
CVE-2025-8088 "WinRAR ADS Escape"

DTG Threat Management Team

Pegasos24/7 Threat Labs Advisory

Classification: Threat Advisory

Threat Level: High/Advisory

Date Issued: 08 August 2025

Distribution: To: Security Operations Centers (SOC), Endpoint Security Teams, IT Asset Management, Vulnerability Management, Compliance & Risk Management

Executive Summary

CVE-2025-8088, publicly disclosed and colloquially named "WinRAR ADS Escape," is a high-severity path traversal vulnerability affecting RARLAB WinRAR, RAR, UnRAR, and UnRAR.dll for Windows in versions 7.12 and earlier. Classified under CWE-35 (Path Traversal), the vulnerability permits a remote, unauthenticated attacker to achieve arbitrary code execution by crafting a malicious RAR archive containing filenames that abuse NTFS Alternate Data Stream (ADS) syntax to escape the intended extraction directory and write payloads to attacker-controlled locations, most commonly the Windows Startup folder for persistence. Discovered by ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek on 18 July 2025 during active zero-day exploitation, and patched in WinRAR 7.13 on 30 July 2025, the flaw carries a CVSS v3.1 score of 8.8 (High) per NIST and a CVSS v4.0 score of 8.4 (High) per ESET.


Exploitation is active in the wild and expanding. At least eight distinct threat groups, including UNC4895/RomCom, APT44/Sandworm, TEMP.Armageddon/Gamaredon, Turla, Paper Werewolf, China-linked actors deploying POISONIVY, a separate China-nexus actor codenamed Autumn Dragon, and multiple financially motivated operators have weaponized this vulnerability across campaigns spanning Eastern Europe, Southeast Asia, Latin America, and beyond. CISA added CVE-2025-8088 to the Known Exploited Vulnerabilities (KEV) catalog on 12 August 2025 with a federal remediation deadline of 2 September 2025. The exploit was advertised on the Russian-language dark web forum Exploit.in by broker "zeroplayer" for $80,000 on 7 July 2025, eleven days before ESET observed the first in-the-wild exploitation, demonstrating a commoditized exploit supply chain feeding both state-sponsored and financially motivated actors.


With over 500 million WinRAR users globally, no automatic update mechanism, and a downstream supply chain extending through UnRAR.dll embedded in products including Google Chromium, Calibre, and PowerISO, the patching gap remains significant. The historical precedent of CVE-2023-38831 (2023 WinRAR zero-day) demonstrates that months-long patch adoption gaps are the norm for this software, making this a high-priority remediation target.


The Vulnerability

CVE-2025-8088 is classified under CWE-35 (Path Traversal: '.../.../') and represents a direct bypass of the incomplete fix for the companion vulnerability CVE-2025-6218 (CVSS 7.8), which was patched in WinRAR 7.12 in June 2025. While CVE-2025-6218 addressed standard directory traversal sequences in filenames, the fix left the ADS code path unprotected, creating an immediately adjacent bypass vector.

| Attribute | Detail |
|---|---|
| CVE ID | CVE-2025-8088 |
| Companion CVE | CVE-2025-6218 (CVSS 7.8, path traversal without ADS, patched in 7.12) |
| Nickname | WinRAR ADS Escape |
| Attack Vector | Network (unauthenticated, user interaction required) |
| CVSS v3.1 Score | 8.8 (High) |
| CVSS v4.0 Score | 8.4 (High) |
| Attack Complexity | Low |
| CWE | CWE-35 (Path Traversal) |
| Exploit Availability | Public PoC available; dark web sale by "zeroplayer" for $80,000 on 7 July 2025; weaponized exploit kits observed since August 2025 |
| Exploitation Status | Actively exploited in the wild by 8+ threat groups since 18 July 2025 |
| CISA KEV | Added 12 August 2025; remediation deadline 2 September 2025 |

Technical Details

  • Root Cause: WinRAR's extraction engine validates filenames for standard path traversal sequences (../, ..\) but does not strip or reject the colon character (:) used in NTFS ADS syntax, nor does it sanitize the stream name portion following the colon for traversal characters. This is a direct bypass of the CVE-2025-6218 fix.

  • Attack Vector: The attacker delivers a specially crafted RAR archive via spearphishing email, web download, or file transfer. The archive contains entries using ADS syntax to traverse directories. When extracted, the malicious payload is written to an attacker-controlled path — most commonly %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ for auto-execution on next login. Observed lure themes include medical records, CVs/resumes, job documents, military recruitment, drone operations, and geopolitical lures.

  • Impact: Successful exploitation results in arbitrary file write, leading to remote code execution. Attackers have deployed backdoors (NESTPACKER/SnipBot, RustyClaw/MeltingClaw, STOCKSTAY, POISONIVY, Mythic agent), established C2 channels, harvested credentials, and exfiltrated data. TEMP.Armageddon deployed GamaWiper (a destructive wiper), marking this group's first observed destructive operation.

  • Three Execution Chains (RomCom):

    • Chain 1 (Mythic Agent): Updater.lnk adds msedge.dll to COM hijack registry. Decrypts AES shellcode; executes only if domain matches hardcoded value. C2: srlaptop[.]com

    • Chain 2 (SnipBot): Modified PuTTY CAC fork (ApbxHelper.exe) decrypts shellcode using filename as key. Anti-sandbox: requires 69+ recent documents. C2: campanole[.]com

    • Chain 3 (RustyClaw/MeltingClaw): Rust-based downloader (Complaint.exe) with invalid certificate fetches install_module_x64.dll. C2: melamorri[.]com
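The Root Cause bullet above describes an entry-name check that looks for traversal sequences in the path but never inspects the stream name after a colon. The following Python block is an added illustration written for this advisory, not WinRAR's code and not a description of its internals: naive_validate() models a check with exactly that gap, hardened_validate() and classify() show what an extractor should do instead (reject absolute and UNC paths, reject NTFS stream syntax in a relative name, and look for ".." in every component of the whole string). The sample entry names are constructed.

```python
"""Entry-name validation for an archive extractor, illustrating the
CVE-2025-8088 root cause (added example; models, not WinRAR's code)."""
import re
from pathlib import PureWindowsPath

SEPARATORS = re.compile(r"[\\/]")


def _has_traversal(text):
    """True if any path component of `text` is '..' (both separators count)."""
    return any(part == ".." for part in SEPARATORS.split(text))


def classify(entry_name):
    """Return why an archive entry name is unsafe, or 'ok'.

    Order matters: absolute/UNC paths first, then NTFS stream syntax (a colon
    anywhere in a relative name), then traversal anywhere in the string,
    stream name included.
    """
    if "\x00" in entry_name:
        return "embedded-nul"
    path = PureWindowsPath(entry_name)
    if path.drive or path.root:
        return "absolute"
    if ":" in entry_name:
        return "ads-syntax"
    if _has_traversal(entry_name):
        return "traversal"
    return "ok"


def naive_validate(entry_name):
    """Model of the incomplete check: absolute paths are refused, but only the
    part before the first colon is inspected for traversal."""
    full = PureWindowsPath(entry_name)
    if full.drive or full.root:
        return False
    base = entry_name.partition(":")[0]   # stream name after ':' is never checked
    return not _has_traversal(base)


def hardened_validate(entry_name):
    """Accept an entry only if classify() finds nothing wrong with the whole name."""
    return classify(entry_name) == "ok"


# Constructed sample names (not contents of any real archive).
SAMPLE_ENTRIES = {
    "docs\\cv.pdf": "ok",
    "..\\..\\Startup\\demo.lnk": "traversal",
    "cv.pdf:..\\..\\Startup\\demo.lnk": "ads-syntax",   # slips past naive_validate
    "C:\\Windows\\demo.dll": "absolute",
    "\\\\server\\share\\demo.dll": "absolute",
}


def compare_checks(entries=SAMPLE_ENTRIES):
    """Names the naive check accepts but the hardened check rejects."""
    return [n for n in entries if naive_validate(n) and not hardened_validate(n)]


if __name__ == "__main__":
    for name, expected in SAMPLE_ENTRIES.items():
        print(f"{name!r:40} classify={classify(name):13} "
              f"naive={naive_validate(name)!s:5} hardened={hardened_validate(name)}")
    print("gap between the two checks:", compare_checks())
```

The point of compare_checks() is the single entry it returns: a name whose path part is clean and whose stream part carries the traversal, which is the shape of bypass the advisory attributes to the incomplete CVE-2025-6218 fix. A validator that treats the colon as a hard reject (or, if streams must be supported, applies the same traversal check to the stream name) closes that gap.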


Affected Software and Versions

  • WinRAR 7.1x — Affected through 7.12; patched in 7.13 (released 30 July 2025)

  • WinRAR 7.0x — All versions affected; upgrade to 7.13 required

  • WinRAR 6.x — All versions affected; upgrade to 7.13 required

  • WinRAR 5.x and earlier — All versions affected; no patches available (end-of-life); upgrade to 7.13 required

  • RAR and UnRAR command-line tools (Windows) — Affected through 7.12; upgrade to 7.13 required

  • UnRAR.dll — Affected; upgrade to 7.13 required

  • Portable UnRAR source code (Windows builds) — Affected; rebuild from 7.13 source required

Not Affected: Linux/Unix builds, RAR for Android.
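The version list above is what an inventory audit has to encode: every Windows build of WinRAR, RAR, UnRAR and UnRAR.dll below 7.13 needs action, while Linux/Unix builds are out of scope. The following Python block is an added example (not a DTG or RARLAB tool); the inventory records, hostnames and field names are constructed. It compares versions as integer tuples rather than strings, which is the usual mistake in ad-hoc audit scripts ("7.9" sorts after "7.13" as text), and it surfaces records whose version could not be parsed instead of silently treating them as safe.

```python
"""Triage an endpoint inventory against the CVE-2025-8088 affected-version list
(added example; records and field names are constructed)."""
import re

PATCHED = (7, 13)                      # first fixed release per the advisory
# Windows builds the advisory lists as affected (matched case-insensitively).
AFFECTED_PRODUCTS = {"winrar", "rar", "unrar", "unrar.dll"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text):
    """'7.12', '7.01', '6.24', '7.13 beta 1', '7.12.0.0' -> (major, minor).
    Returns None when no version is present. Compare the tuples, never the
    raw strings: '7.9' > '7.13' as text but (7, 9) < (7, 13) as numbers."""
    m = VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(record):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown-version'."""
    if record.get("platform", "windows").lower() != "windows":
        return "not-affected"          # Linux/Unix builds and RAR for Android
    if record["product"].lower() not in AFFECTED_PRODUCTS:
        return "not-affected"
    version = parse_version(record.get("version"))
    if version is None:
        return "unknown-version"       # needs a manual check, not a silent pass
    return "patched" if version >= PATCHED else "vulnerable"


def triage_inventory(inventory):
    """Rows needing action: (host, product, version, verdict)."""
    rows = []
    for record in inventory:
        verdict = assess(record)
        if verdict in ("vulnerable", "unknown-version"):
            rows.append((record["host"], record["product"],
                         record.get("version"), verdict))
    return rows


# Constructed inventory; the bundled_by field records the UnRAR.dll carrier.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "WinRAR", "version": "7.13"},
    {"host": "ws-02", "product": "WinRAR", "version": "7.12"},
    {"host": "ws-03", "product": "WinRAR", "version": "6.24"},
    {"host": "ws-04", "product": "unrar.dll", "version": "7.12.0.0",
     "bundled_by": "Calibre"},
    {"host": "srv-05", "product": "unrar", "version": "7.12", "platform": "linux"},
    {"host": "ws-06", "product": "WinRAR", "version": ""},
    {"host": "ws-07", "product": "7-Zip", "version": "24.09"},
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print("%-8s %-10s %-10s %s" % row)
```

The bundled_by field matters for the SBOM step later in this advisory: an endpoint can report WinRAR 7.13 and still carry a vulnerable unrar.dll inside another product, so the DLL should be inventoried as its own record rather than inferred from the WinRAR version.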


Supply-Chain Risk

| Product | Category | Risk |
|---|---|---|
| Google Chromium | Web browser | third_party/unrar/ dependency |
| Calibre | E-book management | Bundles unrar.dll |
| PowerISO | Disk image tool | Bundles unrar.dll |
| Epubor | E-book conversion | Bundles unrar.dll |
| PC Game Mod Managers | Gaming tools | Common unrar.dll dependency |
| NSIS Installers | Software deployment | Can use unrar.dll for RAR extraction |

Threat Intelligence

Threat Actors

| Actor | Attribution | Targets | Payload | Status |
|---|---|---|---|---|
| UNC4895 / RomCom | Russia (dual financial + espionage) | Finance, defense, manufacturing, logistics (Europe, Canada, Ukraine) | SnipBot, RustyClaw/MeltingClaw, Mythic agent | Active; 3rd known zero-day |
| APT44 / FROZENBARENTS | Russia (GRU Unit 74455) | Ukrainian military/government | Malicious LNK + Ukrainian-language decoy documents | Active |
| TEMP.Armageddon / Gamaredon | Russia (FSB, Crimean branch) | Ukrainian government, military, law enforcement | HTA downloaders, Pteranodon, GamaWiper (first destructive op) | Active into 2026 |
| Turla / SUMMIT | Russia (FSB Center 16) | Military, diplomatic targets | STOCKSTAY malware suite | Active |
| Paper Werewolf / GOFFEE | State-sponsored (anti-Russia) | Russian organizations, government agencies | WinRunApp.exe .NET loader | Active |
| China-linked (POISONIVY) | PRC; specific group unattributed | Government, defense, telecom | BAT dropper → POISONIVY RAT | Active |
| Autumn Dragon | China-nexus | SE Asia governments (Laos, Cambodia, Singapore, Philippines, Indonesia) | DLL sideloading via obs-browser-page.exe, Creative Cloud Helper.exe | Active |
| Financially motivated | Various | Global (Indonesia, LATAM, Brazil) | XWorm, AsyncRAT, Telegram Bot backdoor, malicious Chrome banking extension | Active into 2026 |

Exploit Supply Chain

The underground exploit broker "zeroplayer" advertised the CVE-2025-8088 WinRAR RCE zero-day on the Russian-language dark web forum Exploit.in on 7 July 2025 for $80,000, eleven days before ESET observed the first in-the-wild exploitation. Paper Werewolf is suspected of purchasing the exploit based on timeline analysis by BI.ZONE.


Victimology & Targeting

Primary targets include Ukrainian military and government entities, NATO-aligned defense contractors, critical infrastructure operators, telecommunications providers, diplomatic entities, and financial institutions. Geographic concentration centers on Ukraine, Eastern Europe, NATO member states, and Southeast Asia. Financial campaigns extend globally, targeting hospitality (LATAM), banking (Brazil), and general users (Indonesia).


MITRE ATT&CK Alignment

| Technique ID | Name | Context |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Malicious RAR archives delivered via email |
| T1204.002 | User Execution: Malicious File | Victim extracts RAR archive |
| T1203 | Exploitation for Client Execution | CVE-2025-8088 path traversal |
| T1547.001 | Boot/Logon Autostart: Startup Folder | Payload persistence via Startup directory |
| T1546.015 | Event Triggered Execution: COM Hijacking | Mythic agent COM registry persistence |
| T1564.004 | Hide Artifacts: NTFS File Attributes | ADS used to conceal payloads |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Legitimate executables loading malicious DLLs |
| T1497 | Virtualization/Sandbox Evasion | SnipBot 69-document registry check |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Post-exploitation scripting |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BAT/CMD payloads |
| T1036 | Masquerading | Payloads named as legitimate files (msedge.dll) |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS-based C2 |
| T1105 | Ingress Tool Transfer | Multi-stage payload downloads |
| T1020 | Automated Exfiltration | Data theft to C2 |
| T1027 | Obfuscated Files or Information | AES-encrypted shellcode, control-flow obfuscation |
| T1485 | Data Destruction | GamaWiper destructive capability |


Exploitation Indicators & IOCs

Network Indicators

  • Outbound HTTPS connections to the following C2 domains: srlaptop[.]com, campanole[.]com, melamorri[.]com, gohazeldale[.]com, public.megadatacloud[.]com

  • HTTP/HTTPS callbacks to non-standard ports from processes spawned by WinRAR child processes

  • DNS queries for newly registered or low-reputation domains immediately following archive extraction events

  • Telegram Bot API C2 communication (financially motivated Indonesian campaign)

Log Indicators

  • WinRAR process (winrar.exe or unrar.exe) writing files outside the specified extraction directory

  • File creation events in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ correlated with archive extraction

  • Sysmon Event ID 15 (FileCreateStreamHash) indicating creation of NTFS Alternate Data Streams

  • Sysmon Event ID 11 (FileCreate) for files written to Startup folder by WinRAR processes

  • Sysmon Event ID 13 (RegistryEvent) for COM hijack registry modifications (Mythic chain)

  • Sysmon Event ID 1 (Process Creation) for execution from ADS or from Startup folder

  • Presence of msedge.dll in non-standard locations (Mythic agent DLL sideloading)

Detection Rules

YARA

  • EXPL_RAR_Archive_with_Path_Traversal_Aug25 - Nextron Systems (Arnim Rupp), published 2025-08-11. Available at github.com/Neo23x0/signature-base

  • WinRAR_DirectoryTraversal - Generic rule for ..\..\..\AppData\...\Startup within archives

Sigma / SIEM

  • Splunk: Windows Alternate DataStream - Process Execution (ID: 30c32c5c) and Windows Alternate DataStream - Executable Content (ID: a258bf2a)

  • Elastic: Unusual Process Execution Path - Alternate Data Stream

Custom Rule Logic

  • Alert on Sysmon Event ID 15 where TargetFilename contains : AND parent process is winrar.exe or unrar.exe

  • Alert on file creation in Startup directories where parent process chain includes archive utilities
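The two custom rules above need a process tree, because the Startup write may come from a child of the archiver rather than from winrar.exe itself, and they need one exclusion, because WinRAR 7.10+ legitimately writes the Zone.Identifier stream (see the Detection and Forensics section below), so an unfiltered "TargetFilename contains :" rule fires on every extraction. The following Python block is an added example (not a Splunk, Elastic or Sysmon artifact): it rebuilds process ancestry from Sysmon Event ID 1 records and applies both rules to Event ID 11 and 15 records. Field names follow Sysmon's schema (EventID, Image, ProcessGuid, ParentProcessGuid, TargetFilename); the event values and GUIDs are constructed.

```python
"""Sysmon-based detection for archive-utility ADS and Startup-folder writes
(added example; event records are constructed, field names follow Sysmon)."""

ARCHIVE_TOOLS = {"winrar.exe", "unrar.exe", "rar.exe"}
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Mark-of-the-Web stream written by WinRAR 7.10+ and browsers; excluded so
# rule 1 fires only on stream names that extraction should never produce.
BENIGN_STREAMS = {"zone.identifier"}


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def build_process_tree(events):
    """ProcessGuid -> (image basename, ParentProcessGuid) from Event ID 1 records."""
    return {e["ProcessGuid"]: (_basename(e["Image"]), e.get("ParentProcessGuid"))
            for e in events if e["EventID"] == 1}


def ancestry(event, tree, max_depth=16):
    """Image basenames of the writing process and its ancestors, nearest first.
    Stops when a parent was never seen (e.g. started before Sysmon)."""
    chain = [_basename(event["Image"])]
    guid = tree.get(event.get("ProcessGuid"), (None, None))[1]
    while guid in tree and len(chain) < max_depth:
        image, guid = tree[guid]
        chain.append(image)
    return chain


def _stream_name(target):
    """'C:\\dir\\file.txt:stream' -> 'stream'; '' when no stream. The drive
    colon at index 1 is skipped so it is not mistaken for a stream separator."""
    body = target[2:] if len(target) > 1 and target[1] == ":" else target
    return body.partition(":")[2].lower()


def triage_events(events):
    """Apply both custom rules; returns one alert dict per match."""
    tree = build_process_tree(events)
    alerts = []
    for e in events:
        if e["EventID"] not in (11, 15):
            continue
        chain = ancestry(e, tree)
        if not ARCHIVE_TOOLS.intersection(chain):
            continue                          # no archiver in the process chain
        target = e["TargetFilename"]
        stream = _stream_name(target)
        if e["EventID"] == 15 and stream and stream not in BENIGN_STREAMS:
            alerts.append({"rule": "ads-write-by-archiver",
                           "image": chain[0], "target": target})
        if STARTUP_MARKER in target.lower():
            alerts.append({"rule": "startup-write-via-archiver",
                           "image": chain[0], "target": target})
    return alerts


WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed events: GUIDs, user name and file names are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G-WINRAR}", "ParentProcessGuid": "{G-EXPLORER}",
     "Image": WINRAR},
    {"EventID": 1, "ProcessGuid": "{G-CMD}", "ParentProcessGuid": "{G-WINRAR}",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Mark-of-the-Web stream: expected behaviour, must not alert.
    {"EventID": 15, "ProcessGuid": "{G-WINRAR}", "Image": WINRAR,
     "TargetFilename": "C:\\Users\\alice\\Downloads\\cv.pdf:Zone.Identifier"},
    # Unexpected stream written by the archiver: rule 1.
    {"EventID": 15, "ProcessGuid": "{G-WINRAR}", "Image": WINRAR,
     "TargetFilename": "C:\\Users\\alice\\Downloads\\cv.pdf:stage"},
    # Startup write directly by WinRAR: rule 2.
    {"EventID": 11, "ProcessGuid": "{G-WINRAR}", "Image": WINRAR,
     "TargetFilename": STARTUP + "Display Settings.lnk"},
    # Startup write by a child of WinRAR: rule 2 through the parent chain.
    {"EventID": 11, "ProcessGuid": "{G-CMD}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": STARTUP + "Updater.lnk"},
    # Startup write by explorer with no archiver ancestry: no alert.
    {"EventID": 11, "ProcessGuid": "{G-EXPLORER}", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": STARTUP + "Notes.lnk"},
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["rule"], alert["image"], alert["target"], sep="  ")
```

Rule 1 stays narrow on purpose: it ignores Zone.Identifier but still fires on any other stream name an archiver writes, which the advisory's Sysmon Event ID 15 indicator is meant to catch. Rule 2 matches on the full Startup path substring rather than on %APPDATA%, since Sysmon logs expanded paths.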


Threat Landscape and Observed Exploitation

Exploitation of CVE-2025-8088 has been confirmed in the wild since 18 July 2025, when ESET researchers observed UNC4895/RomCom conducting a zero-day spearphishing campaign against financial, manufacturing, defense, and logistics companies in Europe and Canada. ESET contacted RARLAB on 24 July 2025; a fix was developed within 24 hours, and WinRAR 7.13 was released publicly on 30 July 2025. CISA added the vulnerability to the KEV catalog on 12 August 2025, with a federal remediation deadline of 2 September 2025.

The exploit was commercially available before the first observed exploitation. The dark web broker "zeroplayer" advertised it on Exploit.in on 7 July 2025 for $80,000, indicating the vulnerability was known in underground markets at least 11 days before ESET's first detection. By Q4 2025, at least eight distinct threat groups had independently incorporated the exploit. Notably, TEMP.Armageddon/Gamaredon deployed GamaWiper via CVE-2025-8088 in November 2025, marking the group's first observed destructive operation (reported by ClearSky, 30 November 2025).

WinRAR's install base exceeds 500 million users, with approximately $4.8 million in annual revenue, suggesting the vast majority are unlicensed trialware. The historical precedent of CVE-2023-38831 shows months-long patch adoption gaps. Google GTIG stated: "This is similar to the widespread exploitation of a known WinRAR bug in 2023, CVE-2023-38831, highlighting that exploits for known vulnerabilities can be highly effective, despite a patch being available."

Detection and Forensics

  • Alternate Data Stream artifacts: Use dir /R, Sysinternals streams.exe -s, or PowerShell Get-Item -Stream * to enumerate ADS. Files written via ADS traversal are deposited as regular files at the traversal destination.

  • Startup folder monitoring: Review %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ for unexpected .lnk, .hta, .bat, .cmd, .dll files. Specific filenames: Updater.lnk, Display Settings.lnk.

  • Process chain analysis: Investigate trees where winrar.exe or unrar.exe spawns PowerShell, cmd.exe, mshta.exe, or unexpected executables.

  • COM hijack detection: Monitor registry modifications to COM object CLSIDs following WinRAR execution (Sysmon Event ID 13).

  • DLL sideloading: Hunt for obs-browser-page.exe, Creative Cloud Helper.exe loading DLLs from non-standard paths.

  • Zone.Identifier forensics: Sysmon Event ID 15 captures HostUrl and ReferrerUrl. WinRAR 7.10+ defaults to "Zone value only" mode.

  • Forensic tooling: Velociraptor, KAPE, X-Ways Forensics, FTK, The Sleuth Kit/Autopsy, MFTECmd.

  • Sysmon: Ensure Event ID 15 (FileCreateStreamHash) is enabled. Sysmon v11.10+ captures ADS content when text and < 1KB.

Business Impact

Data Exposure and Espionage

Given the concentration of state-sponsored APT actors and their focus on government, defense, military, and critical infrastructure targets, the primary business impact is espionage-driven exposure of sensitive data.


Full System Compromise

The path traversal leads to arbitrary file write with the user's privileges, resulting in backdoor deployment, credential harvesting, lateral movement, and data exfiltration.


CIA Triad Impact

  • Confidentiality: Exfiltration of sensitive documents, credentials, email archives, strategic plans, intellectual property, browser cookies, and saved passwords.

  • Integrity: Deployment of backdoors that modify system state, install additional malware, and manipulate security configurations. COM hijacking and DLL sideloading alter expected behavior. GamaWiper introduces data destruction risk.

  • Availability: GamaWiper directly threatens availability. APT44/Sandworm has extensive history of wiper deployment (NotPetya, Olympic Destroyer, Ukrainian power grid attacks).

  • Downstream Risk: Compromised endpoints serve as pivot points. Credential harvesting enables broader compromise. UnRAR.dll supply chain means applications beyond WinRAR may serve as vectors.


Mitigation and Response Actions

Immediate (Day 1)

  1. Upgrade WinRAR to version 7.13 or later on all endpoints. Prioritize government, defense, critical infrastructure, telecommunications, finance.

  2. Block archive file attachments (.rar, .zip, .7z) at email gateways or route through sandboxed detonation. Quarantine known lure filenames.

  3. Deploy detection rules: Sysmon Event ID 15 and 11. Import YARA rule EXPL_RAR_Archive_with_Path_Traversal_Aug25. Block C2 domains.

  4. If patching is not immediately possible, disable ADS extraction via the -OS switch or WinRAR.ini (SaveStreams=0), deployed read-only via GPO.

Short-Term (Days 2-7)

  1. Audit WinRAR versions enterprise-wide via Intune, SCCM, Tanium, or ManageEngine; remediate below 7.13. Include portable/user-space installations.

  2. Audit SBOM for UnRAR.dll: Check Chromium, Calibre, PowerISO and update to 7.13-era libraries.

  3. Hunt for compromise: IOC hashes, C2 domains, Startup folder anomalies, msedge.dll in non-standard paths, COM hijack registry mods.

  4. Review archive extraction logs for path traversal evidence.

  5. Implement AppLocker/WDAC to restrict execution from user-writable directories.

Long-Term (Ongoing)

  1. Evaluate WinRAR alternatives with auto-update (e.g., 7-Zip).

  2. Implement EDR behavioral rules for archive utility behavior monitoring.

  3. Establish patch management covering third-party utilities; maintain SBOM for UnRAR.dll dependencies.

  4. User awareness training on archive-based initial access vectors.

  5. Configure GPO: SRP or IFEO to block unpatched WinRAR; Startup folder ACL hardening.


DTG Recommendations

Restrict Exposure

  • Block or quarantine inbound archive attachments from external sources at email gateway

  • Implement web content filtering against drive-by downloads

  • Enforce network segmentation

  • Block known C2 domains and IPs at firewall and DNS

Apply Patches

  • Upgrade all WinRAR to 7.13 or later immediately

  • Use Intune/SCCM/GPO for centralized updates

  • Audit and update UnRAR.dll dependencies

  • Consider migration to archive utilities with auto-update

Monitor for Compromise

  • Sysmon with ADS monitoring (Event ID 15) and Startup monitoring (Event ID 11)

  • Import YARA and Sigma rules

  • Splunk detection analytics for ADS

  • Monitor C2 callbacks; scan for 13 IOC hashes

Incident Response

  • Isolate affected endpoints; preserve forensic evidence including ADS artifacts

  • Determine scope of access and data exposure

  • Reset credentials; review auth logs for lateral movement

  • If GamaWiper indicators present, assess data integrity and invoke backup restoration

Network Segmentation and Hardening

  • Enforce least-privilege

  • Application whitelisting (AppLocker/WDAC)

  • Deploy EDR with behavioral analysis

  • Harden WinRAR via WinRAR.ini (read-only, GPO-deployed) with SaveStreams=0


Call to Action and References

Call to Action

DTG’s Incident Response and Threat Management teams continue tracking this activity across monitored customer environments. Clients using DTG Wirespeed or Pegasos platforms can request an immediate authentication telemetry review or targeted compromise assessment through standard DTG support channels.

Don’t wait for an attack: reach out to DTG today to ensure your organization is protected.


References

1. ESET WeLiveSecurity -- "RomCom and others exploiting WinRAR zero-day" https://www.welivesecurity.com/en/eset-research/romcom-exploits-winrar-vulnerability/

2. ESET Newsroom -- "Russian RomCom group exploits new vulnerability" https://www.eset.com/int/about/newsroom/press-releases/research/romcom-exploits-winrar/

3. ESET Malware IOC Repository -- "RomCom indicators" https://github.com/eset/malware-ioc/tree/master/romcom

4. Google Cloud Threat Intelligence -- "Diverse Threat Actors Exploiting CVE-2025-8088" https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability

5. NIST NVD -- "CVE-2025-8088" https://nvd.nist.gov/vuln/detail/CVE-2025-8088

6. RARLAB -- "WinRAR 7.13 Release Notes" https://www.win-rar.com/singlenewsview.html?&L=0

7. BI.ZONE -- "Paper Werewolf / GOFFEE exploitation analysis" https://bi.zone/expertise/blog/paper-werewolf-exploits-winrar/

8. ClearSky -- "Gamaredon GamaWiper report" https://www.clearskysec.com/gamaredon-gamawiper/

9. Kaspersky Securelist -- "Q3 2025 Vulnerability Landscape" https://securelist.com/vulnerability-report-q3-2025/

10. SOCRadar -- "CVE-2025-8088 WinRAR Zero-Day Exploited" https://socradar.io/cve-2025-8088-winrar-zero-day/

11. Qualys -- "CVE-2025-8088: From Zero-Day to Zero Risk" https://blog.qualys.com/vulnerabilities-threat-research/cve-2025-8088

12. SOC Prime -- "Detect CVE-2025-8088 Exploitation" https://socprime.com/blog/detect-cve-2025-8088/

13. Splunk -- "Windows Alternate DataStream Detection" https://research.splunk.com/endpoint/windows_alternate_datastream/

14. Seqrite -- "WinRAR Directory Traversal & ADS Vulnerabilities" https://www.seqrite.com/blog/winrar-directory-traversal-ads/

15. jmp-esp.org -- "WinRAR CVE-2025-8088 Technical Analysis" https://jmp-esp.org/winrar-cve-2025-8088/

16. Fidelis Security -- "CVE-2025-8088 Path Traversal Guide" https://fidelissecurity.com/vulnerabilities/cve-2025-8088/

17. Greenbone -- "WinRAR CVE-2025-8088 Exploited in Attacks" https://www.greenbone.net/en/blog/winrar-cve-2025-8088/

18. SecPod -- "WinRAR CVE-2025-8088 RomCom Analysis" https://www.secpod.com/blog/winrar-cve-2025-8088/

19. Help Net Security -- "WinRAR zero-day exploited by two groups" https://www.helpnetsecurity.com/2025/08/winrar-zero-day-exploited/

20. The Hacker News -- "WinRAR Zero-Day Under Active Exploitation" https://thehackernews.com/2025/08/winrar-zero-day-cve-2025-8088.html

21. The Record -- "Two groups exploit WinRAR flaws" https://therecord.media/winrar-zero-day-exploitation/

22. TechRepublic -- "RomCom & Paper Werewolf exploit WinRAR" https://www.techrepublic.com/article/winrar-zero-day/

23. Malwarebytes -- "WinRAR vulnerability exploited by two groups" https://www.malwarebytes.com/blog/news/2025/08/winrar-cve-2025-8088

24. NHS England Digital -- "Cyber Alert CC-4689" https://digital.nhs.uk/cyber-alerts/2025/cc-4689

25. CyberPress -- "Autumn Dragon APT DLL Sideloading" https://cyberpress.org/autumn-dragon-winrar/

26. Picus Security -- "RomCom Threat Actor Evolution" https://www.picussecurity.com/resource/blog/romcom-evolution

27. MITRE ATT&CK -- "Technique Reference" https://attack.mitre.org/