The notorious Russia-aligned hacking group RomCom has been exploiting a zero-day vulnerability in WinRAR, a popular file compression tool, to launch highly targeted cyber-espionage campaigns against financial, manufacturing, defense, and logistics companies in Europe and Canada. The vulnerability, tracked as CVE-2025-8088, is a path traversal flaw that allows attackers to hide malicious files within a seemingly harmless archive. When a user extracts the files, the malware is silently deployed to system directories, enabling the hackers to execute code and maintain persistence on the victim’s machine.
The attacks rely on spear-phishing emails that lure targets with attachments disguised as legitimate documents, such as job applications. These attachments are specially crafted RAR files that exploit the zero-day vulnerability. According to researchers at cybersecurity firm ESET, the flaw leverages a feature of Windows called Alternate Data Streams to embed malicious payloads without the user’s knowledge. While WinRAR does display warnings about invalid file paths during extraction, the attackers intentionally include multiple benign-looking errors to obscure the single, critical malicious entry. This allows the hackers to drop malware, including backdoors like SnipBot, RustyClaw, and the Mythic agent, into sensitive locations like the Windows Startup folder. Once there, the malware can execute automatically on a system reboot, giving the attackers a foothold in the network.
The use of a zero-day in WinRAR is consistent with RomCom’s history. The group, also known as Storm-0978, has a reputation for rapidly incorporating newly discovered vulnerabilities into its operations. Previously, the group has exploited zero-day flaws in Microsoft Word and Firefox to deliver backdoors. This latest campaign shows that RomCom continues to invest significant resources in finding and weaponizing new vulnerabilities for both financially motivated and espionage-focused attacks.
WinRAR’s developer, RARLAB, was notified of the flaw by ESET and quickly released a patch to address the vulnerability. The fix is included in WinRAR version 7.13, which was made available on July 30. However, because WinRAR lacks an automatic update feature, it’s up to individual users to download and install the latest version to protect themselves. Given the widespread use of WinRAR and the sophistication of the attackers, cybersecurity experts are urging all users, particularly those in the targeted sectors, to update their software immediately.
