New WinRAR Zero-Day Exploited by RomCom Hackers

by CybrGPT

A newly discovered vulnerability in WinRAR has been exploited in the wild by the Russia-aligned cyber group RomCom.

According to an advisory published by ESET researchers earlier today, the flaw, tracked as CVE-2025-8088, allows attackers to conceal malicious files in an archive that are silently deployed during extraction.

A patch was released on July 30, 2025, and users are urged to upgrade immediately.

How the Attack Works

The path traversal vulnerability, enabled through alternate data streams, affects multiple components, including WinRAR’s Windows command-line utilities, UnRAR.dll and the portable UnRAR source code.

By crafting archives to appear harmless, attackers hide malicious DLLs and LNK files that are deployed to system directories, enabling persistence and code execution.
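The two name tricks described above, traversal components and alternate data stream references, can be screened for before an archive is extracted. The following is an added defensive example, not code from ESET, WinRAR or this article; the function names are hypothetical and the sample entry names are constructed, since the article does not describe the exact entries used in the real archives.

```python
import posixpath
import re
from typing import Dict, List, Optional

# Hypothetical pre-extraction filter (added example, not code from ESET, WinRAR
# or this article). It rejects the two name tricks the advisory describes:
# path traversal components and NTFS alternate data stream (ADS) references.
DRIVE_RE = re.compile(r"^[A-Za-z]:/")


def entry_is_unsafe(name: str) -> Optional[str]:
    """Return a reason the entry must not be extracted, or None if it looks safe."""
    norm = name.replace("\\", "/")
    # Absolute paths and drive-letter paths escape the extraction root outright.
    if norm.startswith("/") or DRIVE_RE.match(norm):
        return "absolute path"
    # A ':' in any path component (drive letters were handled above) denotes an
    # ADS reference such as 'cv.pdf:payload.dll', which NTFS stores as a hidden
    # stream attached to the visible file rather than as a separate entry.
    if any(":" in comp for comp in norm.split("/")):
        return "alternate data stream"
    # Resolve '.' and '..' against a notional root and require the result to
    # stay strictly inside it; 'root' alone means the name was empty or './'.
    resolved = posixpath.normpath(posixpath.join("root", norm))
    if resolved == "root" or not resolved.startswith("root/"):
        return "path traversal"
    return None


def scan_entries(names: List[str]) -> Dict[str, str]:
    """Map every unsafe entry name to the reason it was rejected."""
    findings = {}
    for name in names:
        reason = entry_is_unsafe(name)
        if reason:
            findings[name] = reason
    return findings


# Constructed sample entry names mimicking a job-application lure; the real
# archive contents are not described in the article.
SAMPLE_ENTRIES = [
    "Resume_J_Doe.pdf",
    "Cover Letter/letter.docx",
    "../../Windows/Temp/update.lnk",
    "Resume_J_Doe.pdf:helper.dll",
    "C:\\Users\\Public\\helper.dll",
]
```

Running `scan_entries(SAMPLE_ENTRIES)` flags the last three names and leaves the two ordinary documents untouched.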

Between July 18 and 21, RomCom used spear-phishing emails to target financial, manufacturing, defense and logistics firms in Europe and Canada. The emails carried job application lures with RAR file attachments.

According to ESET, no successful compromises were observed during this campaign.


The security researchers identified three distinct attack chains:

  • Mythic agent: Used COM hijacking to execute a malicious DLL, which then decrypted and ran shellcode linked to a command-and-control (C2) server

  • SnipBot variant: Delivered via a modified PuTTY CAC executable that only ran if the system showed signs of real-world use, such as a high number of recently opened documents

  • MeltingClaw (RustyClaw): A downloader written in Rust that retrieved additional payloads from remote servers

Each chain leveraged hardcoded domain checks or anti-analysis techniques to avoid detection in test environments.

A Pattern of Zero-Day Exploits

RomCom, also known as Storm-0978, Tropical Scorpius or UNC2596, has a history of exploiting previously unknown vulnerabilities.

In June 2023, it abused CVE-2023-36884 in Microsoft Word, and in October 2024, it chained two vulnerabilities, including CVE-2024-9680 in Firefox, to deliver backdoors. The group engages in both financially motivated attacks and targeted espionage.

ESET noted that another unidentified threat actor began exploiting CVE-2025-8088 shortly after RomCom. The speed of the WinRAR team’s patch release, just one day after being informed, was highlighted as critical in reducing exposure.

Security experts recommend immediate updates to WinRAR and related components to mitigate the risk from this flaw.
