Critical WinRAR Vulnerability Exploited by RomCom Hackers – Immediate Upgrade Needed!

2025-08-11

Author: Jia

A newly uncovered vulnerability in WinRAR has sparked alarm because it is being actively exploited by RomCom, a notorious Russia-aligned hacker group. The zero-day flaw, tracked as CVE-2025-8088, lets attackers hide malicious files inside seemingly harmless archives so that the act of extracting the archive plants their payload.

ESET researchers issued an urgent advisory stressing the importance of upgrading WinRAR to the latest version; a patch has been available since July 30, 2025. Users are strongly advised to act quickly to protect their systems.

Understanding the Attack Mechanism

The vulnerability is a path traversal flaw that abuses NTFS alternate data streams, and it affects several components, including WinRAR's Windows command-line utilities and the UnRAR.dll library. By crafting archive entries accordingly, attackers can have malicious DLLs and LNK files silently written into system directories, giving their code both persistence and a way to execute.
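The defensive counterpart to this flaw is to validate every archive entry name before writing it, refusing anything that could land outside the chosen extraction directory. The following is an added example written for this article, not code from ESET, RARLAB or WinRAR; the entry names in `SAMPLE_ENTRIES` are constructed test inputs, and the function names and the `/extract` destination are assumptions. It treats a `..` segment, an absolute path and any alternate-data-stream colon as reasons to refuse an entry, and it splits on the colon as well as on slashes so that a `..` hidden inside a stream name is caught too.

```python
"""Defensive pre-extraction check for archive entry names (added example)."""
import posixpath
import re
from typing import Dict, Iterable, Optional

# Constructed sample listing; none of these names come from a real archive.
SAMPLE_ENTRIES = [
    "cv/resume.pdf",
    "cv/cover_letter.docx",
    "..\\..\\..\\Users\\Public\\update.dll",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "notes.txt:hidden",
    "photo.jpg:..\\..\\..\\AppData\\Roaming\\run.lnk",
]

# Path separators plus the NTFS alternate-data-stream colon.
_SEPARATORS = re.compile(r"[\\/:]")


def entry_risk(name: str, dest: str = "/extract") -> Optional[str]:
    """Return why `name` must not be extracted under `dest`, or None if it is safe."""
    unified = name.replace("\\", "/")

    # Absolute paths (leading slash or drive letter) ignore the destination entirely.
    if unified.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return "absolute path"

    # Split on path separators AND the ADS colon, so a '..' smuggled inside a
    # stream name is seen just like one in the path proper.
    if any(part == ".." for part in _SEPARATORS.split(name)):
        return "parent-directory traversal"

    # Any remaining colon denotes an alternate data stream. Archives have no
    # legitimate need for one, so refuse rather than try to interpret it.
    if ":" in name:
        return "alternate data stream"

    # Belt-and-braces: the resolved target must still lie below `dest`.
    resolved = posixpath.normpath(posixpath.join(dest, unified))
    if resolved != dest and not resolved.startswith(dest.rstrip("/") + "/"):
        return "escapes destination"
    return None


def triage(entries: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each entry name to its refusal reason (None for entries that are safe)."""
    return {name: entry_risk(name) for name in entries}


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_ENTRIES).items():
        verdict = "REFUSE" if reason else "ok    "
        print(f"{verdict} {entry!r} {reason or ''}")
```

Run as a script it prints a verdict per sample entry; in practice the same check would run over an archive's listing before any file is written, and a single refused entry should abort the whole extraction rather than skip one file.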

RomCom's Targeted Campaign

Between July 18 and 21, RomCom executed a targeted campaign using spear-phishing emails aimed at sectors including finance, manufacturing, defense, and logistics in Europe and Canada. These deceptive emails enticed recipients with job applications that contained RAR file attachments. Thankfully, ESET reported that no successful breaches were detected during this operation.

Sophisticated Attack Chains Revealed

Security researchers have dissected three unique attack chains utilized by RomCom:

1. **Mythic Agent**: Employed COM hijacking to run a malicious DLL that decrypted and executed shellcode linked to a command-and-control (C2) server.

2. **SnipBot Variant**: Delivered through a modified PuTTY CAC executable that only activated if the system showed signs of genuine use, such as a significant number of recently opened documents.

3. **MeltingClaw (RustyClaw)**: A downloader written in Rust that fetched additional malicious payloads from remote servers.

Each of these chains also incorporated hardcoded domain checks and anti-analysis techniques so that the malware would not reveal itself when examined by researchers.

A Growing Trend of Zero-Day Exploits

RomCom, also tracked under names such as Storm-0978 and Tropical Scorpius, has a troubling history of exploiting previously unknown vulnerabilities. In June 2023 it exploited CVE-2023-36884 in Microsoft Word, and it later chained two vulnerabilities, including CVE-2024-9680 in Firefox, to implant backdoors.

ESET also noted that another, unnamed threat actor began leveraging CVE-2025-8088 shortly after RomCom. The WinRAR team's rapid response, releasing a fix just one day after notification, is seen as crucial to limiting the potential damage.

Security experts are urging all users to promptly update WinRAR and any related components to guard against this critical vulnerability.