A path traversal vulnerability (CVE-2025-8088) in the popular compression tool WinRAR, first disclosed in July 2025, is reportedly being abused by suspected nation-state threat actors to deploy malware.
The vulnerability abuses a lesser-known feature of NTFS, the primary file system for Windows, called Alternate Data Streams (ADS).
By appending a colon and a stream name to a file path, a user of an NTFS volume can store multiple data streams under the same file path. An ADS name can also reference other locations on the file system, which is how this vulnerability is exploited.
The threat actor "RomCom" has been observed abusing this vulnerability to place malicious DLL files on target machines.
When a specially crafted malicious archive is decompressed, the archive appears to contain a single document file, often a CV. However, the archive also contains a list of ADS entries which point to other locations on the host's file system, including APPDATA/Local/Temp, a common location for malware to be written on a Windows operating system.
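As an added illustration of the archive-side check a defender can run before extraction (example code written for this bulletin, not part of the bulletin's original content and not WinRAR's own logic), the following Python inspects archive entry names and flags ADS-style names containing a colon, traversal components, absolute paths, names whose data would land outside the extraction directory, and payload-like extensions. The sample listing is constructed to resemble the archive layout described above; the function names and the list of suspicious extensions are my own choices.

```python
import posixpath
import re

# Extensions that rarely belong in a "CV" archive and that can execute or persist.
SUSPICIOUS_EXTENSIONS = {".dll", ".lnk", ".exe", ".scr", ".cmd", ".bat", ".vbs", ".js"}

# Constructed sample listing (not real indicators): one benign document plus two
# entries whose ADS stream names carry traversal sequences toward user-writable paths.
SAMPLE_ENTRIES = [
    "CV_John_Smith.pdf",
    "CV_John_Smith.pdf:..\\..\\..\\AppData\\Local\\Temp\\update.dll",
    "CV_John_Smith.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
]


def inspect_entry(name: str) -> list:
    """Return the reasons an archive entry name looks dangerous (empty list means clean)."""
    reasons = []
    path = name.replace("\\", "/")  # treat Windows and POSIX separators alike

    # Archive entries should be relative to the extraction directory; a drive letter
    # or a leading slash means the archive is trying to dictate an absolute location.
    if re.match(r"^[A-Za-z]:", path):
        reasons.append("absolute_path")
        path = path[2:]
    elif path.startswith("/"):
        reasons.append("absolute_path")

    # "file.ext:stream" is the NTFS ADS form; archives have no legitimate need for it.
    base, sep, stream = path.partition(":")
    if sep:
        reasons.append("ads_stream_name")

    # A ".." component anywhere (in the file part or the stream part) is traversal.
    if any(".." in part.split("/") for part in (base, stream)):
        reasons.append("traversal")

    # Resolve where the data would land if the stream name were honoured as a path
    # relative to the base file's directory, and check whether that escapes the
    # extraction directory.
    if stream:
        target = posixpath.normpath(posixpath.join(posixpath.dirname(base), stream))
    else:
        target = posixpath.normpath(base)
    if target == ".." or target.startswith("../"):
        reasons.append("escapes_extraction_dir")

    if posixpath.splitext(target)[1].lower() in SUSPICIOUS_EXTENSIONS:
        reasons.append("executable_payload")

    return reasons


def scan_listing(entries) -> dict:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {e: r for e in entries if (r := inspect_entry(e))}


if __name__ == "__main__":
    for entry, reasons in scan_listing(SAMPLE_ENTRIES).items():
        print(f"FLAG {entry!r}: {', '.join(reasons)}")
```

Feed `scan_listing` from whatever produces your archive listing (a sandbox, a mail gateway hook, or a script around the archive tool) and quarantine the archive when any entry is flagged; a listing check like this runs before any byte is written to disk, so it catches the traversal regardless of whether the unpacking software itself is patched.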
Decompression creates two files: an LNK and a malicious DLL. The LNK file, executed at system start, replaces another, legitimate DLL by overwriting a registry key, a technique called COM hijacking.
The malicious DLL is then loaded by Microsoft Edge, and the DLL connects to a malicious Command and Control channel:
srlaptop[.]com
Detection of this activity should look for the creation of LNK files in unusual locations by the WinRAR software, and for modifications to the registry that may constitute COM hijacking activity. The loading of unknown DLLs by common software can also identify when COM hijacking has occurred.
All traffic to known command and control channels should be blocked immediately and an incident response investigation triggered.
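To make the detection guidance above concrete, here is an added example (my own code, not from the bulletin or any vendor product) that applies four rules to endpoint telemetry: WinRAR writing LNK or DLL files into the Startup folder or other user-writable locations, a value set under a per-user `Software\Classes\CLSID\{GUID}\InprocServer32` key (the classic COM hijacking path), a commonly targeted host process such as Microsoft Edge loading a DLL from a user-writable directory or an unsigned DLL, and a DNS query for the C2 domain named in this bulletin. The event field names follow Sysmon conventions (EventID 11 FileCreate, 13 RegistryEvent, 7 ImageLoad, 22 DnsQuery) and are an assumption; the sample events, user name, SID and CLSID are constructed placeholders.

```python
import re
from typing import Optional

# Indicator from the bulletin above, kept defanged; refanged only for comparison.
KNOWN_C2_DOMAINS = {"srlaptop[.]com"}

# Locations a normal user can write to and that malware commonly stages from.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

# Per-user COM registration path: HKU\<SID>\Software\Classes\CLSID\{GUID}\InprocServer32
COM_INPROC = re.compile(r"\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)

# Host processes whose DLL loads are worth scrutinising for hijacked COM objects.
COMMON_HOSTS = {"msedge.exe", "chrome.exe", "explorer.exe", "outlook.exe", "winword.exe"}


def _refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def evaluate(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None when no rule fires."""
    eid = event.get("EventID")
    proc = event.get("Image", "").lower().rsplit("\\", 1)[-1]

    if eid == 11 and proc == "winrar.exe":  # FileCreate by the archiver
        target = event.get("TargetFilename", "").lower()
        if target.endswith((".lnk", ".dll")) and (
            STARTUP_DIR in target or any(d in target for d in USER_WRITABLE)
        ):
            return "winrar_dropped_lnk_or_dll"

    if eid == 13:  # RegistryEvent (value set)
        key = event.get("TargetObject", "")
        if key.upper().startswith("HKU\\") and COM_INPROC.search(key):
            return "com_hijack_hkcu_inprocserver32"

    if eid == 7 and proc in COMMON_HOSTS:  # ImageLoad into a common host process
        loaded = event.get("ImageLoaded", "").lower()
        unsigned = event.get("Signed", "").lower() != "true"
        if any(d in loaded for d in USER_WRITABLE) or unsigned:
            return "common_process_loaded_untrusted_dll"

    if eid == 22:  # DnsQuery
        if event.get("QueryName", "").lower() in {_refang(d) for d in KNOWN_C2_DOMAINS}:
            return "known_c2_domain_query"

    return None


def detect(events) -> list:
    """Run every rule over an event stream; returns (UtcTime, label) pairs in order."""
    return [(e["UtcTime"], label) for e in events if (label := evaluate(e))]


# Constructed sample telemetry following the chain described in the bulletin.
WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2025-08-01 09:00:01", "Image": WINRAR,
     "TargetFilename": "C:\\Users\\alice\\Downloads\\cv\\CV_John_Smith.pdf"},
    {"EventID": 11, "UtcTime": "2025-08-01 09:00:01", "Image": WINRAR,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"EventID": 11, "UtcTime": "2025-08-01 09:00:02", "Image": WINRAR,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},
    {"EventID": 13, "UtcTime": "2025-08-01 09:05:10", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
                     "{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)"},
    {"EventID": 7, "UtcTime": "2025-08-01 09:06:00", "Image": EDGE,
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "UtcTime": "2025-08-01 09:06:01", "Image": EDGE,
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll", "Signed": "false"},
    {"EventID": 22, "UtcTime": "2025-08-01 09:06:05", "Image": EDGE, "QueryName": "srlaptop.com"},
]

if __name__ == "__main__":
    for when, label in detect(SAMPLE_EVENTS):
        print(when, label)
```

The first rule is the earliest signal and the cheapest to act on: an archiver has no reason to write into the Startup folder, so that single event justifies isolating the host before the LNK ever runs. The later rules each confirm a further stage of the chain, and any one of them should trigger the incident response investigation the bulletin calls for.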
Generally, unknown and untrusted archive files should not be opened; the use of a RAR file in this instance is itself somewhat suspicious. Opt instead for document-sharing software such as OneDrive or Google Docs. This applies especially to those who regularly handle files from unknown sources, such as recruiters.
To mitigate the risk of this vulnerability where WinRAR is in use, the product should be updated to a patched version.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.