A recently uncovered vulnerability in WinRAR, tracked as CVE-2025-8088, has been actively exploited by the Russia-aligned cybercriminal group RomCom, also known as Storm-0978, Tropical Scorpius, or UNC2596.
According to research published by ESET, the flaw allows attackers to hide malicious files within seemingly harmless archive files. Once extracted, these hidden files are silently deployed, enabling unauthorized code execution and persistence on the targeted system.
A security patch addressing this vulnerability was released on July 30, 2025. All WinRAR users are strongly urged to update immediately to prevent potential compromise.
How the Exploit Works
The vulnerability is a path traversal flaw leveraging alternate data streams and affecting several WinRAR components, including:
- Windows command-line utilities
- UnRAR.dll
- The portable UnRAR source code
By crafting malicious archives, attackers embed harmful DLL and LNK files disguised within legitimate-looking RAR packages. Upon extraction, these files are deployed to system directories, granting the attacker persistent access and remote code execution capabilities.
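A defensive triage check for the mechanism described above, added here as an example and not part of the ESET research or the original article: it inspects archive entry names for the two traits the flaw combines, parent-directory traversal and alternate data stream (ADS) syntax, and flags DLL/LNK artefacts that ride on either. The entry names below are constructed for illustration; in practice they would come from an archive listing (for example `rarfile.RarFile.namelist()` or `unrar l` output), which is an assumption of this example.

```python
import ntpath
import re
from typing import Iterable

# Entry names constructed for this example; they are not indicators from the report.
CONSTRUCTED_ENTRIES = [
    "job_application.pdf",
    "cv/cover_letter.docx",
    "cv/readme.txt:..\\..\\..\\loader.dll",   # ADS name carrying a traversal to a DLL
    "..\\..\\startup.lnk",                    # plain traversal to a shortcut file
    "C:\\Windows\\Temp\\update.dll",          # drive-qualified absolute path
    "notes.txt:Zone.Identifier",              # ADS without traversal, still unusual
]

# File types the article says were dropped via this technique.
DROPPED_EXTENSIONS = {".dll", ".lnk", ".exe"}

def entry_findings(name: str) -> list[str]:
    """Return the reasons an archive entry name looks like traversal or ADS abuse."""
    findings: list[str] = []
    # RAR entries may use either separator; normalise to backslash for analysis.
    norm = name.replace("/", "\\")
    # A benign archive never needs absolute or drive-qualified entry names.
    if norm.startswith("\\") or re.match(r"^[A-Za-z]:", norm):
        findings.append("absolute or drive-qualified path")
    # Any remaining colon is NTFS alternate data stream syntax (file:stream).
    rest = norm[2:] if re.match(r"^[A-Za-z]:", norm) else norm
    if ":" in rest:
        findings.append("alternate data stream in name")
    # Any '..' component lets extraction escape the chosen output directory.
    if any(part == ".." for part in norm.split("\\")):
        findings.append("parent-directory traversal")
    # Check the final target's extension (the stream name when ADS syntax is used),
    # but only treat it as a payload when another finding already exists.
    target = norm.rsplit(":", 1)[-1] if ":" in rest else norm
    ext = ntpath.splitext(target)[1].lower()
    if findings and ext in DROPPED_EXTENSIONS:
        findings.append(f"executable artefact ({ext})")
    return findings

def scan_listing(names: Iterable[str]) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings; clean names are omitted."""
    return {n: f for n in names if (f := entry_findings(n))}

if __name__ == "__main__":
    for entry, reasons in scan_listing(CONSTRUCTED_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

Run this over listings at a mail gateway or on an extraction host to surface archives that warrant quarantine before any user opens them.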
Between July 18 and 21, 2025, RomCom launched a spear-phishing campaign targeting financial, manufacturing, defense, and logistics organizations in Europe and Canada. The phishing emails posed as job applications and contained infected RAR attachments. Fortunately, ESET reported no confirmed compromises during this specific campaign.
Three Attack Chains Identified
ESET researchers documented three distinct methods used in this exploitation:
- Mythic Agent – Leveraged COM hijacking to execute a malicious DLL, which decrypted and ran shellcode connected to a command-and-control (C2) server.
- SnipBot Variant – Delivered through a modified PuTTY CAC executable that executed only if the target system showed signs of real-world activity, such as a large number of recently opened files.
- MeltingClaw (RustyClaw) – A Rust-based downloader designed to fetch additional malicious payloads from remote servers.
All three attack chains employed hardcoded domain checks and anti-analysis techniques to evade detection in sandbox or test environments.
A Consistent Pattern of Zero-Day Exploits
RomCom is no stranger to exploiting previously unknown vulnerabilities:
- June 2023 – Exploited CVE-2023-36884 in Microsoft Word.
- October 2024 – Combined multiple vulnerabilities, including CVE-2024-9680 in Firefox, to deliver custom backdoors.
The group is known for engaging in both financially driven cyberattacks and targeted espionage campaigns.
ESET also noted that another, still unidentified, threat actor began exploiting CVE-2025-8088 shortly after RomCom’s activity. The rapid patch release by the WinRAR development team, just one day after disclosure, was critical in limiting potential widespread exploitation.
Mitigation Recommendations
Cybersecurity experts emphasize that updating WinRAR and all related components immediately is the most effective way to mitigate this risk. Organizations should also:
- Monitor for unusual archive extraction activity.
- Implement advanced phishing detection and filtering.
- Deploy endpoint protection with behavioral analysis capabilities.
Given RomCom’s track record and the involvement of other threat actors, timely patch management remains a vital defense strategy against emerging zero-day exploits.
Source: https://www.infosecurity-magazine.com/news/winrar-zero-day-exploited-romcom