

Ethical Hacking News

WinRAR Zero-Day Exploitation: A Deep Dive into the Cybersecurity Threat


Attacks exploiting a previously unknown path traversal vulnerability in WinRAR (CVE-2025-8088) have infected PCs with malware. The Russia-aligned cyberespionage group RomCom has been linked to the attacks, which delivered known RomCom malware families through three distinct attack chains.

  • Researchers have discovered a WinRAR zero-day attack attributed to the Russia-aligned cyberespionage threat group "RomCom".
  • The attack leveraged a previously undocumented path traversal vulnerability in WinRAR that let an archive write files to attacker-chosen locations outside the extraction directory.
  • The attackers used specially crafted RAR archives whose Alternate Data Stream (ADS) entries concealed a malicious DLL and a Windows shortcut file.
  • The shortcut landed in the Windows Startup folder, so the malware ran at the next logon, giving the attackers stealthy persistence.
  • Three distinct attack chains were documented, all of which delivered known RomCom malware families.
  • RomCom has a history of exploiting zero-day vulnerabilities in various software products.
  • WinRAR 7.13, which fixes the vulnerability, was released on July 30th, 2025; the release notes did not mention active exploitation.
  • Experts stress the importance of keeping software up-to-date and taking proactive measures to protect against emerging threats.



    Researchers have shed light on WinRAR zero-day attacks that infected PCs with malware. The exploitation of a vulnerability in the popular archiver tool has pushed cybersecurity teams to understand the implications and take the necessary measures to protect users.

    The WinRAR zero-day attack, attributed to the Russia-aligned cyberespionage threat group "RomCom" (also known as Storm-0978 and Tropical Scorpius), was first observed by ESET researchers on July 18, 2025. The attack leveraged a previously undocumented path traversal vulnerability in WinRAR: a crafted archive could make the extractor write files to attacker-chosen paths outside the folder the user selected, without the extraction dialog making this obvious.

    According to a report published by ESET today, the RomCom group used this vulnerability in specially crafted RAR archives that contained a decoy document plus hidden Alternate Data Stream (ADS) entries. The ADS entries concealed a malicious DLL and a Windows shortcut file, which were extracted into attacker-specified folders when the target opened the archive.

    The attackers placed the executables in the %TEMP% or %LOCALAPPDATA% directories, while the Windows shortcuts (LNK files) were dropped into the Windows Startup directory. The shortcut therefore ran at the next logon, giving the attackers a stealthy persistence mechanism that did not depend on the victim running anything after extraction.
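    The following is an added example (not code from ESET, WinRAR or the page's author) showing the check a hardened extractor must perform against the pattern described above: both the entry's primary path and its ADS stream name are untrusted, and a stream name carrying path components must be rejected rather than resolved. The archive listing, the extraction directory and the file names are constructed for illustration; the model of where an unsanitised extractor would write the stream (relative to the entry's own directory) is an assumption of this example, not a statement about WinRAR internals.

```python
"""Flag archive entries whose primary path or ADS stream name escapes the extraction directory.

Added example for the CVE-2025-8088 path-traversal pattern; not ESET's or WinRAR's code.
Path handling uses ntpath so the Windows semantics are reproduced on any platform.
"""
import ntpath

# Constructed sample listing modelled on the described chain (decoy document plus ADS
# entries carrying a Startup .lnk and a DLL); names are illustrative, not the real archive.
SAMPLE_ENTRIES = [
    "Resume.pdf",
    "Resume.pdf:Zone.Identifier",
    "Resume.pdf:..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Resume.pdf:..\\AppData\\Local\\Temp\\msedge.dll",
    "..\\evil.exe",
    "notes\\readme.txt",
]

SEPARATORS = ("\\", "/")


def split_ads(entry):
    """Split 'name:stream' into (name, stream); a leading drive letter is not an ADS separator."""
    start = 2 if len(entry) >= 2 and entry[1] == ":" and entry[0].isalpha() else 0
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def resolve_inside(base_dir, relpath):
    """Return the normalized target of relpath under base_dir, or None if it escapes."""
    if relpath[:1] in SEPARATORS or ntpath.splitdrive(relpath)[0]:
        return None  # rooted, drive-qualified or UNC paths are never acceptable from an archive
    base = ntpath.normpath(base_dir)
    target = ntpath.normpath(ntpath.join(base, relpath))
    if target == base or not target.startswith(base.rstrip("\\") + "\\"):
        return None  # '..' components walked out of base_dir
    return target


def stream_is_plain_name(stream):
    """A legitimate ADS name is a single component: no separators, no '..'."""
    return stream not in ("", ".", "..") and not any(sep in stream for sep in SEPARATORS)


def classify_entry(dest_dir, entry):
    """Return (verdict, effective_path) for one archive entry.

    verdict is 'ok', 'traversal' (primary name escapes dest_dir) or
    'ads-traversal' (stream name carries path components, the CVE-2025-8088 pattern).
    """
    name, stream = split_ads(entry)
    primary = resolve_inside(dest_dir, name)
    if primary is None:
        return "traversal", None
    if stream is None:
        return "ok", primary
    if stream_is_plain_name(stream):
        return "ok", primary + ":" + stream
    # Assumption of this model: an unsanitised extractor resolves the stream text as a
    # path relative to the entry's directory, so report where that would land.
    landing = ntpath.normpath(ntpath.join(ntpath.dirname(primary), stream))
    return "ads-traversal", landing


def scan(dest_dir, entries):
    """Classify every entry; return a list of (entry, verdict, effective_path)."""
    return [(e, *classify_entry(dest_dir, e)) for e in entries]


if __name__ == "__main__":
    for entry, verdict, path in scan("C:\\Users\\victim\\Downloads", SAMPLE_ENTRIES):
        print(f"{verdict:14} {entry!r} -> {path}")
```

    Run against the constructed listing, the two ADS entries are reported as ads-traversal with landing paths in the user's Startup folder and %LOCALAPPDATA%\Temp, and the bare `..\evil.exe` entry as a plain traversal. The number of `..` components an attacker needs depends on where the victim extracts, which is why the check normalizes the full path rather than looking for a fixed prefix.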

    ESET documented three distinct attack chains, all of which delivered known RomCom malware families:

    * **Mythic Agent**: Updater.lnk adds msedge.dll to a COM hijack registry location, which decrypts AES shellcode and runs only if the system's domain matches a hardcoded value. This launches the Mythic agent, enabling C2 communication, command execution, and payload delivery.
    * **SnipBot**: Display Settings.lnk runs ApbxHelper.exe, a modified PuTTY CAC build carrying an invalid code-signing certificate. It checks that at least 69 recently opened documents are recorded on the system (an anti-sandbox check) before decrypting shellcode that downloads additional payloads from attacker servers.
    * **MeltingClaw**: Settings.lnk launches Complaint.exe (RustyClaw), which downloads a MeltingClaw DLL that fetches and executes more malicious modules from the attacker's infrastructure.

    RomCom's use of a WinRAR zero-day is not an isolated incident. The group has a history of exploiting zero-day vulnerabilities in various software products, including Firefox (CVE-2024-9680, chained with the Windows privilege-escalation flaw CVE-2024-49039) and Microsoft Office (CVE-2023-36884).

    The vulnerability was assigned the identifier CVE-2025-8088, and the fix was released by the developer on July 30th, 2025, in WinRAR 7.13. The release notes did not mention active exploitation. The flaw affects the Windows builds (WinRAR, the command-line RAR and UnRAR tools, the portable UnRAR source and UnRAR.dll); the Unix versions and RAR for Android are not affected.

    The ESET report highlights the importance of keeping software up-to-date and taking proactive measures to protect against emerging threats. WinRAR's popularity among power users and organizations makes it a prime target for attackers. Furthermore, WinRAR has no auto-update mechanism, so users must manually download and install the latest version from the official website; a fleet-wide inventory of installed WinRAR versions is the practical first check for defenders.

    As threats continue to evolve, individuals and organizations need to remain vigilant: update software promptly, treat archives received by email as untrusted, and watch the Startup folder and %TEMP%/%LOCALAPPDATA% for newly dropped shortcuts and DLLs, since that is where this campaign placed its payloads.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/WinRAR-Zero-Day-Exploitation-A-Deep-Dive-into-the-Cybersecurity-Threat-ehn.shtml

  • Published: Mon Aug 11 13:48:00 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.