
Critical WinRAR Flaw Exploited by RomCom Hackers in Targeted Cyber Attacks!
2025-08-11
Author: John Tan
ESET researchers have unveiled a shocking zero-day vulnerability in WinRAR, currently being exploited by the notorious RomCom hacker group, backed by Russian interests. If you're among the millions using WinRAR or its components, including the Windows command-line tools and UnRAR, it's vital that you urgently update to the latest version.
The Attack Unveiled: A Cyber Espionage Campaign!
Recent telemetry from ESET reveals that malicious archives were used in spearphishing campaigns from July 18 to July 21, 2025. These attacks strategically targeted high-profile sectors such as finance, manufacturing, defense, and logistics across Europe and Canada, with the malicious intent of cyberespionage.
Malicious DLL Discovered!
On July 18, ESET spotted a suspicious DLL named msedge.dll within a RAR archive that contained anomalous file paths—a red flag for security experts. Delving deeper, ESET discovered that this was no ordinary vulnerability. The attackers were exploiting a previously unknown flaw in WinRAR that affected even the then-current version 7.12. By July 24, WinRAR's developers were alerted, and within days, a fix was rolled out. Prompt action is essential—update your WinRAR now to stay protected!
How Did They Do It?
The attackers cleverly masked their malevolent archive as an innocuous application document, employing a path traversal vulnerability to execute their attack. The phishing emails bore the guise of a resume, luring unsuspecting victims to open them.
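Path traversal in an archive means an entry name is crafted so that extraction writes outside the folder the user chose. The check below, an added example written for this article rather than code from ESET or the WinRAR project, flags entry names that would do that; the sample listing is constructed and does not reproduce the campaign's archives.

```python
"""Flag archive entry names that would extract outside the chosen folder."""
from pathlib import PureWindowsPath
from typing import Optional


def traversal_reason(name: str) -> Optional[str]:
    """Return why an entry name is unsafe to extract, or None if it looks fine.

    WinRAR runs on Windows, so both '/' and '\\' are treated as separators.
    The check is deliberately conservative: any '..' segment is flagged even
    if the path would net out inside the extraction root, because a
    legitimate archive has no reason to contain one.
    """
    if not name.strip():
        return "empty entry name"
    win = PureWindowsPath(name)
    if win.drive:                       # "C:\..." or "\\server\share\..."
        return f"drive or UNC prefix {win.drive!r}"
    unix_style = name.replace("\\", "/")
    if unix_style.startswith("/"):
        return "absolute path (starts with a separator)"
    segments = [s for s in unix_style.split("/") if s not in ("", ".")]
    if ".." in segments:
        return "parent-directory segment '..'"
    return None


def audit_entries(names):
    """Map each unsafe entry name to the reason it was flagged."""
    return {n: r for n in names if (r := traversal_reason(n)) is not None}


# Constructed sample listing (hypothetical names, not from a real archive).
SAMPLE_ENTRIES = [
    "Resume.pdf",
    "Portfolio/Project1.docx",
    "./cover_letter.txt",
    "..\\..\\..\\Temp\\msedge.dll",     # climbs out of the extraction folder
    "C:\\Temp\\notes.txt",             # absolute path, ignores the chosen folder
]

if __name__ == "__main__":
    for entry, reason in audit_entries(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {reason}")
```

A mail gateway or extraction wrapper can run this over an archive's file list before anything is written to disk and quarantine archives that produce any hit.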
Targets Remain Uncompromised, But Risks Remain!
Fortunately, ESET reports that none of the targeted entities were compromised. However, the precision with which the attackers selected and profiled their victims indicates a high level of expertise. Had the exploit succeeded, it would have unleashed backdoors associated with RomCom, including variants like SnipBot, RustyClaw, and the Mythic agent.
Who is RomCom?
Operating under various aliases such as Storm-0978 or UNC2596, RomCom is a Russia-aligned group notorious for blending opportunistic cybercrime with focused espionage operations. This most recent attack underscores their evolving strategy, now emphasizing intelligence gathering alongside traditional cybercriminal activities.
Backdoor Capabilities: A Serious Threat!
The backdoor used by RomCom is capable of executing commands and downloading additional malicious modules onto exploited machines. This isn’t RomCom's first foray into cyber warfare; they previously launched a spearphishing campaign in June 2023 targeting defense and governmental organizations in Europe, leveraging themes related to the Ukrainian World Congress.
As the threat landscape evolves, ensuring your software is up to date is crucial—act now to secure your systems!