Phishing Attacks Exploit WinRAR Flaw CVE-2025-8088 to Install RomCom
A devastating new vulnerability has been discovered in the popular file archiver WinRAR, and attackers have exploited it in a series of phishing attacks to deliver the notorious RomCom malware. The flaw, tracked as CVE-2025-8088, is a directory traversal bug that was fixed in WinRAR version 7.13.
ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček first reported the vulnerability to Bleeping Computer. According to these experts, the flaw lets attackers execute arbitrary code by crafting malicious archive files that are then opened with WinRAR, which gives them a pathway for delivering RomCom malware.
CVE-2025-8088 is a path traversal bug affecting the Windows version of WinRAR: a crafted archive can place executables in the Windows Startup folder instead of the folder the user chose for extraction. When those executables run at the next login, they give the attacker remote code execution, making it easier to compromise the system.
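As an added example (not code from ESET, WinRAR or the article), the following pre-extraction check illustrates the bug class described above: it resolves each archive entry name the way a naive Windows extractor would and flags any entry that would land outside the chosen extraction directory, calling out the Startup-folder case specifically. The extraction root and entry names are constructed sample values, and Windows path semantics are simulated with `ntpath` so the check runs on any OS.

```python
import ntpath

# Per-user Startup folder suffix under %APPDATA% (real Windows location, used
# here only as a marker for the worst case; any escape from the root is unsafe).
STARTUP_SUFFIX = ntpath.normcase(r"\Microsoft\Windows\Start Menu\Programs\Startup")


def resolve_entry(extract_root: str, entry: str) -> str:
    """Path an extractor that trusts the entry name would write to.

    ntpath.join drops extract_root when the entry is absolute or carries a
    drive letter, and normpath collapses '..' segments; both effects are
    exactly what the check below needs to observe rather than hide.
    """
    if not ntpath.isabs(extract_root):
        raise ValueError("extract_root must be an absolute Windows path")
    root = ntpath.normpath(extract_root)
    return ntpath.normpath(ntpath.join(root, entry))


def check_entry(extract_root: str, entry: str) -> tuple[bool, str]:
    """Return (safe, reason) for one archive entry name."""
    root = ntpath.normpath(extract_root)
    target = resolve_entry(root, entry)
    try:
        inside = ntpath.commonpath([root, target]).lower() == root.lower()
    except ValueError:  # different drive letters, or drive-less absolute path
        inside = False
    if inside:
        return True, "stays within extraction directory"
    if ntpath.normcase(ntpath.dirname(target)).endswith(STARTUP_SUFFIX):
        return False, "resolves into a Startup folder (runs at next logon)"
    return False, "escapes extraction directory: " + target


def triage_archive(extract_root: str, entries: list[str]) -> list[str]:
    """Names of entries that must not be extracted as-is."""
    return [e for e in entries if not check_entry(extract_root, e)[0]]


if __name__ == "__main__":
    # Constructed sample: a benign document beside a traversal entry.
    root = r"C:\Users\bob\Downloads\report"
    sample = [
        r"docs\summary.pdf",
        r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    ]
    for name in sample:
        print(name, "->", check_entry(root, name))
```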
How Attackers Exploit the Vulnerability
"ESET has observed spear-phishing emails with attachments containing RAR files," said Peter Strýček, an ESET researcher. These archives exploited CVE-2025-8088 to deliver RomCom backdoors. The attackers used spear-phishing tactics, sending targeted emails with malicious attachments to specific users.
Researchers believe that the threat actor behind RomCom is a Russia-linked cyberespionage group that has previously carried out ransomware and data-theft extortion attacks. This latest exploit follows the use of two Firefox and Tor Browser zero-day vulnerabilities in attacks on users across Europe and North America at the end of 2024.
The RomCom Malware
RomCom, also known as UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180 and UNC2596, is a highly advanced piece of malware that has been linked to several high-profile attacks in the past.
This malware has been used for ransomware and data-theft extortion attacks. Its sophisticated nature makes it difficult to detect and remove from infected systems.