
Russian Hackers Take Aim: WinRAR Vulnerability Unleashed!

2025-08-12

Author: Emma

A New Dimension in Cyber Warfare: Russian Hackers Evolve

In a shocking turn of events, a notorious Russian hacking group has been discovered exploiting a zero-day vulnerability in WinRAR, signaling a dramatic shift from mere cybercrime towards sophisticated cyberespionage tactics. Researchers at ESET have revealed that this campaign has been active since July, utilizing a flaw now tracked as CVE-2025-8088.

The Rise of RomCom: From Ransomware to Strategists

Known as RomCom, and also tracked under names like Storm-0978, Tropical Scorpius, and UNC2596, this group has transitioned from primarily deploying ransomware to conducting high-stakes espionage aligned with Kremlin interests since the onset of Russia’s invasion of Ukraine. This is at least the third instance of RomCom leveraging a zero-day vulnerability, underscoring their persistent focus on sophisticated and targeted cyberattacks.

Targeting Victims: Phishing and Payload Deployment

The attack begins with unsuspecting individuals receiving phishing emails disguised as job applications. By using NTFS alternate data streams (ADS), the attackers embed malicious code that WinRAR writes out automatically during extraction. Decoy streams filled with misleading data are packed alongside it so that the real payload is harder to spot.
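One defender-side check this technique invites is to inspect archive entry names for alternate data streams before, or instead of, extracting them. The script below is an added example and is not code from the article, from ESET or from the RomCom reporting: it parses entry names of the form `host:stream` (ignoring a leading drive letter and an explicit `:$DATA` type suffix), then flags host files that carry an unusual number of streams, as the decoy technique described above would produce, and streams whose names end in an executable or script extension. The sample entry names, the decoy threshold of three and the extension list are constructed assumptions for illustration.

```python
import os
import re
from collections import defaultdict

# Extensions that should never appear as a hidden stream on a document
# (assumed list for the example; tune to your environment).
SUSPICIOUS_EXT = {".exe", ".dll", ".lnk", ".ps1", ".bat", ".cmd",
                  ".vbs", ".js", ".hta", ".scr"}

# A leading "C:\" or "C:/" is a drive prefix, not an ADS separator.
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def split_ads(entry: str):
    """Return (host_path, stream_name) for an archive entry name.

    stream_name is None when the entry is a plain file.  An explicit
    ':$DATA' type suffix is stripped so 'a.pdf:x.dll:$DATA' and
    'a.pdf:x.dll' both yield the stream name 'x.dll'.
    """
    m = _DRIVE.match(entry)
    prefix = entry[:m.end()] if m else ""
    rest = entry[m.end():] if m else entry
    if ":" not in rest:
        return entry, None
    host, stream = rest.split(":", 1)
    if stream.upper().endswith(":$DATA"):
        stream = stream[:-len(":$DATA")]
    return prefix + host, stream


def analyse_entries(entries, decoy_threshold=3):
    """Group ADS entries by host file and return a list of findings.

    Each finding is a tuple (host_path, reason, detail):
      - ("many_streams", count)  when a host carries >= decoy_threshold streams
      - ("executable_stream", stream_name) when a stream has a risky extension
    """
    streams = defaultdict(list)
    for entry in entries:
        host, stream = split_ads(entry)
        if stream is not None:
            streams[host].append(stream)

    findings = []
    for host, names in streams.items():
        if len(names) >= decoy_threshold:
            findings.append((host, "many_streams", len(names)))
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXT:
                findings.append((host, "executable_stream", name))
    return findings


# Constructed sample: a "job application" archive listing with one PDF
# that carries two decoy text streams and one DLL stream.
SAMPLE_ENTRIES = [
    "CV_Ivanova.pdf",
    "CV_Ivanova.pdf:notes.txt",
    "CV_Ivanova.pdf:draft1.txt",
    "CV_Ivanova.pdf:helper.dll",
    "Cover_letter.docx",
    "C:\\Users\\Public\\readme.txt",   # drive letter, not an ADS
]

if __name__ == "__main__":
    for host, reason, detail in analyse_entries(SAMPLE_ENTRIES):
        print(f"{reason:18s} {host} -> {detail}")
```

Entry names can be pulled from any archive listing tool's output; the point of `split_ads` handling the drive prefix and the `$DATA` suffix is that a naive `":" in name` test both misfires on absolute Windows paths and misses the type-qualified form.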

Diverse Infection Methods: A Deep Dive Into Malware Chains

Researchers identified three separate infection chains, each deploying different strains of malware:

1. **Mythic Agent**: Through Component Object Model (COM) hijacking, a DLL file is executed. This approach retrieves the domain name of the infected machine, ensuring that the attack is aimed specifically at high-value targets. ESET emphasized that such pre-attack reconnaissance indicates a highly targeted approach.

2. **SnipBot Variant**: In this scenario, a malicious LNK file triggers a modified version of PuTTY, a widely used SSH client. The malware appears to be related to SnipBot, previously assessed by Unit 42 as connected to RomCom.

3. **RustyClaw and MeltingClaw**: Here, a malicious LNK file launches the RustyClaw downloader, which ultimately deploys another downloader connected to malware dubbed MeltingClaw, identified by Proofpoint as linked to RomCom.

Motives and Targets: A Geo-Political Play?

According to ESET, the campaign primarily targets sectors closely aligned with the interests of Russian-aligned Advanced Persistent Threat (APT) groups, indicating a deeper geopolitical agenda behind the operations. Additionally, another hacking collective, tracked as Paper Werewolf and Goffee, is also exploiting the same WinRAR vulnerability to target companies within Russia itself.

As cyber warfare escalates and transforms, this incident serves as a wake-up call for organizations worldwide to bolster their cybersecurity measures against increasingly advanced threats.