
Recent discovery of WinRAR exploit ties to Russian hacking collective, potentially installing backdoor malware - zero-day vulnerability calls for manual update to rectify issue

The critical WinRAR vulnerability tracked as CVE-2025-8088 has been addressed in version 7.13 of the software, which users must install by hand.


A Russian cybercrime group known as RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596) is actively exploiting a zero-day vulnerability in WinRAR, tracked as CVE-2025-8088. The recently discovered flaw is being used in targeted attacks, primarily against entities in Europe and Canada, and the campaign may expand to other regions.

The group sends spear-phishing emails carrying RAR archives crafted to exploit this directory traversal flaw. When a vulnerable WinRAR version extracts such an archive, the archive's own path data causes an executable to be written into the Windows Startup folder, so it runs automatically at the next logon. The backdoor installed this way gives the attackers remote code execution and, with it, a foothold for remote control, credential theft, lateral movement, and potential ransomware deployment.

This exploitation of CVE-2025-8088 marks a shift in RomCom's operations towards espionage, focusing on intelligence collection aligned with Russian geopolitical interests. This campaign is consistent with RomCom's history of using zero-day exploits, including past vulnerabilities in Microsoft Word, Firefox, and Windows components.

The infection chain typically proceeds in four stages:

  1. Initial access through a targeted spear-phishing email carrying a malicious RAR file.
  2. Exploitation via directory traversal during RAR extraction.
  3. Payload execution, which installs the backdoor.
  4. Persistence and post-compromise activity: downloading additional modules, credential theft, exfiltration of sensitive files, lateral movement across the network, and data destruction or ransomware extortion.

ESET researchers have attributed the exploitation of CVE-2025-8088 to RomCom with high confidence, based on tactics, targets, malware signatures, and infrastructure. Other threat actors are also exploiting the vulnerability, including a separate campaign independently discovered by the Russian cybersecurity firm BI.ZONE that targeted Russian organizations via spear-phishing.

The WinRAR maintainers have released a patched build. Because WinRAR has no automatic update mechanism, users are strongly advised to manually download and install the latest version (7.13), which addresses both CVE-2025-8088 and an earlier vulnerability, CVE-2025-6218, discovered in June.

The vulnerability does not affect the Unix versions of RAR and UnRAR, the portable UnRAR source code, the UnRAR library, or RAR for Android. On Windows, however, a specially crafted archive can trick WinRAR into writing a file to a path defined inside the archive instead of the extraction path the user specified, which is how the backdoor lands in the Startup folder of a Windows PC.
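The flaw described above is an instance of a general archive-extraction bug: an entry name supplied by the archive is trusted when building the output path. The following Python script is an added illustration of the defensive check an extractor (or an analyst triaging a suspicious archive) should apply; it is not WinRAR's code and does not parse the RAR format. It uses Python's `ntpath` module so Windows path semantics apply even on a Linux analysis host, and the destination directory and entry names are constructed sample values.

```python
import ntpath

# Destination directory the user chose for extraction (constructed example value).
DEST_DIR = r"C:\Users\victim\Downloads\invoice"

# Constructed sample entry names, mixing benign entries with the shapes an
# extractor must refuse: parent-directory traversal and absolute locations.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/chart.png",
    "docs\\..\\notes.txt",
    "..\\sibling.txt",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Windows\\Temp\\dropper.exe",
    "\\\\fileserver\\share\\payload.dll",
    "/rooted/path.txt",
]


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Return the absolute Windows path an archive entry may be written to.

    Raises ValueError if the entry name, once joined to dest_dir and
    normalised, would land anywhere outside dest_dir. The archive's own
    path data is never allowed to override the user-chosen directory.
    """
    if not entry_name or "\x00" in entry_name:
        raise ValueError("empty or NUL-containing entry name")

    # A drive letter, UNC prefix or leading separator means the entry names an
    # absolute location rather than a file relative to the destination.
    drive, tail = ntpath.splitdrive(entry_name)
    if drive or ntpath.isabs(entry_name) or tail[:1] in ("\\", "/"):
        raise ValueError(f"absolute entry name: {entry_name!r}")

    dest = ntpath.normpath(dest_dir)
    if not ntpath.splitdrive(dest)[0]:
        raise ValueError("destination directory must be an absolute drive path")

    # normpath collapses '..' and '.' components and unifies '/' to '\\',
    # so the comparison below sees the path that would actually be written.
    target = ntpath.normpath(ntpath.join(dest, entry_name))

    # commonpath compares case-insensitively, matching NTFS defaults.
    if target == dest or ntpath.commonpath([dest, target]) != dest:
        raise ValueError(f"entry escapes destination: {entry_name!r} -> {target}")
    return target


def audit_entries(dest_dir: str, entry_names: list[str]) -> dict[str, tuple[str, str]]:
    """Map each entry name to ('ok', resolved path) or ('rejected', reason)."""
    report: dict[str, tuple[str, str]] = {}
    for name in entry_names:
        try:
            report[name] = ("ok", resolve_entry(dest_dir, name))
        except ValueError as exc:
            report[name] = ("rejected", str(exc))
    return report


if __name__ == "__main__":
    for name, (status, detail) in audit_entries(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{status:8} {name!r} -> {detail}")
```

Note that `docs\..\notes.txt` is accepted because after normalisation it still resolves inside the destination; the decision is made on the final resolved path, not on the presence of `..` in the raw name, which is what lets the check handle both traversal and absolute-path entries uniformly.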

RomCom, which is linked to Russia, has primarily targeted entities in Ukraine but has recently broadened its scope to organizations and audiences in the U.S. and Europe, including those connected to Ukraine-related humanitarian efforts. The active exploitation of CVE-2025-8088 underscores the importance of staying vigilant and keeping software up to date.


  1. RomCom's exploitation of CVE-2025-8088 is a major concern for the technology industry, as it highlights the ongoing threat posed by cybercrime groups.
  2. Staying current with security patches, such as the WinRAR 7.13 update for CVE-2025-8088, is essential to fending off such attacks.
