Russian 'RomCom' Hackers Exploit WinRAR Flaw Via Phishing Emails
Security researchers at ESET have sounded the alarm about a new vulnerability in WinRAR, a popular file archiver used by millions of users worldwide. The bug, tracked as CVE-2025-8088, was quietly patched on July 30 with version 7.13 of WinRAR, but Russian hackers from a group known as RomCom began exploiting it through phishing emails starting from Friday.
According to ESET, the hackers are using a sophisticated phishing campaign to trick companies in Europe and Canada into opening booby-trapped archives containing malicious files. The emails appear to come from interested job applicants and contain a resume inside an attached RAR archive. On closer inspection, however, the archive also carries hidden malware, and it is crafted so that WinRAR writes those files to a destination on the PC chosen by the attacker rather than by the user.
The vulnerability allows hackers to create a malicious archive that can automatically extract files to the Windows startup directory, causing a PC to immediately run them upon startup. This can lead to the installation of backdoors that can be used to secretly steal data from an infected computer.
How Does It Work?
In normal circumstances, WinRAR extracts files from an archive to a user-selected destination. However, ESET researchers discovered that the Russian hackers are exploiting a bug in WinRAR that causes it to extract files to a hacker-selected destination on the PC. Specifically, RomCom's booby-trapped archives can extract hidden malicious files to the Windows startup directory, causing a PC to immediately run them upon startup.
The installed backdoors can then be used to secretly steal data from an infected computer. To achieve this, the hackers use phishing emails that pretend to come from interested job applicants and contain attached resumes inside the malicious RAR archive.
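The defensive takeaway from the mechanism above is that an archive entry should never be allowed to land outside the folder the user picked, and a write into a Windows Startup folder is a red flag on its own. The following is an added example, not code from the article or from WinRAR: a small Python audit that models a naive extractor, resolves where each archive entry would be written, and flags entries that escape the destination or target a Startup folder. The destination path, the entry names and the function names are all constructed for the example; the script does not parse RAR files itself and does not reproduce the specific parsing flaw behind CVE-2025-8088, which the article does not describe.

```python
import ntpath

# Constructed sample of archive entry names, modelled on what a mail gateway
# or sandbox would see when listing a RAR attachment. These names are
# invented for the example and are not taken from any real RomCom sample.
SAMPLE_ENTRIES = [
    "resume.pdf",
    "docs\\cover_letter.docx",
    "..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
    "C:\\Users\\Public\\helper.exe",
]

# Lower-cased path fragment shared by the per-user Startup folder
# (...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) and the
# all-users one (...\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup).
# Anything written there runs at the next logon.
STARTUP_MARKERS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
)


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Absolute path the entry would land at if an extractor wrote it naively.

    A plain entry name is joined onto the user-chosen destination; an entry
    carrying a drive letter or a leading separator is taken as-is. normpath
    then collapses any '..' components, which is what turns a traversal
    entry into a write outside the destination.
    """
    if ntpath.isabs(entry_name) or ntpath.splitdrive(entry_name)[0]:
        candidate = entry_name
    else:
        candidate = ntpath.join(dest_dir, entry_name)
    return ntpath.normpath(candidate)


def escapes_destination(dest_dir: str, entry_name: str) -> bool:
    """True when the entry would be written outside dest_dir."""
    base = ntpath.normpath(dest_dir).lower().rstrip("\\")
    resolved = resolve_entry(dest_dir, entry_name).lower()
    return not (resolved == base or resolved.startswith(base + "\\"))


def lands_in_startup(dest_dir: str, entry_name: str) -> bool:
    """True when the entry would be written into a Windows Startup folder."""
    resolved = resolve_entry(dest_dir, entry_name).lower()
    return any(marker in resolved for marker in STARTUP_MARKERS)


def audit_archive(dest_dir: str, entries) -> list:
    """Return [(entry_name, [reasons])] for every entry that should be blocked."""
    findings = []
    for name in entries:
        reasons = []
        if escapes_destination(dest_dir, name):
            reasons.append("escapes destination directory")
        if lands_in_startup(dest_dir, name):
            reasons.append("targets Startup folder")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    dest = "C:\\Users\\alice\\Downloads"  # constructed extraction destination
    for name, reasons in audit_archive(dest, SAMPLE_ENTRIES):
        print(f"BLOCK {name!r}: {', '.join(reasons)}")
```

The containment check is the one an archiver should apply before every write; the Startup check is an extra, cheaper signal for gateways and sandboxes that only see the entry listing. Both are deliberately case-insensitive because NTFS paths are.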
Targeted Companies
ESET reports that the phishing email campaign targeted financial, manufacturing, defense, and logistics companies in Europe and Canada between July 18 and 21. According to ESET telemetry, none of the targets were compromised during this period. However, it is clear that the hackers had conducted reconnaissance beforehand, making their emails highly targeted.
Successful exploitation attempts delivered various backdoors used by the RomCom group: specifically, a SnipBot variant, RustyClaw, and the Mythic agent. These backdoors can be used to gain remote access to infected computers and steal sensitive data.
Patch Availability
WinRAR patched the vulnerability with version 7.13 on July 30. However, there is a catch: WinRAR has no auto-update mechanism, so users must manually install the new version to protect themselves from the flaw.
ESET reported the threat to WinRAR on July 18, leading the software's developer to roll out the patch in version 7.13. Users are urged to update as soon as possible to avoid falling victim to this exploit.
Other Threat Actors
In a disturbing finding, ESET revealed that another threat actor, known as Paper Werewolf, had also begun exploiting the CVE-2025-8088 vulnerability in phishing emails. These emails pretended to come from a Russian research institute and targeted companies with similar interests.
This second threat actor began exploiting the flaw just a few days after RomCom started doing so, highlighting the widespread nature of this security issue.