WinRAR zero-day exploited by RomCom hackers in targeted attacks
ESET researchers have discovered a previously unknown vulnerability in WinRAR, exploited in the wild by Russia-aligned group RomCom. If you use WinRAR or related components such as the Windows versions of its command line tools, UnRAR.dll, or the portable UnRAR source code, update right away to the latest release.
According to ESET telemetry, malicious archives were used in spearphishing campaigns between July 18 and July 21, 2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. The aim of the attacks was cyberespionage. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild.
“On July 18, we observed a malicious DLL named msedge.dll in a RAR archive containing unusual paths that caught our attention. Upon further analysis, we found that the attackers were exploiting a previously unknown vulnerability affecting WinRAR, including the then-current version 7.12. On July 24, we contacted the developer of WinRAR; the same day the vulnerability was fixed in a beta version, with a full version released a few days later. We advise WinRAR users to install the latest version as soon as possible to mitigate the risk,” says ESET researcher Peter Strýček, who made the discovery along with another ESET researcher, Anton Cherepanov. The vulnerability, CVE-2025-8088, is a path traversal vulnerability made possible through the use of alternate data streams.
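As an added defender-side illustration (not ESET's tooling and not code from the original article), the check below flags archive entry names that show the two traits the article describes, an alternate data stream and a path that climbs out of the extraction directory, so they can be reviewed before extraction. The entry names are constructed samples; in practice they would come from a RAR listing tool.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample entry names, in the form a RAR listing tool reports them.
# They are illustrative only and are not the names used in the real campaign.
SAMPLE_ENTRIES = [
    "CV_2025.pdf",
    "docs/cover_letter.docx",
    "CV_2025.pdf:Zone.Identifier",          # an alternate data stream (ADS) on a file
    "CV_2025.pdf:..\\..\\..\\loader.dll",   # ADS whose name climbs out of the target dir
    "..\\..\\AppData\\update.dll",          # plain directory traversal in the file path
    "C:\\Windows\\Temp\\x.dll",             # absolute path: writes outside the target dir
]

# A '..' component delimited by path separators (or at the start/end of the name).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def split_ads(name):
    """Split 'path:stream' into (path, stream); stream is '' when there is no ADS marker."""
    # Do not mistake a drive-letter colon such as 'C:\' for an ADS separator.
    start = 2 if re.match(r"^[A-Za-z]:[\\/]", name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, ""
    return name[:idx], name[idx + 1:]

def classify(name):
    """Return the reasons an entry should not be extracted blindly ([] if none)."""
    reasons = []
    path, stream = split_ads(name)
    if stream:
        reasons.append("ads")            # archives rarely need to carry ADS at all
    if TRAVERSAL.search(path) or TRAVERSAL.search(stream):
        reasons.append("traversal")      # '..' in the path or in the stream name
    if PureWindowsPath(path).is_absolute() or path.startswith(("\\", "/")):
        reasons.append("absolute")       # rooted paths ignore the chosen extraction dir
    return reasons

def suspicious_entries(names):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    flagged = {}
    for name in names:
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
    return flagged
```

Patched WinRAR already refuses such names; the check is useful on mail gateways or sandboxes that inspect archives before a user opens them.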
The attackers disguised the malicious archive as an application document and used it to exploit a path traversal flaw. In their spearphishing emails, they sent what looked like a CV, hoping someone would take the bait and open it.
ESET says none of the targets were actually compromised, but the attackers had clearly done their homework, carefully selecting and profiling their victims. When the exploit worked, it deployed backdoors linked to the RomCom group, including a SnipBot variant, RustyClaw, and the Mythic agent.
Researchers attribute the observed activities to RomCom with high confidence based on the targeted region, TTPs, and the malware used. RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations.
The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine. It is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group performed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to the Ukrainian World Congress.
“By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations. The discovered campaign targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation,” concludes Strýček.