
Russian Hackers Unleash Chaos: WinRAR Zero-Day Exploited!
2025-08-12
Author: Jia
A Sneaky New Threat Emerges
A Russian-aligned hacking group tracked as RomCom has exploited a zero-day vulnerability in WinRAR, the widely used Windows archiver, in a targeted campaign. The operation is another step in the group's move from financially motivated cybercrime toward cyberespionage, and it shows how much its capabilities have matured.
The Vulnerability Exposed
Researchers at ESET report that the campaign has been running since July. The flaw, tracked as CVE-2025-8088, is a path traversal bug: a specially crafted archive can make WinRAR write a file outside the folder the user chose for extraction, which is enough to drop a payload into a location such as the Windows Startup folder, where it runs at the next logon. After ESET's warning, WinRAR shipped a fix in version 7.13 on July 31. Note that WinRAR has no automatic update mechanism, so the fixed version has to be downloaded and installed by hand, and the Windows builds of RAR, UnRAR, UnRAR.dll and the portable UnRAR source were affected as well. The Unix versions and RAR for Android are not affected.
RomCom's Dark Transformation
Also tracked as Storm-0978 or UNC2596, RomCom originally built its reputation on ransomware. Since Russia's invasion of Ukraine in 2022 its operations have shifted markedly toward cyberespionage that serves Russian state interests. According to ESET, this is at least the third time RomCom has used a zero-day vulnerability, which points to a group that actively sources exploits for targeted operations.
Phishing Schemes and Malicious Code
The attack begins with a spear-phishing email carrying a RAR archive disguised as a job application. The archive abuses the alternate data stream (ADS) feature of the NTFS file system: besides the visible decoy document, it contains entries whose ADS names include path-traversal sequences (`..\`), so that when WinRAR extracts the archive it writes the hidden payload to a path of the attacker's choosing instead of keeping it next to the decoy. To make the malicious entry harder to spot, the attackers padded the archive with many dummy streams carrying junk data and misleading paths, so the victim sees only an ordinary-looking document.
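The following script is an added example, not code from the article or from ESET or WinRAR. It shows what the pattern described above looks like in an archive listing and how to flag it: each entry name is checked for an ADS component (`file:stream`) whose stream name contains path separators or `..`, and the resolved target is compared against the extraction directory the way a naive extractor that passes the name straight to the filesystem would resolve it. The entry names, the user name `alice` and the extraction directory are constructed for the example; `safe_to_extract` is an illustrative hardening policy, not WinRAR's actual fix.

```python
"""Scan archive entry names for ADS path-traversal entries (added example).

Entry names are assumed to come from an archive listing. The sample names
below are constructed and do not come from a real campaign.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed listing: one visible decoy document, several dummy streams,
# and one stream whose name climbs out of the extraction directory into the
# user's Startup folder (the persistence location described in the article).
SAMPLE_ENTRIES = [
    "Applicant_CV.pdf",
    "Applicant_CV.pdf:dummy_a",
    "Applicant_CV.pdf:dummy_b",
    "Applicant_CV.pdf:\\..\\..\\..\\..\\..\\..\\..\\..\\Users\\alice\\AppData\\Roaming\\"
    "Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Applicant_CV.pdf:dummy_c",
]

EXTRACT_DIR = r"C:\Users\alice\Downloads"  # assumed extraction directory


@dataclass
class Finding:
    entry: str
    target: str    # where a naive extractor would write, after normalisation
    escapes: bool  # True if target lies outside the extraction directory
    reason: str


def split_ads(entry: str) -> Tuple[str, Optional[str]]:
    """Return (file, stream) for 'file:stream'; stream is None when absent."""
    i = entry.find(":")
    if i <= 0:
        return entry, None
    return entry[:i], entry[i + 1:]


def has_traversal(name: str) -> bool:
    """True if any path component of name is '..'."""
    return any(c == ".." for c in name.replace("/", "\\").split("\\"))


def is_inside(root: str, target: str) -> bool:
    """Case-insensitive check that target is root or a descendant of root."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    target_n = ntpath.normcase(ntpath.normpath(target))
    return target_n == root_n or target_n.startswith(root_n + "\\")


def naive_target(extract_dir: str, entry: str) -> str:
    """Model of an extractor that appends the entry name verbatim and lets the
    filesystem collapse '..' components (the behaviour a traversal bug relies on)."""
    return ntpath.normpath(ntpath.join(extract_dir, entry))


def scan(entries: List[str], extract_dir: str = EXTRACT_DIR) -> List[Finding]:
    """Flag every ADS entry and every plain entry that contains '..'."""
    findings = []
    for entry in entries:
        base, stream = split_ads(entry)
        target = naive_target(extract_dir, entry)
        escapes = not is_inside(extract_dir, target)
        if stream is not None and (has_traversal(stream) or "\\" in stream or "/" in stream):
            reason = "ADS name contains path separators or '..'"
        elif stream is None and has_traversal(base):
            reason = "entry path contains '..'"
        elif stream is not None:
            reason = "ADS entry (possible dummy stream used as padding)"
        else:
            continue  # ordinary file name, nothing to report
        findings.append(Finding(entry, target, escapes, reason))
    return findings


def safe_to_extract(entry: str, extract_dir: str = EXTRACT_DIR) -> bool:
    """Hardening policy (illustrative, not WinRAR's fix): reject '..' anywhere,
    reject separators inside a stream name, and require the final target to
    stay inside extract_dir."""
    base, stream = split_ads(entry)
    if has_traversal(base):
        return False
    if stream is not None and (has_traversal(stream) or any(ch in stream for ch in "\\/")):
        return False
    return is_inside(extract_dir, naive_target(extract_dir, entry))


if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        flag = "ESCAPES" if f.escapes else "ok"
        print(f"[{flag:7}] {f.entry!r}\n          -> {f.target} ({f.reason})")
```

Run against the constructed listing, the scan reports the three dummy streams as benign ADS entries that stay inside `Downloads` and flags the fourth as escaping to `C:\Users\alice\AppData\Roaming\...\Startup\Updater.lnk`; `safe_to_extract` accepts the decoy and the dummy streams and rejects the traversal entry. The same scan can be fed the names from a real listing tool to triage suspicious archives before anyone opens them.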