Article summary: In 2025 the RomCom group exploited the WinRAR path traversal vulnerability CVE-2025-8088 to target Susan, a researcher at Forela hospital, using an archive disguised as Pathology-Department-Research-Records.rar. The archive landed on disk at 2025-09-02 08:13:50 and was opened at 08:14:04; it dropped the decoy Genotyping_Results_B57_Positive.pdf, delivered a backdoor, and achieved persistence through an LNK file in the Startup folder. The IOCs should be blocked immediately and the whole network swept for similar traces of RAR exploitation. Overall score: 88. Categories: vulnerability analysis, threat intelligence, incident response, malware, vulnerability alert.
RomCom
Original
漫路修行
微痕鉴远
January 5, 2026, 13:35, Guangdong
Susan works at the Research Lab in Forela International Hospital. A Microsoft Defender alert was received from her computer, and she also mentioned that while extracting a document from the received file she received tons of errors, but the document opened just fine. According to the latest threat intel feeds, WinRAR is being exploited in the wild to gain initial access into networks, and WinRAR is one of the software programs the staff uses. You are a threat intelligence analyst with some background in DFIR. You have been provided a lightweight triage image to kick off the investigation while the SOC team sweeps the environment to find other attack indicators.
What is the CVE assigned to the WinRAR vulnerability exploited by the RomCom threat group in 2025?
CVE-2025-8088
What is the nature of this vulnerability?
Path Traversal
What is the name of the archive file under Susan’s documents folder that exploits the vulnerability upon opening the archive file?
Pathology-Department-Research-Records.rar
When was the archive file created on the disk?
2025-09-02 08:13:50
When was the archive file opened?
2025-09-02 08:14:04
What is the name of the decoy document extracted from the archive file, meant to appear legitimate and distract the user?
Genotyping_Results_B57_Positive.pdf
What is the name and path of the actual backdoor executable dropped by the archive file?
Because exploiting this CVE allows directory traversal, I did not know where this file had been written. My approach to this question was to start from the time the RAR file was opened, found above:
2025-09-02 08:14:04. Starting from this time, the first .exe that appears:
The question itself also hints that it is an executable file.
The exploit also drops a file to facilitate the persistence and execution of the backdoor. What is the path and name of this file?
Same logic as the previous question.
A shortcut file stands out as suspicious.
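To make the time-anchored triage used in the two answers above concrete, here is an added Python example that is not part of the original writeup: it takes a constructed file-creation timeline, keeps only what was created in the minutes after the archive was opened at 08:14:04, and flags executables and Startup-folder LNK files. The backdoor and LNK paths are placeholders, since the writeup does not give them; only the archive and decoy names and the two timestamps come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileEvent:
    """One file-creation record from a triage timeline (e.g. an MFT or USN parse)."""
    path: str
    created: datetime

# Constructed sample timeline. The .exe and .lnk names are placeholders; only the
# archive/decoy names and the 08:13:50 / 08:14:04 times are taken from the writeup.
ARCHIVE_OPENED = datetime(2025, 9, 2, 8, 14, 4)
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\Susan\Documents\Pathology-Department-Research-Records.rar",
              datetime(2025, 9, 2, 8, 13, 50)),
    FileEvent(r"C:\Users\Susan\Documents\Genotyping_Results_B57_Positive.pdf",
              datetime(2025, 9, 2, 8, 14, 5)),
    FileEvent(r"C:\Users\Susan\AppData\Local\Temp\PLACEHOLDER_backdoor.exe",
              datetime(2025, 9, 2, 8, 14, 5)),
    FileEvent(r"C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PLACEHOLDER.lnk",
              datetime(2025, 9, 2, 8, 14, 6)),
    FileEvent(r"C:\Program Files\WinRAR\WinRAR.exe", datetime(2025, 8, 1, 10, 0, 0)),
]

# Case-insensitive marker for the per-user Startup folder (matched against a lowercased path).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

def triage_after_open(events, opened_at, window=timedelta(minutes=2)):
    """Return files created within `window` after the archive was opened, split into
    candidate payloads (.exe) and Startup-folder persistence (.lnk). Each list is
    ordered by creation time, so the first entry is the earliest drop."""
    in_window = sorted(
        (e for e in events if opened_at <= e.created <= opened_at + window),
        key=lambda e: e.created,
    )
    executables = [e for e in in_window if e.path.lower().endswith(".exe")]
    persistence = [
        e for e in in_window
        if e.path.lower().endswith(".lnk") and STARTUP_MARKER in e.path.lower()
    ]
    return {"executables": executables, "persistence": persistence}

def first_dropped_executable(events=SAMPLE_EVENTS, opened_at=ARCHIVE_OPENED):
    """Path of the first .exe created after the archive was opened, or None."""
    hits = triage_after_open(events, opened_at)["executables"]
    return hits[0].path if hits else None

if __name__ == "__main__":
    for kind, hits in triage_after_open(SAMPLE_EVENTS, ARCHIVE_OPENED).items():
        for e in hits:
            print(f"{e.created:%Y-%m-%d %H:%M:%S}  {kind:12}  {e.path}")
```

On a real triage image, replace SAMPLE_EVENTS with the parsed $MFT or USN journal records and keep the window short, since the traversal write happens at extraction time.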
What is the associated MITRE Technique ID discussed in the previous question?
When was the decoy document opened by the end user, thinking it to be a legitimate document?
Disclaimer:
The programs and technical methods described in this article are intended solely for lawful and compliant security research and teaching, with the aim of improving network security defences, and are of a clearly technical research nature.
Any organisation or individual who, without authorisation, uses the content of this article for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site accepts no joint liability.
All content on this site is published for technical exchange and knowledge sharing. If there is a copyright infringement or other objection, please contact us by e-mail; the contact details are available via the "Contact me" link at the top of the page.
This article is reposted from: 微痕鉴远 漫路修行《RomCom》
Copyright notice
This site only keeps a backup copy, for research and teaching reference only.
Readers who use the information for other purposes bear all legal and joint liability themselves; this site accepts no responsibility.