Russia’s RomCom among those exploiting a WinRAR 0-day in highly-targeted attacks
Russia-linked attackers found and exploited a high-severity WinRAR vulnerability before the maintainers of the Windows file archiver issued a fix.
The bug, tracked as CVE-2025-8088, is a path-traversal flaw that affects the Windows version of the decompression tool. It received an 8.4 CVSS rating and, according to WinRAR, has been patched in the newest version, 7.13, released on July 31.
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” according to the security advisory.
So if you haven’t already: update now, and check for these indicators of compromise because RomCom found and exploited the bug as a zero-day.
ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek discovered and reported the vulnerability, and told The Register that the Russia-aligned crew plus at least one other criminal group began abusing the security hole prior to the patch.
“Most RomCom-related activity occurred between July 18 and July 21,” ESET senior malware researcher Anton Cherepanov told The Register, noting that the team hasn’t observed any similar exploitation since then.
These RomCom exploits were very targeted attacks against financial, manufacturing, defense, and logistics companies in Europe and Canada, used in spearphishing campaigns disguised as job application documents. “According to ESET telemetry, there were approximately a dozen potential victims,” Cherepanov said.
While RomCom didn’t manage to compromise its intended targets, ESET reports, at least one other gang, Paper Werewolf, also exploited CVE‑2025‑8088 around the same time, according to Russian cybersecurity company BI.ZONE. It’s unclear how many of these attempts were successful.
Plus, “it’s important to note that now that information about this vulnerability is publicly available, it’s highly likely that other threat actors may adopt the same exploit,” Cherepanov said.
And as BI.ZONE noted: at the end of June a miscreant who goes by “zeroplayer” posted an ad for a working WinRAR zero-day exploit for $80,000 on a cybercrime forum.
“This suggests that [CVE‑2025‑8088] may be related to this exploit,” the Russian researchers wrote. “It is possible that the Paper Werewolf group acquired it and modified it to carry out their attacks.”
ESET originally discovered the vuln after coming across a malicious DLL named msedge.dll in a RAR archive containing unusual paths. Upon further inspection, the threat hunters found that the attackers were exploiting a previously unknown WinRAR bug.
“CVE-2025-8088 uses alternate data streams (ADSes) for path traversal,” the ESET trio wrote in a Monday report, noting that the Zero Day Initiative reported a similar WinRAR path traversal vulnerability (CVE‑2025‑6218) on July 19.
The attacks begin with a phishing email that looks like a job application and contains a CV that appears to be benign. However, this file also carries many malicious ADSes, all hidden from the victim, to increase the criminals’ chances of a successful compromise.
Once the victim opens the CV, however, WinRAR unpacks it along with all its ADSes. It also deploys a malicious LNK file into the Windows startup directory to achieve persistence via execution on user login.
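The abuse described above hinges on an archive entry naming an alternate data stream whose name, once WinRAR honours it, points somewhere other than the directory the user chose. A defender triaging suspicious archives can apply the same logic in reverse: list the entry names and flag any whose base path or stream name would resolve outside the extraction directory. The following script is an added example written for this article, not ESET's tooling or WinRAR's code. It works on a constructed list of entry names rather than a real RAR file, so it needs neither an archive nor the unrar binary, and it uses ntpath so that Windows path semantics apply on any operating system. The destination path and the sample entry names are assumptions made up for the demonstration.

```python
"""Flag archive entry names that use ADS syntax or '..' to escape the extraction directory.

Added example (not ESET's or WinRAR's code). Input is a constructed list of entry
names; ntpath gives Windows path rules regardless of the host OS.
"""
import ntpath
import re

# A '..' path component bounded by a separator or string end (both slash styles).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def split_ads(name):
    """Split 'file:stream' into (base_path, stream_name); stream_name is None without ADS syntax.

    The colon at index 1 of a drive-letter path (C:\\...) is not a stream separator,
    so the search for ':' starts at index 2.
    """
    idx = name.find(":", 2)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def resolves_inside(dest_root, relative):
    """True if dest_root joined with `relative` normalises to a path strictly under dest_root.

    dest_root must be an absolute Windows path. Absolute or rooted `relative`
    values replace the root during join and are therefore rejected.
    """
    root = ntpath.normpath(dest_root).lower()
    target = ntpath.normpath(ntpath.join(root, relative)).lower()
    return target.startswith(root + "\\")


def check_entry(dest_root, entry_name):
    """Return a list of findings for one entry name; an empty list means nothing suspicious."""
    base, stream = split_ads(entry_name)
    findings = []
    if TRAVERSAL.search(base) or not resolves_inside(dest_root, base):
        findings.append("base path escapes destination")
    if stream is not None:
        # Ordinary streams (e.g. Zone.Identifier) are reported as low severity only.
        findings.append("alternate data stream")
        if TRAVERSAL.search(stream) or (stream and not resolves_inside(dest_root, stream)):
            findings.append("stream name resolves outside destination")
    return findings


def scan_listing(dest_root, entries):
    """Map each entry with findings to its list of findings; clean entries are omitted."""
    report = {}
    for entry in entries:
        findings = check_entry(dest_root, entry)
        if findings:
            report[entry] = findings
    return report


# Constructed sample: an assumed extraction directory and a made-up archive listing.
DEST = "C:\\Users\\victim\\Downloads\\cv"
SAMPLE_ENTRIES = [
    "CV_John_Doe.pdf",                                  # benign document
    "CV_John_Doe.pdf:Zone.Identifier",                  # ordinary ADS, no traversal
    "CV_John_Doe.pdf:..\\..\\Startup\\Updater.lnk",     # stream name climbs out of DEST
    "CV_John_Doe.pdf:..\\..\\..\\Startup\\Updater.lnk", # same, one level deeper
    "..\\..\\msedge.dll",                               # plain traversal in the base path
    "C:\\Windows\\Temp\\msedge.dll",                    # absolute path ignores DEST
]

if __name__ == "__main__":
    for entry, findings in scan_listing(DEST, SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(findings)}")
```

The check deliberately treats a plain `Zone.Identifier` stream as a low-severity observation rather than an alert, because archives created on Windows can legitimately carry that stream; the alert condition is a stream or base name that, after normalisation, no longer sits under the chosen extraction directory.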
RomCom backdoors
The RAR files always contain two malicious files: the LNK file and a DLL or EXE, and some of them also contain various RomCom backdoors including a SnipBot variant, RustyClaw, and Mythic agent.
The Mythic agent attack chain contains a hardcoded domain name of the target. The malicious DLL file that decrypts and executes the shellcode also retrieves the domain name for the current machine, which includes the company name. If this doesn’t match the hardcoded name of the target organization, the malware exits.
“This means that the attackers had conducted reconnaissance beforehand, confirming that this email was highly targeted,” the ESET team noted.
The second execution chain contains a variant of SnipBot, which Palo Alto Networks’ Unit 42 previously attributed to RomCom. The malicious executable, ApbxHelper.exe, is a modified version of PuTTY CAC (a fork of PuTTY), and is signed with an invalid code-signing certificate.
This one also uses an interesting anti-analysis technique: it only executes the shellcode if the computer has recently opened at least 69 documents, to ensure that the malware doesn’t run in an empty virtual machine or sandbox.
ESET researchers also spotted an identical executable, ApbxHelper.exe, within Adverse_Effect_Medical_Records_2025.rar, uploaded to VirusTotal from Germany. “This archive also exploits the CVE-2025-8088 vulnerability,” the trio wrote.
In the third case, the malicious LNK file runs a downloader named RustyClaw. It’s written in Rust and Cisco Talos previously attributed it to RomCom.
RustyClaw downloads and executes another payload that partially matches the analysis of MeltingClaw by Proofpoint. MeltingClaw is also linked to RomCom.
According to ESET, this is at least the third time that RomCom has exploited a zero-day. This includes CVE-2023-36884, a remote code execution (RCE) bug in Microsoft Word; CVE‑2024‑9680 chained with another previously-unknown vulnerability in Windows; and CVE‑2024‑49039, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser, which also leads to arbitrary code execution.
Plus, RomCom isn’t the only Russia-linked crew to abuse WinRAR holes. Fancy Bear, the GRU cyber-espionage crew, previously exploited CVE-2023-38831 for large-scale phishing campaigns against high-value targets including government, defense, and aerospace agencies in the US and Europe. ®