24 hours)
Patch all endpoints to WinRAR 7.13+. Block older versions via AppLocker/Intune/SRPs until verified. (WinRAR doesn’t auto-update reliably.) (The Hacker News)
Quarantine inbound archives from unknown senders; detonate in a sandbox before release. (BleepingComputer)
Hunt for post-extraction persistence (see queries below).
Message employees: archives ≠ safe by default; beware urgent “PO/invoice” lures.
6) Threat-hunting cheat-sheet
Windows Event/EDR search ideas
Creation of .exe, .dll, .lnk or .js files, or new scheduled tasks, within 5 minutes of WinRAR.exe or unrar.exe execution.
File writes to: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, %ProgramData%, %TEMP%, %LOCALAPPDATA%, or application directories you did not select during extraction.
New autoruns: HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries created right after archive extraction.
Sigma sketch
title: Post-Extraction Persistence After WinRAR Execution
status: experimental
description: WinRAR or unrar writing into autorun or system locations. On a file_event the Image field is the process doing the write, so no separate time window is needed here; the 5-minute correlation above is a hunting query, not a per-event rule.
logsource:
  category: file_event
  product: windows
detection:
  selection_archiver:
    Image|endswith:
      - '\WinRAR.exe'
      - '\unrar.exe'
  selection_path:
    TargetFilename|contains:
      - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
      - '\ProgramData\'
      - '\AppData\Local\'
  filter_rar_temp:
    # WinRAR uses scratch folders named Rar$... under %TEMP% when opening files from an archive; exclude them to avoid noise and tune to your environment
    TargetFilename|contains: '\AppData\Local\Temp\Rar$'
  condition: all of selection_* and not filter_rar_temp
level: high
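The five-minute correlation from the search ideas above, worked through in Python as an added example (not code from the article or from any cited vendor). The Sysmon-style events are constructed; the event IDs follow Sysmon's convention (1 = process create, 11 = file create), and the host names, paths and timestamps are invented.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). id 1 = process create,
# id 11 = file create; only the fields the correlation needs are kept.
EVENTS = [
    {"ts": "2025-08-11T09:14:02", "id": 1, "host": "WS-041",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"ts": "2025-08-11T09:14:05", "id": 11, "host": "WS-041",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\tender_2025\Invoice_0811.pdf"},
    {"ts": "2025-08-11T09:14:06", "id": 11, "host": "WS-041",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"ts": "2025-08-11T09:40:00", "id": 11, "host": "WS-041",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"ts": "2025-08-11T10:02:11", "id": 1, "host": "WS-077",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"ts": "2025-08-11T10:02:15", "id": 11, "host": "WS-077",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\bob\Downloads\report.docx"},
]

ARCHIVERS = ("\\winrar.exe", "\\unrar.exe")
SENSITIVE = ("\\start menu\\programs\\startup\\", "\\programdata\\")
AUTORUN_EXT = (".exe", ".dll", ".lnk", ".js")
WINDOW = timedelta(minutes=5)

def hunt(events, window=WINDOW):
    """Return (host, path) for autorun-type files written into a sensitive
    location within `window` after an archiver started on the same host.
    Unlike a rule keyed on the writing process, this also catches writes made
    by another process (e.g. the shell) as long as they follow the extraction."""
    starts, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1 and ev["image"].lower().endswith(ARCHIVERS):
            starts.setdefault(ev["host"], []).append(t)
        elif ev["id"] == 11:
            target = ev["target"].lower()
            if not (target.endswith(AUTORUN_EXT) and any(s in target for s in SENSITIVE)):
                continue
            if any(timedelta(0) <= t - s <= window for s in starts.get(ev["host"], [])):
                hits.append((ev["host"], ev["target"]))
    return hits

if __name__ == "__main__":
    for host, path in hunt(EVENTS):
        print(f"{host}: {path}")
```

Widening the window (e.g. 30 minutes) also surfaces the later explorer.exe write to Startup on WS-041, at the cost of more noise; pick the window from your own extraction-to-persistence timings.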
7) Hardening checklist for IT Security Benelux
Block legacy WinRAR and require 7.13+ in software catalogs; enforce via MDM/BYOD policies. (The Hacker News)
Content filtering: flag or auto-analyze archives whose entry names contain ..\ path components (an indicator of traversal). (BleepingComputer)
Email security: tighten file-type controls; rewrite/sandbox archives from external senders.
User training: refresh phishing modules for procurement, logistics, and finance—teams most exposed to “invoice” lures.
Incident playbooks: add WinRAR zero-day scenario to tabletop exercises; rehearse containment and comms.
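The traversal check that the content-filtering item above and the vulnerability description in section 2 both turn on, as an added Python example (not code from the article, from WinRAR, or from any cited vendor): each archive entry name is resolved against the user's chosen destination with Windows path rules and flagged if it would land outside that folder. The destination path and the sample listing are constructed; ntpath is used so the check runs on any host.

```python
import ntpath
from dataclasses import dataclass

# Destination the user picked in the extraction dialog (constructed sample).
DEST = r"C:\Users\alice\Downloads\tender_2025"

@dataclass
class Verdict:
    entry: str
    resolved: str
    safe: bool
    reason: str

def check_entry(entry: str, dest: str = DEST) -> Verdict:
    """Resolve an archive entry name against `dest` using Windows path rules
    (ntpath, so this runs on any host) and flag anything that escapes it."""
    dest_norm = ntpath.normpath(dest)
    # Drive letters, UNC prefixes and alternate data streams need ':' or a leading separator.
    if ":" in entry:
        return Verdict(entry, entry, False, "drive letter or ADS in entry name")
    if entry[:1] in ("\\", "/"):
        return Verdict(entry, entry, False, "rooted or UNC entry name")
    resolved = ntpath.normpath(ntpath.join(dest_norm, entry))
    try:
        inside = ntpath.commonpath([dest_norm, resolved]) == dest_norm
    except ValueError:  # different drive, or absolute/relative mix
        inside = False
    if not inside:
        return Verdict(entry, resolved, False, "escapes destination via '..'")
    return Verdict(entry, resolved, True, "ok")

def scan_listing(entries, dest: str = DEST):
    """Verdict for every entry in an archive listing (e.g. from a mail gateway)."""
    return [check_entry(e, dest) for e in entries]

def is_suspicious(entries, dest: str = DEST) -> bool:
    """True if any entry would land outside the chosen extraction folder."""
    return any(not v.safe for v in scan_listing(entries, dest))

# Constructed listing modelled on the lure: real-looking documents plus entries aimed at autorun locations.
SAMPLE_LISTING = [
    r"Tender_2025\Invoice_0811.pdf",
    r"Tender_2025\Annex A\pricing.xlsx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"Tender_2025\..\..\..\..\..\ProgramData\svc.dll",
    r"C:\Users\Public\run.exe",
    r"\Windows\Temp\x.exe",
    r"notes.txt:hidden.exe",
]
```

Forward slashes, mixed case and ".." that climb past the drive root are all normalised before the containment check, so a gateway rule based on this does not depend on the exact spelling the archive uses.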
8) Governance & NIS2 lens
For Benelux “essential/important” entities, timely patching and continuous detection of exploited vulnerabilities sit squarely under NIS2 Article 21 expectations. Supervisory bodies can demand evidence of configuration management, vulnerability handling, and incident-handling drills tied to actively exploited CVEs like CVE-2025-8088. (NVD)
9) What good looks like (control objectives)
MTTR for app-level vulns: ≤ 7 days for exploited CVEs; 24 h for internet-exposed or mass-used desktop apps (WinRAR falls here).
EDR coverage: 95 % of Windows endpoints with robust archive-extraction telemetry.
Awareness KPI: ≥ 90 % completion on “malicious archives” micro-training across at-risk roles.
Sources
Tom’s Hardware — summary & update guidance on WinRAR 7.13 and RomCom attribution. (Tom's Hardware)
NVD — CVE-2025-8088 path-traversal description, exploited-in-the-wild flag. (NVD)
BleepingComputer — exploitation details and fix in 7.13; phishing delivery of RomCom. (BleepingComputer)
The Hacker News — urgent manual-update advisory for the zero-day. (The Hacker News)
Trend Micro / Microsoft — background on RomCom/Void Rabisu/Storm-0978 operations and targeting. (Trend Micro, Microsoft)
ESET — RomCom history of zero-day use (Mozilla/Windows). (ESET)
Call to action
Need help with a 24-hour patch & hunt sprint across your Windows fleet? Book a rapid engagement with Trescudo: clients.trescudo.com/form1.
Disclaimer
This article is provided for general information only and does not constitute legal, compliance, or professional security advice. Every environment is unique—conduct a tailored risk assessment and consult qualified counsel before implementing controls.