Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088
Briefly

"Since then, the vulnerability has come under widespread exploitation, with attack chains typically concealing the malicious file, such as a Windows shortcut (LNK), within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart."
"ESET, which discovered and reported the security defect, said it observed the dual financial and espionage-motivated threat group known as RomCom (aka CIGAR or UNC4895) exploiting the flaw as a zero-day as far back as July 18, 2025, to deliver a variant of the SnipBot (aka NESTPACKER) malware. It's worth noting that Google is tracking the threat cluster behind the deployment of Cuba Ransomware under the moniker UNC2596."
Multiple nation-state and financially motivated threat actors are exploiting a patched WinRAR path traversal vulnerability, CVE-2025-8088 (CVSS 8.8), to gain initial access and execute arbitrary code. The flaw, fixed in WinRAR 7.13 on July 30, 2025, lets a specially crafted archive drop files into the Windows Startup folder and thereby achieve persistence. ESET observed RomCom (aka CIGAR/UNC4895) abusing the bug as a zero-day to deliver SnipBot/NESTPACKER in mid-July 2025. Attack chains commonly hide an LNK payload in an alternate data stream of a decoy file so that the payload is extracted into the Startup folder and runs the next time the user logs in (for example after a restart). Multiple Russian-linked clusters and UNC2596 have since joined the widespread exploitation.
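As an added illustration (not code from the article, ESET or Google), here is a defender-side check of archive entry names for the properties the summary describes: an alternate data stream target, path traversal out of the extraction directory, and a write into the user's Startup folder. The entry names and the Startup path below are constructed for the example; the page does not show the exact on-disk layout of the exploit archives.

```python
import ntpath

# Constructed sample entry names modelled on the attack chain described above:
# a harmless-looking decoy, the same decoy with an ADS whose stream name walks
# up into the user's Startup folder, and a plain traversal entry. None of these
# are real exploit artifacts.
STARTUP_DIR = "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "invoice.pdf:..\\..\\..\\" + STARTUP_DIR + "\\update.lnk",
    "..\\..\\..\\" + STARTUP_DIR + "\\run.lnk",
    "docs\\readme.txt",
]

_STARTUP_SUFFIX = ntpath.normcase(STARTUP_DIR)


def _path_findings(path: str) -> list[str]:
    """Findings for one Windows-style path fragment (host path or ADS stream name)."""
    findings = []
    if not path:
        return findings
    norm = ntpath.normpath(path)
    # normpath keeps leading '..' components it cannot cancel, so an entry that
    # still starts with '..' after normalisation escapes the extraction directory.
    if norm == ".." or norm.startswith("..\\"):
        findings.append("path traversal")
    if ntpath.normcase(ntpath.dirname(norm)).endswith(_STARTUP_SUFFIX):
        findings.append("writes to Startup folder")
    if ntpath.normcase(norm).endswith(".lnk"):
        findings.append("LNK payload")
    return findings


def classify_entry(name: str) -> list[str]:
    """Return the suspicious properties of one archive entry name (empty if clean)."""
    findings = []
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith(("\\", "/")):
        findings.append("absolute path")
    # With the drive letter removed, any remaining ':' names an alternate data stream.
    host, sep, stream = rest.partition(":")
    if sep:
        findings.append("alternate data stream")
    for fragment in (host, stream):
        for finding in _path_findings(fragment):
            if finding not in findings:
                findings.append(finding)
    return findings


def scan_archive(entry_names):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    return {name: found for name in entry_names if (found := classify_entry(name))}
```

Feed it the entry list from your archive tool of choice; any entry that resolves outside the extraction directory or carries a stream name should be quarantined rather than extracted.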
Read at The Hacker News