WinRAR Directory Traversal & NTFS ADS Vulnerabilities (CVE-2025-6218 & CVE-2025-8088)

Two high-severity WinRAR vulnerabilities, CVE-2025-6218 and CVE-2025-8088, allow attackers to write files outside the intended extraction directory and hide payloads using NTFS Alternate Data Streams, enabling stealthy persistence and remote code execution with minimal user interaction. Exploitation has been observed in the wild by threat actors RomCom and Paper Werewolf (GOFFEE), and patches are available in WinRAR 7.12 Beta 1 / 12 and version 13 respectively. #CVE-2025-6218 #CVE-2025-8088 #RomCom #PaperWerewolf

Keypoints

  • Two distinct vulnerabilities (CVE-2025-6218 and CVE-2025-8088) permit directory traversal during archive extraction in WinRAR, allowing files to be written outside the target extraction folder.
  • CVE-2025-6218 exploits classic ‘../’ path traversal; CVE-2025-8088 leverages NTFS ADS syntax (“:” in filenames) to hide payloads in alternate data streams.
  • Both issues affect WinRAR for Windows builds (GUI/CLI), UnRAR/UnRAR.dll, and portable UnRAR; fixes are in 7.12 Beta 1/12 and version 13 respectively.
  • Observed exploitation in the wild: RomCom used CVE-2025-8088 in spear-phishing campaigns; Paper Werewolf has leveraged similar traversal techniques.
  • Impact includes stealthy persistence via Startup folder autorun and staging of payloads in ADS, enabling later execution or side-loading with minimal user action.
  • IOCs include multiple malicious SHA-256 hashes, Startup folder writes, ADS filenames (e.g., txt:payload.exe), process spawning after extraction, and Sysmon Event ID 15 for ADS creation.
  • Recommended defenses: immediate patching to the fixed versions, verify installer signatures, hunt for ADS and unexpected Startup folder files, and monitor HKCU Run keys and Sysmon ADS events.
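The two keypoints above describe the checks an extractor must apply to every entry name before writing it. As an added example (not code from the Seqrite post, from WinRAR or from UnRAR), the Python below applies both: it resolves `..` components the way NTFS would and rejects anything that lands outside the extraction root, and it rejects any path component carrying NTFS ADS `file:stream` syntax. The entry names and the extraction root `C:\extract` are constructed assumptions.

```python
import ntpath
from pathlib import PureWindowsPath

# Constructed sample entry names (not taken from any real archive), one per case the page describes.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                                            # benign
    "sub/../still_inside.txt",                                    # '..' that still resolves inside the root
    "../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\readme.txt:malicious.exe",
    "notes/readme.txt:payload.exe",                               # ADS syntax without traversal
    "C:\\Windows\\System32\\drivers\\etc\\hosts",                  # absolute path
]

def classify_entry(name: str, root: str = "C:\\extract") -> list[str]:
    """Return the reasons an archive entry name must be rejected; an empty list means it is safe."""
    findings = []
    unified = name.replace("/", "\\")          # Windows accepts either separator, so normalise first
    p = PureWindowsPath(unified)
    if p.anchor:                               # drive letter or leading '\' means it is not relative to root
        findings.append("absolute or rooted path")
    for part in p.parts:
        # A ':' in any component other than the drive anchor is NTFS ADS syntax (file:stream).
        if part != p.anchor and ":" in part:
            findings.append(f"NTFS ADS syntax in component {part!r}")
    # Resolve '..' the way the filesystem would, then require the result to stay under root.
    base = ntpath.normpath(root).lower()
    target = ntpath.normpath(ntpath.join(root, unified))
    if not target.lower().startswith(base + "\\"):
        findings.append(f"escapes extraction root: would write {target}")
    return findings

def scan_entries(entries: list[str], root: str = "C:\\extract") -> dict[str, list[str]]:
    """Map each rejected entry name to its findings; safe entries are omitted."""
    return {e: f for e in entries if (f := classify_entry(e, root))}

if __name__ == "__main__":
    for entry, reasons in scan_entries(SAMPLE_ENTRIES).items():
        print(f"REJECT {entry}\n    " + "\n    ".join(reasons))
```

The same two checks belong in any tool that extracts untrusted archives to a Windows filesystem, not only in WinRAR.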

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used post-extraction when UnRAR.exe or dropped binaries spawn cmd.exe or powershell.exe to execute payloads (“exe / UnRAR.exe spawning processes (cmd.exe, powershell.exe) post-extraction”).
  • [T1204] User Execution – Exploitation relies on a user extracting a malicious archive (“Deliver Archive: Sent via email, instant messaging, or malicious download links.” translated quote: “Victim Extraction: User extracts with vulnerable WinRAR/UnRAR.”).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via files placed in the Startup folder that auto-execute on login (“ExamplePayloadPath: ……Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe” translated quote: “File lands in Startup folder → auto-executes on login under user privileges.”).
  • [T1564.004] NTFS File Attributes (ADS) – Abuse of NTFS Alternate Data Streams to hide payloads inside ADS (example: “……Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt:malicious.exe” translated quote: “The payload of a benign-looking file in the Startup folder is stored in ADS.”).
  • [T1027] Obfuscated Files or Information – ADS and hidden payloads reduce visibility and evade detection (“ADS hides the malicious binary from casual inspection and some legacy security tools, delaying detection.”).

Indicators of Compromise

  • [File Hashes] Malicious sample hashes – 49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1 (Bat.Trojan.49857.GC), a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa (Lnk.Trojan.49856.GC), and other hashes (e.g., 4da20b8b… and 8082956a…).
  • [File/Path Patterns] Startup folder writes – %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe (observed as destination for dropped payloads).
  • [Filename Patterns / ADS] Presence of ADS in filenames – examples: “txt:payload.exe” and “…..readme.txt:malicious.exe” indicating alternate data stream usage.
  • [Processes / Behavior] Post-extraction process spawning – UnRAR.exe or extracted exe spawning cmd.exe or powershell.exe (observed behavior following extraction).
  • [Event / Registry] ADS creation and autorun indicators – Sysmon Event ID 15 for ADS creation; unexpected Startup folder files; monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run for related changes.


Read more: https://www.seqrite.com/blog/winrar-directory-traversal-ntfs-ads-vulnerabilities-cve-2025-6218-cve-2025-8088/