A zero-day vulnerability has been discovered in WinRAR and exploited by the pro-Russian group RomCom. The flaw, now fixed, allowed the paths of files inside an archive to be manipulated so that malicious code was written to disk and executed. The attacks aimed to install backdoors such as variants of SnipBot, RustyClaw and the Mythic agent. Users are advised to update the software.
Researchers at ESET, a global European leader in the cybersecurity market, have discovered a previously unknown vulnerability in WinRAR that was exploited in real attacks by the pro-Russian group RomCom. According to ESET telemetry, malicious archives were used in spearphishing campaigns between July 18 and 21, 2025, targeting European and Canadian companies in the financial, manufacturing, defense and logistics sectors. The objective of the operations was cyber espionage. This is at least the third time RomCom has been caught exploiting a significant zero-day vulnerability.
"On July 18, we observed a malicious DLL named msedge.dll in a RAR archive with unusual paths that caught our attention. Analysis revealed that attackers were exploiting an unknown vulnerability affecting WinRAR, including the version in use at the time (7.12). On July 24, we notified the WinRAR developer, and on the same day, the vulnerability was patched in a beta, followed a few days later by a final version. We invite all users to install the latest release to reduce risks," explains Peter Strýček, ESET researcher, who made the discovery together with his colleague Anton Cherepanov. The vulnerability, CVE-2025-8088, is a path traversal made possible through the use of alternate data streams (ADS), an NTFS file-system feature.
Malicious archives, disguised as job application documents, exploited the path traversal flaw to compromise systems. In the spearphishing emails, the attackers attached a supposed CV, leveraging the recipient's curiosity. The data collected by ESET does not reveal any successful compromises among the observed targets, although the attackers had conducted prior reconnaissance and the messages were highly targeted. Technical analysis, however, confirmed that the exploit, once successful, could have deployed several backdoors used by the RomCom group, in particular a variant of SnipBot, RustyClaw and the Mythic agent.
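To make the class of flaw described above concrete, here is an added example of a pre-extraction check over archive entry names. It is illustrative code written for this article, not ESET's or WinRAR's code, and it does not parse the RAR format: it assumes the archive listing has already been turned into entry-name strings. The destination directory C:\Extract and the sample entry names are constructed for the example; the ADS entry is modelled on the technique the article describes (a stream name that is really a path), not copied from a real sample.

```python
"""Screen archive entry names for path traversal, including the NTFS
alternate data stream (ADS) variant: an entry such as
"decoy.pdf:..\\..\\target.dll" looks like a file with a named stream, but an
extractor that appends the stream name unsanitized is writing to a path.

Added example for this article; assumes entry names are already available as
strings (RAR header parsing is out of scope).
"""
import ntpath

# Constructed sample listing, not from a real archive. The ADS entry mirrors
# the described technique: a harmless-looking CV with a stream name that is a
# traversal path into the user's Startup folder.
SAMPLE_ENTRIES = [
    r"CV_John_Doe.pdf",
    r"docs\cover_letter.docx",
    r"..\..\payload.dll",
    r"C:\Windows\System32\evil.dll",
    r"CV_John_Doe.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.dll",
    r"notes.txt:Zone.Identifier",  # legitimate ADS (mark-of-the-web), kept
]


def split_ads(name):
    """Split 'file:stream' into (file, stream); stream is None if absent.
    A drive letter ('C:') also uses a colon, so skip it via splitdrive."""
    drive, rest = ntpath.splitdrive(name)
    idx = rest.find(":")
    if idx == -1:
        return name, None
    return drive + rest[:idx], rest[idx + 1:]


def check_entry(name, dest=r"C:\Extract"):
    """Return the list of findings for one entry; an empty list means the
    entry would land inside `dest` and carries no path-like stream name."""
    findings = []
    name = name.replace("/", "\\")          # treat both separators alike
    base, stream = split_ads(name)

    # Absolute or drive-rooted names never belong in an archive listing.
    if ntpath.splitdrive(base)[0] or base.startswith("\\"):
        findings.append("absolute path")

    # Resolve where the base name would be written and require it to stay
    # under dest. normpath collapses '..' components; normcase makes the
    # comparison case-insensitive as NTFS is.
    dest_n = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, base)))
    if target != dest_n and not target.startswith(dest_n + "\\"):
        findings.append("path traversal")

    # A valid NTFS stream name cannot contain a path separator, and has no
    # business containing '..' components. Either means the "stream" is a
    # path the extractor must not follow.
    if stream is not None:
        parts = stream.split("\\")
        if len(parts) > 1 or ".." in parts:
            findings.append("ADS path traversal")

    return findings


def scan(entries, dest=r"C:\Extract"):
    """Return {entry: findings} for every entry that has at least one finding."""
    report = {}
    for entry in entries:
        findings = check_entry(entry, dest)
        if findings:
            report[entry] = findings
    return report


if __name__ == "__main__":
    for entry, why in scan(SAMPLE_ENTRIES).items():
        print(f"{', '.join(why):<32} {entry}")
```

The check is deliberately applied before any file is opened: the decision is made on the name alone, so a malformed stream name is rejected rather than handed to the Windows file API, whose own path normalization is what such an entry relies on.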
ESET Research attributes the observed activity to RomCom with reasonable confidence, based on the geographic area targeted, the techniques used and the malware employed. RomCom (also known as Storm-0978, Tropical Scorpius or UNC2596) is a pro-Russian group that conducts both opportunistic campaigns against specific sectors and targeted espionage operations. In recent years the group has expanded its range of action to include intelligence collection, in parallel with more typically criminal activity. The backdoors employed are capable of executing commands and downloading additional modules on the infected computer. This is not the first time RomCom has used exploits to compromise its victims: in June 2023 the group conducted a spearphishing campaign against government and defense bodies in Europe, using documents linked to the Ukrainian World Congress as bait.
"By exploiting an unknown zero-day vulnerability in WinRAR, the RomCom group demonstrated that it invested considerable resources and energy into its operations. The campaign targeted sectors that correspond to the typical interests of pro-Russian APT groups, suggesting a geopolitical motivation behind the operation," concludes Strýček.
For a detailed analysis and technical insight into the most recent RomCom campaign, see the article "Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability" on the WeLiveSecurity.com blog. ESET Research updates can also be followed on Twitter (now X), Bluesky and Mastodon.