WinRAR Zero-Day Vulnerability Exploited by RomCom Hackers in Targeted Cyber Attacks
ESET researchers have identified a previously unknown vulnerability in WinRAR, which has been exploited in the wild by the Russia-aligned group RomCom. Users of WinRAR and its related components, including the Windows versions of its command line tools, UnRAR.dll, or the portable UnRAR source code, are urged to update to the latest release immediately. ESET telemetry indicates that malicious archives were employed in spearphishing campaigns from July 18 to July 21, 2025, targeting financial, manufacturing, defence, and logistics companies across Europe and Canada. The primary objective of these attacks was cyberespionage, marking at least the third instance of RomCom exploiting a significant zero-day vulnerability in the wild.
On July 18, ESET observed a malicious DLL named msedge.dll within a RAR archive that contained unusual paths. Further analysis revealed that the attackers were exploiting a previously unknown vulnerability affecting WinRAR, including the then-current version 7.12. ESET contacted the developer of WinRAR on July 24, and the vulnerability was promptly addressed in a beta version, with a full release following shortly thereafter.

The vulnerability, designated CVE-2025-8088, is a path traversal flaw enabled by the use of alternate data streams. The attackers disguised the malicious archive as an application document, using it to exploit the path traversal vulnerability. ESET noted that none of the targets were actually compromised, but the attackers had clearly conducted thorough research, carefully selecting and profiling their victims. When the exploit was successful, it deployed backdoors associated with the RomCom group, including variants such as SnipBot, RustyClaw, and the Mythic agent. Researchers attribute these activities to RomCom with high confidence, based on the targeted region, tactics, techniques, and procedures (TTPs), as well as the malware utilised.

RomCom, also known as Storm-0978, Tropical Scorpius, or UNC2596, is a Russia-aligned group that engages in both opportunistic campaigns against selected business sectors and targeted espionage operations. The group’s focus has evolved to include intelligence-gathering espionage operations alongside its more traditional cybercrime activities. The backdoor employed by the group is capable of executing commands and downloading additional modules onto the victim’s machine. This is not the first instance of RomCom using exploits to compromise its targets; in June 2023, the group conducted a spearphishing campaign aimed at defence and governmental entities in Europe, using lures related to the Ukrainian World Congress.
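The flaw combines two ingredients a defender can screen archives for before extraction: entry names that climb out of the destination directory, and names carrying NTFS alternate data stream syntax. The following is an added example, not code from ESET or the WinRAR project; the function names and the sample entry list are constructed for illustration and say nothing about how the real exploit archive was built.

```python
# Added example: screen archive entry names for path traversal and
# alternate-data-stream (ADS) syntax before extracting them. Entry names
# in SAMPLE_ENTRIES are constructed for this example.
import re

# A leading drive letter (e.g. "C:") marks a Windows absolute path.
DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Constructed sample entry names as an archive listing might report them.
SAMPLE_ENTRIES = [
    "docs/report.pdf",              # harmless
    "docs/../notes.txt",            # ".." that stays inside the target dir
    "../../escaped.txt",            # climbs above the extraction directory
    "report.pdf:hidden_stream",     # NTFS ADS syntax: file:stream
    "C:\\absolute\\path.txt",       # absolute Windows path
]


def inspect_entry(name: str) -> list[str]:
    """Return the reasons an archive entry name is unsafe to extract as-is."""
    reasons: list[str] = []
    # Archives may carry either separator; normalise to "/" for analysis.
    unified = name.replace("\\", "/")
    if unified.startswith("/") or DRIVE_RE.match(unified):
        reasons.append("absolute path")
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    # Walk the components; depth below zero means the name escapes the root.
    depth = 0
    for part in parts:
        depth += -1 if part == ".." else 1
        if depth < 0:
            reasons.append("escapes extraction directory via '..'")
            break
    # A colon in the final component is ADS syntax (name:stream) on NTFS
    # and is never a legitimate portable file name.
    if parts and ":" in parts[-1]:
        reasons.append("alternate data stream syntax in final component")
    return reasons


def screen_archive(names: list[str]) -> dict[str, list[str]]:
    """Map each unsafe entry name to its reasons; safe names are omitted."""
    return {n: inspect_entry(n) for n in names if inspect_entry(n)}


if __name__ == "__main__":
    for entry, reasons in screen_archive(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

Running the check against a listing produced by a trusted tool (rather than the extractor under test) lets a mail gateway or sandbox quarantine an archive before any extractor touches it.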
By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has demonstrated a willingness to invest significant effort into their cyber operations.
Categories: Cybersecurity, Vulnerabilities, Cyberespionage
Tags: Vulnerability, WinRAR, RomCom, Cyberespionage, Spearphishing, Path Traversal, Malicious Archive, Backdoor, Zero-Day, Malware