WinRAR Zero-Day Flaw Exploited by RomCom Hackers in Phishing Attacks

A recently fixed WinRAR vulnerability, tracked as CVE-2025-8088, has been exploited as a zero-day in phishing attacks to install the RomCom malware. The flaw is a directory traversal vulnerability that allows specially crafted archives to extract files into a file path selected by the attacker.

The Vulnerability

The WinRAR 7.13 changelog reveals that this flaw can be exploited by tricking previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll into using a path defined in a specially crafted archive instead of the user-specified path.

Using this vulnerability, attackers can create archives that extract executables into autorun paths, such as the Windows Startup folder. Because an executable placed there runs automatically the next time the user logs in, this gives the attacker remote code execution.
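The root cause described above is an extractor honouring an archive-supplied path instead of the user-chosen destination. As an added example (not code from WinRAR, ESET or the article), the check below resolves each entry name with Windows path semantics and rejects anything that would land outside the destination folder; the entry names and destination path are constructed samples.

```python
import ntpath
from typing import Optional

# Constructed sample of entry names an extractor might read from an archive
# (illustrative only, not taken from any real malicious archive).
SAMPLE_ENTRIES = [
    "report\\summary.docx",
    "docs/../notes.txt",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Users\\Public\\payload.exe",
    "\\\\fileserver\\share\\tool.exe",
    "\\Windows\\Temp\\x.exe",
]


def resolve_entry(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute path a Windows extractor would write for this entry,
    or None if the entry must be rejected. Uses ntpath so the Windows rules
    apply no matter which host runs the check."""
    name = entry_name.replace("/", "\\")          # Windows accepts both separators
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):            # drive letter, UNC path or root-relative
        return None
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))   # collapses '..' segments
    # The only acceptable outcome is a path strictly inside the chosen folder.
    if ntpath.normcase(target).startswith(ntpath.normcase(dest) + "\\"):
        return target
    return None


def triage_entries(dest_dir: str, entries: list) -> dict:
    """Map each entry name to 'ok' or the reason it would be blocked."""
    verdicts = {}
    for name in entries:
        normalized = name.replace("/", "\\")
        if resolve_entry(dest_dir, name) is not None:
            verdicts[name] = "ok"
        elif ntpath.splitdrive(normalized)[0]:
            verdicts[name] = "absolute or UNC path"
        elif normalized.startswith("\\"):
            verdicts[name] = "root-relative path"
        else:
            verdicts[name] = "escapes destination directory"
    return verdicts


if __name__ == "__main__":
    for entry, verdict in triage_entries("C:\\Users\\alice\\Downloads\\out", SAMPLE_ENTRIES).items():
        print(f"{verdict:30} {entry}")
```

Note that `docs/../notes.txt` is accepted: a `..` segment is only a problem when the resolved path leaves the destination, which is exactly what the containment test measures.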

The Threat

WinRAR does not include an auto-update feature, making it essential for users to manually download and install the latest version from win-rar.com. This ensures they are protected from this vulnerability.

According to ESET researchers, Anton Cherepanov, Peter Košinár, and Peter Strýček, the flaw was actively exploited in phishing attacks to install malware. Spearphishing emails with attachments containing RAR files were sent to unsuspecting users, exploiting the CVE-2025-8088 vulnerability.

The Malware Behind the Attack

The RomCom backdoors delivered through these phishing attacks are linked to a Russian hacking group known as RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596). This group is notorious for its use of zero-day vulnerabilities in attacks and custom malware.

RomCom has previously been associated with ransomware operations, data-theft extortion attacks, and campaigns focused on stealing credentials. The malware it deploys is designed to establish persistence and act as a backdoor.

ESET's Response

Anton Strýček from ESET told BleepingComputer that the researchers have observed spearphishing emails with attachments containing RAR files, which were actively exploited to deliver RomCom backdoors.

The ESET team is working on a report regarding this exploitation, which will be published at a later date. In the meantime, users are advised to manually download and install the latest version of WinRAR from win-rar.com to protect themselves against this vulnerability.

Stay Safe Online

The recent exploit of the WinRAR zero-day flaw by RomCom hackers in phishing attacks serves as a reminder to be cautious when opening emails with attachments, especially those from unknown senders. Stay informed and keep your software up-to-date to protect yourself against such threats.