Валентин Шнайдер
Hot News
12 August 2025, 14:40
Russian hacking group RomCom exploited new vulnerability in WinRAR to attack companies around the world
A zero-day vulnerability (CVE-2025-8088) has been discovered in the popular archiver WinRAR, which is already being actively used by the pro-Russian group RomCom for cyberattacks on international enterprises.
According to The Cyber Express, the vulnerability is a path traversal that abuses Windows Alternate Data Streams (ADS), which lets malicious files be hidden inside seemingly harmless RAR archives. Victims receive archives that purport to contain résumés or official documents, and once the archive is unpacked the malicious code is launched without any warning.
RomCom, also known as Storm-0978, UNC2596, or Tropical Scorpius, has exploited zero-days before: it previously abused a vulnerability in Microsoft Word (CVE-2023-36884) and an attack chain through Firefox and Windows (CVE-2024-9680, CVE-2024-49039). The current campaign targets financial, manufacturing, defense, and logistics companies in Europe and Canada.
ESET researchers, who were the first to report CVE-2025-8088, found that the malicious archives contained ADS entries with nested paths that place a DLL in %TEMP% and a .LNK file in the Windows Startup folder, giving the malware persistence via COM hijacking.
WinRAR released a fix on July 30, so users are advised to update to version 7.13 or later, to monitor unpacking processes, and to apply additional checks to suspicious attachments, especially those related to job vacancies.
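One way to screen an incoming archive's listing for the ADS path-traversal pattern described above, as an added example that is not part of the original article or of ESET's research: it assumes the caller has already obtained the archive's entry names as strings (for instance from an archive listing tool), and the sample listing is constructed for illustration.

```python
"""Screen archive entry names for the ADS path-traversal pattern described above.
Added example (not ESET's or WinRAR's code); SAMPLE_ENTRIES is a constructed listing."""
import re

HIGH_RISK_EXT = (".dll", ".lnk", ".exe", ".cpl", ".scr")
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.I)

SAMPLE_ENTRIES = [  # constructed listing: two benign names, two traversal streams
    "CV_2025.pdf",
    "CV_2025.pdf:Zone.Identifier",
    "CV_2025.pdf:..\\..\\..\\AppData\\Local\\Temp\\helper.dll",
    "CV_2025.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
]

def split_ads(entry):
    """(file, stream) for 'file:stream'; a colon cannot appear in a plain NTFS name."""
    return tuple(entry.split(":", 1)) if ":" in entry else (entry, None)

def escapes_extraction_dir(path):
    """True if the path is absolute or climbs above the extraction directory."""
    parts = path.replace("/", "\\").split("\\")
    if parts[0] == "" or re.match(r"^[A-Za-z]:$", parts[0]):
        return True
    depth = 0
    for part in parts:
        depth += -1 if part == ".." else (part not in ("", "."))
        if depth < 0:
            return True
    return False

def assess_entry(entry):
    """Risk indicators for one entry name; the ADS stream name is the real target."""
    base, stream = split_ads(entry)
    target = base if stream is None else stream
    reasons = ["ads-stream"] if stream is not None else []
    if escapes_extraction_dir(target):
        reasons.append("path-traversal")
    if target.lower().endswith(HIGH_RISK_EXT):
        reasons.append("executable-target")
    if STARTUP_RE.search(target):
        reasons.append("startup-folder")
    return reasons

def scan_listing(entries):
    """Entries to quarantine: any traversal, or an ADS that carries a payload."""
    hits = {}
    for entry in entries:
        reasons = assess_entry(entry)
        if "path-traversal" in reasons or {"ads-stream", "executable-target"} <= set(reasons):
            hits[entry] = reasons
    return hits
```

A benign Zone.Identifier stream is reported as an ADS but not quarantined, so the rule keys on the stream's target path rather than on the mere presence of a stream.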
Experts warn that common utilities like WinRAR can become powerful tools for espionage operations. In the case of RomCom, this is further evidence that the group has made the use of zero-days a key part of its strategy.
We also previously wrote about how CERT-UA reports new cyberattacks: hackers targeted forestry and forensic institutions and factories. The UAC-0099 criminal hacker group, which gained access to several dozen computers in Ukraine during 2022–2023, is once again carrying out cyberattacks.