ESET Warns of Zero-Day in WinRAR Exploited by RomCom, Urges Immediate Update

(IN BRIEF) ESET has discovered CVE-2025-8088, a zero-day path traversal vulnerability in WinRAR exploited by the Russia-aligned RomCom group in targeted spearphishing campaigns against organizations in Europe and Canada. The flaw, patched on July 30, 2025, was used to deliver malware including SnipBot, RustyClaw, and the Mythic agent. Although no victims were compromised, the attack demonstrated RomCom’s advanced capabilities and geopolitical targeting strategy. The vulnerability also impacted WinRAR command-line tools and the UnRAR library, making immediate updates essential for all users.

(PRESS RELEASE) BRATISLAVA, 11-Aug-2025 — /EuropaWire/ — ESET researchers have identified and reported a previously unknown zero-day vulnerability in WinRAR that was actively exploited by the Russia-aligned cyberespionage group RomCom. The flaw, now assigned CVE-2025-8088, is a path traversal vulnerability enabled through the use of alternate data streams. It has been patched in the latest WinRAR release issued on July 30, 2025, and all users are urged to update immediately.

ESET discovered the vulnerability while investigating a spearphishing campaign conducted between July 18 and July 21, 2025, which targeted financial, manufacturing, defense, and logistics companies in Europe and Canada. Malicious RAR archives, disguised as application documents, attempted to exploit the flaw to install various backdoors, including a SnipBot variant, RustyClaw, and the Mythic agent. While ESET telemetry indicates that no targets were compromised, the attack was highly targeted and preceded by detailed reconnaissance.

The initial discovery came on July 18 when ESET detected a malicious DLL, msedge.dll, inside an archive with suspicious file paths. Further analysis confirmed that the attackers were exploiting the vulnerability in WinRAR, including the then-current version 7.12. ESET researchers Peter Strýček and Anton Cherepanov promptly notified WinRAR’s developer, leading to a same-day fix in a beta version and a full patched release within days.
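As an added defender-side example (not ESET's or WinRAR's code), the check below audits archive entry names before extraction for the two ingredients the release names, parent-directory traversal and alternate data stream markers, and resolves where each entry would actually land; the extraction root and the sample entry listing are constructed, not taken from a real RomCom archive.

```python
# Pre-extraction audit of archive entry names for traversal and ADS markers.
# Uses ntpath so the Windows-style path resolution runs on any host.
import ntpath

DEST_ROOT = "C:\\extract"  # constructed extraction directory (assumption)

def audit_entry_name(name: str, dest_root: str = DEST_ROOT) -> list[str]:
    """Return a list of findings for one archive entry name (empty = clean)."""
    findings = []
    body = name.replace("/", "\\")          # extractors treat both separators alike
    if len(body) >= 2 and body[0].isalpha() and body[1] == ":":
        findings.append("absolute drive path")
        body = body[2:]
    if body.startswith("\\"):
        findings.append("rooted path")
    # A colon anywhere else in an NTFS name denotes an alternate data stream.
    file_part, sep, stream = body.partition(":")
    if sep:
        findings.append(f"alternate data stream marker (stream {stream!r})")
    if ".." in [p for p in file_part.split("\\") if p]:
        findings.append("parent-directory traversal")
    # Resolve where the entry would land and confirm it stays under dest_root.
    target = ntpath.normpath(ntpath.join(dest_root, file_part))
    if target != dest_root and not target.startswith(dest_root + "\\"):
        findings.append(f"escapes extraction root -> {target}")
    return findings

def audit_archive(entry_names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings; clean names are omitted."""
    return {n: f for n in entry_names if (f := audit_entry_name(n))}

# Constructed sample listing; not taken from a real RomCom archive.
SAMPLE_ENTRIES = [
    "Application_Documents\\cv.pdf",
    "Application_Documents\\..\\..\\Users\\Public\\msedge.dll",
    "cv.pdf:msedge.dll",
    "C:\\Windows\\Temp\\msedge.dll",
]

if __name__ == "__main__":
    for entry, findings in audit_archive(SAMPLE_ENTRIES).items():
        print(entry)
        for finding in findings:
            print("   -", finding)
```

A listing tool such as `unrar lt` can feed real entry names into `audit_archive`; any flagged entry is a reason to quarantine the archive rather than extract it.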

“This is at least the third time RomCom has exploited a significant zero-day in the wild,” said Peter Strýček. “By leveraging an unknown flaw in WinRAR, the group demonstrated a high level of technical capability and clear geopolitical intent, targeting sectors that align with the interests of Russian-aligned APT groups.”

RomCom, also tracked as Storm-0978, Tropical Scorpius, or UNC2596, is known for both opportunistic and targeted cyberespionage operations. Its malware toolkit can execute commands and download additional modules, enabling prolonged access to compromised systems. The group has a history of targeting defense, governmental, and strategic industries, including a 2023 campaign aimed at European defense entities using Ukrainian World Congress-themed lures.

The newly patched vulnerability affected not only the WinRAR application but also its Windows command-line utilities, UnRAR.dll, and the portable UnRAR source code. ESET advises all users of these components to update to the latest version without delay.

For an in-depth technical analysis of RomCom’s latest operations, see the ESET Research blog post “RomCom exploits a new vulnerability in the wild, this time in WinRAR” at WeLiveSecurity.com.

Media Contact:

Tel: +421 (2) 322 44 111
Fax: +421 (2) 322 44 109
Web: www.eset.com/int

SOURCE: ESET
