A WinRAR zero-day vulnerability was exploited in the wild by the Russia-linked RomCom threat group, ESET reported Monday.The high-severity WinRAR flaw tracked as CVE-2025-8088 has a CVSS score of 8.4 and enables attackers to misuse alternate data streams (ADSs) to achieve path traversal on Windows.WinRAR users are encouraged to update to version 7.13, released on July 30, 2025, to resolve the vulnerability. Software that uses the Windows version of UnRAR.dll or its source code also require updates to resolve the flaw.Prior to its discovery by ESET researchers, CVE-2025-8088 was exploited by RomCom in an email spearphishing campaign attempting to spread three types of malware: Mythic, SnipBot and RustyClaw.A malicious archive, disguised as a job applicant’s curriculum vitae or resume, was attached to the emails and appeared to contain one benign PDF. However, through the use of alternate data streams, malicious files were hidden and deployed when the PDF was extracted and opened.These malicious, invisible ADSs use parent directory relative path elements (ex. “..\\”) to escape the intended directory and extract to locations such as %TEMP% and %LOCALAPPDATA% without the user’s awareness.A malicious LNK file Updater.lnk adds a registry value and sets it to %TEMP%\msedge.dll, using Component Object Model (COM) hijacking to execute the malicious msedge.dll whenever another executable attempts to load the legitimate npmproxy.dll.The DLL decrypts and deploys shellcode that facilitates communication to the attacker’s command-and-control (C2) server via the Mythic agent backdoor, a backdoor known to be used by RomCom.Another LNK file runs the malicious ApbxHelper.exe file stored at %LOCALAPPDATA%, which is a modified version of open-source Windows Secure Shell client PuTTYCAC with extra code that decrypts and deploys the SnipBot variant as shellcode. SnipBot is believed to be a variant of RomCom RAT enabling command execution and data exfiltration.A third malicious LNK file executes Complaint.exe, also stored at %LOCALAPPDATA%, which is the Rust-based downloader known as RustyClaw. RustyClaw further retrieves another payload from an external server, which is believed to be another RomCom downloader known as MeltingClaw, first identified by Proofpoint.The spearphishing emails are believed to be highly targeted, as the msedge.dll exits before deploying the Mythic agent if the target machine’s domain name does not match a hardcoded company name.ESET observed RomCom deploying these attacks against European and Canadian financial, manufacturing, defense and logistics companies between July 18 and July 21, 2025, and noted that the researchers at BI.ZONE separately identified related attacks against Russian organizations in early July.RomCom has been known to target zero-day vulnerabilities in the past, abusing the Windows Search vulnerability CVE-2023-36884 in June 2023 and chaining the Firefox animation timeline flaw CVE-2024-9680 and Windows Task Scheduler flaw CVE-2024-49039 in attacks in October 2024.
Vulnerability Management, Patch/Configuration Management, Threat Intelligence, Email security, Phishing, Malware, Exposure management
WinRAR zero-day exploited by RomCom threat group

(Credit: Ralf – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



