
WinRAR Zero-Day Exploited to Deploy Backdoors via Fake Job Applications

Russian hackers weaponized CVE-2025-8088 in targeted attacks against European and Canadian companies.


A previously unknown vulnerability in WinRAR has been actively exploited by Russian-aligned hackers to infiltrate corporate networks through sophisticated spearphishing campaigns disguised as job applications. 

The zero-day flaw, tracked as CVE-2025-8088, represents the third major exploit deployed by the notorious RomCom group, highlighting the escalating threat landscape facing enterprise users of the popular archiving software.

ESET researchers discovered the attacks on July 18, 2025, when they observed malicious archives masquerading as resumes from job seekers with names like "Eli Rosenfeld" and "Pepita Cordero." The campaigns targeted financial, manufacturing, defense, and logistics companies across Europe and Canada between July 18 and 21, 2025.

The vulnerability is a path traversal flaw involving alternate data streams (ADSes), which lets attackers hide malicious files inside seemingly benign archives. When victims extract what appears to be a single CV document, the malware is silently written to system directories, including Windows Startup folders, for persistence.


"The attackers specially crafted the archive to apparently contain only one benign file, while it contains many malicious ADSes with no indication from the user's point of view," ESET researchers explained in their technical analysis.

The exploit leverages Windows' alternate data streams feature to execute a sophisticated sleight-of-hand attack. Multiple execution chains were identified, deploying various backdoors including SnipBot variants, RustyClaw downloaders, and Mythic agents with command-and-control servers hosted on compromised domains.
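The two indicators the article describes, a colon-separated stream name hidden behind a benign-looking file and a path that resolves outside the extraction folder (here, into a Startup folder), are both visible in an archive's entry listing before anything is extracted. The following audit script is an added example, not code from the article, from ESET or from WinRAR: it takes entry names as a listing tool would print them, runs each through a set of checks, and reports why an entry needs review. The sample listing is constructed for the example, and the extraction root `C:\Extract` is an assumed value.

```python
"""Audit an archive listing for ADS and path-traversal indicators.

Added example (not from the article, ESET or WinRAR). Entry names would
normally come from an archive listing tool; a constructed listing is
embedded so the script runs offline. Reasons reported per entry:
  ads-marker            name carries a ':stream' suffix (alternate data stream)
  traversal-in-stream   the stream part itself contains a '..' component
  absolute-path         entry is drive- or root-anchored
  dot-dot-component     entry contains a '..' component
  escapes-extract-root  entry resolves outside the extraction folder
  startup-folder        resolved path passes through a folder named 'Startup'
"""
import ntpath

# Constructed sample listing (not from the article): one visible CV plus
# entries exhibiting the indicators above.
SAMPLE_ENTRIES = [
    "Eli_Rosenfeld_CV.pdf",
    "Eli_Rosenfeld_CV.pdf:payload",
    "readme.txt:..\\hidden.bin",
    "..\\..\\Startup\\helper.lnk",
    "C:\\Users\\Public\\loader.dll",
    "docs\\..\\notes.txt",
]


def _parts(path):
    """Split a Windows-style path into components, accepting either separator."""
    return path.replace("/", "\\").split("\\")


def split_ads(entry):
    """Split 'name:stream' into (name, stream); a drive letter colon is not a stream.
    Returns (entry, None) when no stream marker is present."""
    drive, rest = ntpath.splitdrive(entry)
    if ":" in rest:
        name, stream = rest.split(":", 1)
        return drive + name, stream
    return entry, None


def escapes_root(relative_entry, extract_root):
    """True when the entry, joined to the extraction root, resolves outside it."""
    root = ntpath.normpath(extract_root)
    target = ntpath.normpath(ntpath.join(root, relative_entry))
    try:
        return ntpath.commonpath([root, target]) != root
    except ValueError:  # different drives or absolute/relative mix
        return True


def targets_startup(relative_entry, extract_root):
    """True when the resolved path passes through a folder named 'Startup'."""
    target = ntpath.normpath(ntpath.join(ntpath.normpath(extract_root), relative_entry))
    return any(part.lower() == "startup" for part in _parts(target))


def audit_listing(entries, extract_root="C:\\Extract"):
    """Return [(entry, [reasons])] for every entry that warrants review."""
    findings = []
    for entry in entries:
        reasons = []
        name, stream = split_ads(entry)
        if stream is not None:
            reasons.append("ads-marker")
            if ".." in _parts(stream):
                reasons.append("traversal-in-stream")
        rooted = bool(ntpath.splitdrive(name)[0]) or name[:1] in ("\\", "/")
        if rooted:
            reasons.append("absolute-path")
        if ".." in _parts(name):
            reasons.append("dot-dot-component")
        if escapes_root(name, extract_root):
            reasons.append("escapes-extract-root")
        if targets_startup(name, extract_root):
            reasons.append("startup-folder")
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in audit_listing(SAMPLE_ENTRIES):
        print(f"{entry!r}: {', '.join(reasons)}")
```

Run on the constructed listing, only the plain `Eli_Rosenfeld_CV.pdf` passes clean; every other entry is reported with at least one reason. Feed the function a real listing and it applies the same checks; the `Startup` heuristic is deliberately broad, so a legitimate folder of that name will also be surfaced for review.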

Industry Impact and Attribution

RomCom (also known as Storm-0978 and UNC2596) isn't the only threat actor exploiting this vulnerability – security researchers confirmed that at least one additional group began leveraging CVE-2025-8088 shortly after RomCom's initial deployment, indicating the exploit's rapid proliferation in cybercriminal circles.

The discovery underscores RomCom's evolution from opportunistic cybercrime to sophisticated state-sponsored espionage operations. The group has consistently demonstrated advanced capabilities, previously exploiting zero-days in Microsoft Word (CVE-2023-36884) and Firefox browsers (CVE-2024-9680).

At the time of writing, Cyber Kendra found that PoC code for CVE-2025-8088 had already been released on GitHub, so we strongly recommend updating WinRAR to the latest version.

Immediate Action Required

WinRAR developers responded swiftly after ESET's July 24 notification, releasing patched version 7.13. However, the vulnerability affects more than just the main WinRAR application – software relying on publicly available Windows versions of UnRAR.dll, or on the corresponding source code, is also vulnerable.

Users must immediately update to WinRAR 7.13 or later. Organizations should also audit any applications incorporating UnRAR libraries and ensure all dependencies are updated to prevent exploitation through third-party integrations.
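The audit recommended above has two parts: confirm the WinRAR build itself is 7.13 or later, and find every copy of UnRAR.dll that other software has bundled. The script below is an added example, not from the article or from WinRAR: it walks the given directories, picks out WinRAR and UnRAR components by file name, reads the PE file version through the Win32 version API (Windows only; elsewhere the version is reported as unknown), and flags `WinRAR.exe` builds below 7.13. The article gives no fixed UnRAR.dll version, so DLL copies are only listed for comparison against the vendor's advisory. The `UnRAR64.dll` file name and the default `Program Files` root are assumptions.

```python
"""Locate WinRAR / UnRAR.dll components and flag WinRAR.exe older than 7.13.

Added example (not from the article or from WinRAR). The 7.13 threshold is
the article's; no fixed UnRAR.dll version is stated there, so DLL copies are
listed for review only. Version reading uses the Win32 version API and is
skipped off Windows. 'unrar64.dll' is an assumed name for the 64-bit build.
"""
import ntpath
import os
import sys

PATCHED_WINRAR = (7, 13)  # from the article: update to 7.13 or later
COMPONENT_NAMES = {"winrar.exe", "unrar.dll", "unrar64.dll"}  # lower-cased


def parse_version(text):
    """'7.13.0.0' -> (7, 13, 0, 0); tolerates a leading 'v' and trailing labels."""
    pieces = text.strip().lstrip("vV").split()
    if not pieces:
        return ()
    parts = []
    for piece in pieces[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def winrar_is_patched(version):
    """Compare (major, minor) of a WinRAR version tuple against 7.13."""
    return tuple(version[:2]) >= PATCHED_WINRAR


def find_components(paths):
    """Keep only paths whose file name is a WinRAR / UnRAR component (case-insensitive)."""
    return [p for p in paths if ntpath.basename(p).lower() in COMPONENT_NAMES]


def walk_files(roots):
    """Yield every file path under the given directories, ignoring unreadable dirs."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                yield os.path.join(dirpath, name)


def file_version(path):
    """Read the PE file version as a 4-tuple via the Win32 version API.
    Returns None off Windows, for files without a version resource, or on error."""
    if sys.platform != "win32":
        return None
    import ctypes
    import struct
    from ctypes import wintypes
    ver = ctypes.WinDLL("version")
    ver.GetFileVersionInfoSizeW.argtypes = [wintypes.LPCWSTR, wintypes.LPDWORD]
    ver.GetFileVersionInfoSizeW.restype = wintypes.DWORD
    ver.GetFileVersionInfoW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID]
    ver.GetFileVersionInfoW.restype = wintypes.BOOL
    ver.VerQueryValueW.argtypes = [wintypes.LPCVOID, wintypes.LPCWSTR,
                                   ctypes.POINTER(ctypes.c_void_p), ctypes.POINTER(wintypes.UINT)]
    ver.VerQueryValueW.restype = wintypes.BOOL
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)) or length.value < 16:
        return None
    # VS_FIXEDFILEINFO: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    sig, _struc, ms, ls = struct.unpack_from("<IIII", ctypes.string_at(ptr.value, 16))
    if sig != 0xFEEF04BD:
        return None
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def audit(paths):
    """Return [(path, version_or_None, verdict)] for each component found."""
    report = []
    for path in find_components(paths):
        version = file_version(path)
        if ntpath.basename(path).lower() == "winrar.exe":
            if version is None:
                verdict = "unknown-version"
            else:
                verdict = "patched" if winrar_is_patched(version) else "UPDATE-REQUIRED"
        else:
            verdict = "review-against-vendor-advisory"
        report.append((path, version, verdict))
    return report


if __name__ == "__main__":
    roots = sys.argv[1:] or [os.environ.get("ProgramFiles", "C:\\Program Files")]  # assumed default
    for path, version, verdict in audit(walk_files(roots)):
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{verdict:32} {shown:12} {path}")
```

Pass the directories where third-party software is installed as arguments (for example the program and data folders an application suite uses); bundled UnRAR.dll copies frequently live outside `Program Files\WinRAR`, which is the point of the walk. The `(major, minor)` comparison treats WinRAR's two-digit minors as integers, so 7.01 sorts below 7.10 and 7.13 as the vendor's numbering intends.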

The rapid weaponization of this vulnerability by multiple threat actors demonstrates the critical importance of maintaining current software versions, particularly for widely deployed utilities like WinRAR that handle potentially malicious user content.
