WinRAR zero-day exploited by Russia-linked hackers to plant backdoor malware; the flaw is only fixed by a manual update
The Russia-linked hacking group known as RomCom (also tracked as Storm-0978, Tropical Scorpius, Void Rabisu, or UNC2596) is actively exploiting a newly disclosed zero-day vulnerability in WinRAR (CVE-2025-8088) to deploy malware and backdoors. The flaw is a directory traversal: a crafted archive can make WinRAR write files to locations the attacker chooses, such as the Windows Startup folders, which gives RomCom persistent remote code execution.
RomCom's targets have expanded beyond Ukraine to organizations across Europe, Canada, and North America, in sectors including finance, manufacturing, defense, logistics, and government. Its campaigns typically use spear-phishing emails carrying malicious RAR attachments disguised as job applications or CVs, and the group profiles its victims carefully for espionage and cybercrime operations.
The group has been observed using sophisticated malware, including variants of SnipBot, RustyClaw (MeltingClaw), and the Mythic agent, which provide command execution, backdoor access, and modular payload delivery. RomCom's activity combines opportunistic attacks on business verticals with targeted espionage that is largely aligned with Russian geopolitical interests.
In response, WinRAR has released version 7.13, which fixes the directory traversal flaw (CVE-2025-8088). WinRAR does not update itself, so users must download and install the new version manually to be protected. The update addresses a vulnerability that could trick file extraction into writing to a path defined inside a specially crafted archive rather than to the chosen destination folder.
The Unix versions of RAR and UnRAR, the portable UnRAR source code, the UnRAR library, and RAR for Android are not affected. Users should nevertheless remain cautious when opening RAR attachments, as they may contain malicious code.
This targeted and ongoing campaign highlights RomCom's evolution into a resourceful threat actor that uses zero-days for strategic cyber operations against diverse international audiences. Users are advised to stay vigilant and practice safe computing habits to protect themselves from such threats.
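To make the traversal concrete from the defender's side, here is an added example (not WinRAR's code, nor anything from the reports cited here) that audits an archive's member names before extraction: it resolves each name against the destination folder the way a naive extractor would, flags entries that escape it, and calls out specifically when the result lands in a Windows Startup folder. The member names and destination path are constructed for illustration.

```python
import ntpath

# Tail shared by the per-user Startup folder (under AppData\Roaming) and the
# machine-wide one (under ProgramData). A file dropped here runs at next logon,
# which is the persistence trick the campaign above relies on.
STARTUP_TAIL = r"microsoft\windows\start menu\programs\startup"


def _as_windows(name: str) -> str:
    """Archive member names may use '/' or '\\'; treat both as Windows separators."""
    return name.replace("/", "\\")


def resolve_member(dest_dir: str, member: str) -> str:
    """Path an extractor would write to if it trusted the member name verbatim."""
    return ntpath.normpath(ntpath.join(dest_dir, _as_windows(member)))


def escapes_destination(dest_dir: str, member: str) -> bool:
    """True if the member resolves outside dest_dir (traversal, absolute or drive path)."""
    dest = ntpath.normpath(dest_dir)
    target = resolve_member(dest_dir, member)
    try:
        return ntpath.commonpath([dest, target]) != dest
    except ValueError:  # different drive, or absolute mixed with relative: outside
        return True


def targets_startup_folder(dest_dir: str, member: str) -> bool:
    """True if the resolved path lands inside a Windows Startup folder."""
    return STARTUP_TAIL in ntpath.dirname(resolve_member(dest_dir, member)).lower()


def audit_members(dest_dir: str, members: list[str]) -> list[tuple[str, str]]:
    """Return (member, reason) for every entry that should block extraction."""
    findings = []
    for m in members:
        if escapes_destination(dest_dir, m):
            where = ("in a Windows Startup folder" if targets_startup_folder(dest_dir, m)
                     else "outside the extraction directory")
            findings.append((m, f"resolves {where}: {resolve_member(dest_dir, m)}"))
    return findings


# Constructed listing of a CV-themed phishing archive (illustrative, not a real sample).
SAMPLE_MEMBERS = [
    "cv/Resume_2025.pdf",
    "cv/../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe",
    "C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/helper.lnk",
]

if __name__ == "__main__":
    for member, reason in audit_members(r"C:\Users\victim\Downloads\cv", SAMPLE_MEMBERS):
        print(f"BLOCK {member!r}: {reason}")
```

The check uses `ntpath` so it runs on any platform against a listing obtained elsewhere; the same resolve-then-compare logic is what a safe extractor must apply to every entry before writing.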
[1] ESET Threat Report, 2025
[2] Kaspersky Securelist, 2025
[3] Mandiant Threat Intelligence Report, 2025
[4] Check Point Research, 2025
[5] CERT-UA Advisory, 2025
- The expanding threat from RomCom, a Russia-linked hacking group, is documented in several technology and general-news reports, including the ESET Threat Report 2025, Kaspersky Securelist 2025, the Mandiant Threat Intelligence Report 2025, Check Point Research 2025, and the CERT-UA Advisory 2025.
- As cybercrime grows more complex, users need to stay aware of the tactics used by groups like RomCom, which has been observed exploiting zero-day vulnerabilities in widely used software such as WinRAR for its espionage and cybercrime operations.