RomCom Hackers Exploit WinRAR Zero-Day Vulnerability in Phishing Attacks
A recently fixed WinRAR vulnerability, tracked as CVE-2025-8088, was exploited as a zero-day in phishing attacks to install the RomCom malware. The flaw is a directory traversal vulnerability, addressed in WinRAR version 7.13, that lets a specially crafted archive extract files into a path chosen by the attacker rather than the one the user selected. According to the WinRAR 7.13 changelog, previous versions of WinRAR, Windows versions of RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll could be manipulated to use a path defined in a specially crafted archive instead of the user-specified path. Attackers can leverage this to build archives that drop executables into autorun locations such as the Windows Startup folder, so the executable runs automatically the next time the user logs in, giving the attacker remote code execution.
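The defensive check that closes this class of bug is to resolve every archive entry against the user-chosen destination and refuse anything that lands outside it. The following is an added example, not code from WinRAR or from the ESET research: it audits a constructed list of entry names (the `SAMPLE_ENTRIES`, `EXTRACT_ROOT` and `victim` user are assumptions) using Windows path semantics and additionally flags entries that would resolve into a Startup folder, the autorun location the article describes.

```python
import ntpath

# Constructed sample of archive entry names (not from a real RomCom sample).
# The first two are benign; the rest use traversal or absolute paths of the
# kind that CVE-2025-8088 let an archive impose on the extraction target.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\a.exe",
    "docs/../../evil.dll",
]

# Hypothetical destination the user picked in the extraction dialog.
EXTRACT_ROOT = r"C:\Users\victim\Downloads\archive"

def resolved_target(entry: str, root: str = EXTRACT_ROOT) -> str:
    """Absolute path the entry would land at if joined naively to the root.

    ntpath is used so the check behaves like Windows regardless of the host:
    it accepts both '/' and '\\' separators and an absolute entry (drive letter
    or leading slash) discards the root entirely in ntpath.join."""
    return ntpath.normpath(ntpath.join(root, entry))

def escapes_root(entry: str, root: str = EXTRACT_ROOT) -> bool:
    """True when the resolved path is not inside the destination directory."""
    root_n = ntpath.normpath(root).rstrip("\\").lower()
    target = resolved_target(entry, root).lower()
    return not (target == root_n or target.startswith(root_n + "\\"))

def targets_startup(entry: str, root: str = EXTRACT_ROOT) -> bool:
    """True when the resolved path sits in a Start Menu Startup folder
    (matches both the per-user and the all-users location)."""
    return "\\start menu\\programs\\startup\\" in resolved_target(entry, root).lower()

def audit(entries, root=EXTRACT_ROOT) -> dict:
    """Map each offending entry to a verdict; safe extraction should abort
    on any non-empty result rather than extract the remaining entries."""
    findings = {}
    for entry in entries:
        if escapes_root(entry, root):
            findings[entry] = "startup-autorun" if targets_startup(entry, root) else "traversal"
    return findings

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ENTRIES).items():
        print(f"{verdict:16} {name}")
```

The same containment test belongs in any tool that unpacks untrusted archives, since a name-based filter alone misses the normalised-path cases (`docs/../../evil.dll`) that this check catches.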
The flaw was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček of ESET, who noted that it was actively exploited in phishing attacks to deliver malware. Strýček told BleepingComputer that ESET observed spearphishing emails carrying RAR attachments that exploited CVE-2025-8088 to install RomCom backdoors. RomCom, also tracked as Storm-0978, Tropical Scorpius, or UNC2596, is a Russian hacking group associated with ransomware and data-theft extortion attacks, and is known for using zero-day vulnerabilities and custom malware for data theft, persistence, and backdoor access. ESET is preparing a report on the exploitation, to be released at a later date.
Categories: Vulnerability Exploitation, Malware Distribution, Cybersecurity Threats
Tags: WinRAR, CVE-2025-8088, Vulnerability, Directory Traversal, RomCom, Malware, Phishing, Remote Code Execution, Ransomware, Zero-Day