A new zero-day vulnerability in WinRAR (CVE-2025-8088) is being exploited in the wild by the Russia-aligned hacking group RomCom, according to newly published research from ESET. The flaw, silently targeting global enterprises, shows the group’s increasing sophistication and its growing use of supply-chain-style exploits in spear-phishing campaigns.
What’s the Vulnerability?
First reported by ESET researchers on July 18, the vulnerability is a path traversal exploit leveraging Windows alternate data streams (ADSes) to conceal malicious files inside a seemingly benign RAR archive. When users extract what appears to be a harmless job application or document, the malicious payload is silently deployed—without raising suspicion unless closely inspected.
Within days, WinRAR patched the vulnerability—first issuing a beta fix and rolling out a full update by July 30.
RomCom’s Exploitation Playbook
The affected years-long APT group RomCom (also tracked as Storm-0978, UNC2596, or Tropical Scorpius) has now exploited a third major zero-day in recent years, adding to its previous abuses of CVE-2023-36884 (via Microsoft Word) and the Firefox–Windows zero-click chain (CVE-2024-9680 and CVE-2024-49039).
This campaign targeted financial, manufacturing, defense, and logistics firms across Europe and Canada—industries consistent with RomCom’s known intelligence and geopolitical objectives.
Security teams should note that the malicious archive contained ADS entries with nested paths to drop a DLL into %TEMP% and a .LNK file into the Windows Startup folder—achieving persistence via a COM hijack.
Why it Matters
WinRAR is ubiquitous. Its prevalence makes this exploit especially dangerous—malicious archives can spread far and wide and be executed by unsuspecting users.
-
Attack efficiency: Targeted spear-phishing with plausible resumes increases click-through rates—especially when the lure aligns with hiring or recruitment.
-
Stealth delivery: ADS utilization skirts casual detection; deceptions in UI (WinRAR hides deep file paths unless scrolled) amplify the risk.
-
Resourceful OPSEC: Rapid patching by WinRAR and quick discovery by ESET signal high technical capability on both sides.
Together, these factors make RomCom’s campaign notably potent.
Immediate Takeaways and Mitigations
-
Update WinRAR Immediately: All users of WinRAR, its
UnRAR.dll, command-line tools, and source code should upgrade to versions ≥ 7.13. -
Monitor Archive Extraction Behavior: Deploy behavioral controls or sandboxing around archive extraction processes.
-
Scrutinize Job-Related Attachments: HR and hiring processes are increasingly weaponized. Implement attachment scanning and out-of-band validation for unsolicited applicant documents.
-
Share Intelligence: RomCom’s prominence and zero-day use should be a shared red flag in the CISO and threat-intel communities.
RomCom’s Escalating Zero-Day Strategy
This campaign confirms that RomCom has made zero-days a core part of its operational archetype—bridging cybercrime and espionage tactics with precision. Their ability to weaponize WinRAR’s ADS feature for stealthy deployment elevates the threat level considerably.
For defenders, the key isn’t merely patching—but also detecting phishing-at-scale, scanning compressed content dynamically, and educating users about hidden payload risks.
RomCom’s latest move demonstrates that even everyday utilities can become stealthy vectors for nation-linked espionage. The race to catch invisible exploits—and the groups behind them—is escalating fast.
Source: Read More