Attachment: WinRAR CVE-2025-8088 exploitation

Detects attempts to exploit CVE-2025-8088 via attached RAR files

Sublime rule (View on GitHub)

name: "Attachment: WinRAR CVE-2025-8088 exploitation"
description: |
    Detects attempts to exploit CVE-2025-8088 via attached RAR files
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
      // it's a RAR file (declared content type, file extension, or sniffed file type)
      (
          .content_type == "application/x-rar-compressed"
          or .file_extension == "rar"
          or .file_type == "rar"
      )
      // less than 10 MB
      and .size < 10000000
      // explode the archive and scan its contents
      and any(file.explode(.),
          // any extracted file hits the CVE-2025-8088 YARA rule
          any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
      )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "33b3a82b-0721-53b8-a5f2-d28e3d791b60"
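The rule above is evaluated by the Sublime platform; the Python below is an added example that re-expresses its decision logic so the individual gates can be exercised against constructed messages. It is not Sublime's code. The Attachment and ExplodedFile classes, the sample messages, and the RAR 4/5 byte signatures used to emulate .file_type are assumptions made here; file.explode() and the YARA scan are represented only by their results, because the body of the WinRAR_CVE_2025_8088 YARA rule is not on this page.

```python
from dataclasses import dataclass, field

# Byte signatures of RAR 4.x and RAR 5.x archives. Used to recognise a RAR
# attachment even when the sender lies about its extension or MIME type,
# which is what the rule's ".file_type == 'rar'" branch buys you.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
SIZE_LIMIT = 10_000_000          # same ceiling as the rule's ".size < 10000000"
TARGET_YARA = "WinRAR_CVE_2025_8088"
RAR_CONTENT_TYPE = "application/x-rar-compressed"


@dataclass
class ExplodedFile:
    """One file produced by expanding an archive (stands in for file.explode()).
    yara_matches holds only the *names* of YARA rules that fired on it."""
    path: str
    yara_matches: list = field(default_factory=list)


@dataclass
class Attachment:
    file_name: str
    content_type: str
    data: bytes
    exploded: list = field(default_factory=list)   # constructed explode() result

    @property
    def file_extension(self) -> str:
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""

    @property
    def file_type(self) -> str:
        # Content sniffing, independent of the declared name and MIME type.
        return "rar" if self.data.startswith(RAR_MAGIC) else "unknown"

    @property
    def size(self) -> int:
        return len(self.data)


def is_rar(att: Attachment) -> bool:
    """Mirror of the rule's three-way OR: any single signal is enough."""
    return (att.content_type == RAR_CONTENT_TYPE
            or att.file_extension == "rar"
            or att.file_type == "rar")


def hits_target_yara(att: Attachment) -> bool:
    """any(file.explode(.), any(.scan.yara.matches, .name == TARGET_YARA))"""
    return any(TARGET_YARA in f.yara_matches for f in att.exploded)


def rule_matches(message: dict) -> bool:
    """Evaluate the whole rule against a message dict {type, attachments}."""
    if message["type"] != "inbound":
        return False
    return any(is_rar(a) and a.size < SIZE_LIMIT and hits_target_yara(a)
               for a in message["attachments"])


def sample_messages() -> dict:
    """Constructed test messages, not real captures."""
    rar5 = RAR_MAGIC[1] + b"\x00" * 64
    hit = [ExplodedFile("invoice.pdf:payload.exe", [TARGET_YARA])]
    return {
        # Renamed archive with a generic MIME type: only the magic bytes give it away.
        "renamed_rar": {"type": "inbound", "attachments": [
            Attachment("invoice.pdf", "application/octet-stream", rar5, hit)]},
        # Genuine RAR whose contents trip nothing: not a hit for this rule.
        "clean_rar": {"type": "inbound", "attachments": [
            Attachment("photos.rar", RAR_CONTENT_TYPE, rar5,
                       [ExplodedFile("photo.jpg", ["Generic_JPEG"])])]},
        # Same malicious archive, but outbound: the rule is inbound-only.
        "outbound": {"type": "outbound", "attachments": [
            Attachment("invoice.rar", RAR_CONTENT_TYPE, rar5, hit)]},
        # At or over the 10 MB ceiling: never exploded, so never matched.
        "oversize": {"type": "inbound", "attachments": [
            Attachment("big.rar", RAR_CONTENT_TYPE, rar5 + b"\x00" * SIZE_LIMIT, hit)]},
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(f"{name:12s} -> {'ALERT' if rule_matches(msg) else 'pass'}")
```

Two things the walkthrough makes visible that the rule text alone does not: a RAR shipped as "invoice.pdf" with an octet-stream MIME type is still caught because the file-type branch sniffs content, and an archive of 10 MB or more is never exploded and therefore never matched, so the size guard is a blind spot to keep in mind when tuning. Whether a given sample is flagged ultimately depends on the WinRAR_CVE_2025_8088 YARA rule, which this page does not reproduce.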