WinRAR Zero-Day Exploited By Russian-State Sponsored Threat Actor

According to a new report published by ESET, WinRAR, a popular file-archiving utility, was recently found to contain a serious zero-day vulnerability that allowed attackers to infect computers with malware through seemingly harmless archives. ESET's researchers uncovered active exploitation of this flaw by the Russian state-sponsored group known as RomCom.

WinRAR Zero-Day Exploited By Russian-State Sponsored Threat Actor

Security researchers at ESET discovered on July 18, 2025, that WinRAR contained a previously unknown path-traversal zero-day vulnerability, now tracked as CVE-2025-8088. The flaw abused Windows-specific archive handling: attackers could embed alternate data streams (ADS) within RAR files, misleading WinRAR into placing files in arbitrary system locations during extraction.

Specifically, malicious archives tricked WinRAR into dropping executable files into Windows Startup folders, such as:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user-level)
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)

When the system next booted or the user logged in, those executables ran automatically, giving attackers remote control. WinRAR fixed the flaw in version 7.13, released on July 30, 2025, but only a manual update can protect users, as WinRAR currently has no auto-update mechanism.

ESET researchers observed RomCom using this zero-day in spear-phishing campaigns. Emails crafted as job applications or CVs carried RAR attachments that exploited the vulnerability; when recipients extracted the archives, a backdoor was planted on their computers. These campaigns targeted financial, manufacturing, defense, and logistics companies across Europe and Canada. ESET noted that none of the observed targets were compromised in the reported instances, though the threat remained high.

RomCom, also tracked as Storm-0978, Tropical Scorpius, or UNC2596, is a sophisticated Russian-aligned hacking group that combines espionage with financially motivated operations. It has previously exploited zero-day vulnerabilities in Firefox, Tor Browser, and Microsoft Office. This marks yet another significant exploit used by the group.

RomCom's Techniques and Tool Set

Cisco Talos reported that the threat actor RomCom mounted a new series of cyberattacks against Ukrainian government entities and, likely, Polish targets starting in at least 2023. The group deployed an evolved version of its Remote Access Trojan (RAT), dubbed SingleCamper, which loads directly from the Windows registry into memory and communicates via a loopback address, enhancing stealth.

To deliver SingleCamper, UAT-5647 (Talos's designation for RomCom) employs two downloaders, RustClaw (written in Rust) and MeltingClaw (written in C++), each designed to deploy a specific backdoor. These backdoors are DustyHammock (Rust-based) and ShadyHammock (C++-based). DustyHammock serves as the main implant for command-and-control (C2) communications, while ShadyHammock orchestrates the loading and activation of SingleCamper on compromised systems.

Previously, RomCom was seen deploying another custom RAT, dubbed RomCom RAT by K7 Labs. The RAT is a particularly deceptive piece of malware that attackers deliver as counterfeit versions of trusted applications. The sample under investigation carried a digital signature from a firm named "Noray Consulting Ltd.", which turned out to be fake, supported by a bogus LinkedIn profile and website. Once executed, the malicious installer dropped payloads into the C:\Users\Public\Libraries directory.

The RomCom RAT employed VMProtect to obfuscate its DLLs, making analysis more difficult. It also used a range of anti-debugging techniques, including checks against debuggers, CPU features, locale settings (notably terminating in Chinese, Japanese, or Korean environments), and encryption routines to hide static data such as URLs, registry values, filenames, and C2 addresses like "startleauge[.]net." The RAT used WinHttp APIs to pull down files from command-and-control servers and executed routines to search for active RDP sessions and enumerate running processes and files, enabling remote access and surveillance of the infected system.

K7 Labs emphasizes that RomCom's stealth and sophistication make it a significant threat. It layers encryption, environment checks, anti-debug defenses, and dynamic C2 communication to evade detection and maintain persistence. Further, RomCom continues to showcase a dual-purpose strategy, prioritizing long-term access for espionage, such as data exfiltration, while retaining the capacity to deploy ransomware later.

The group has significantly expanded its malware toolkit, incorporating components written in Go, C++, Rust, and Lua to increase flexibility and evade detection. In one particular tactic, it has tunneled internal network interfaces outward to attacker-controlled hosts using tools like PuTTY's Plink, thereby compromising edge devices and stealthily penetrating networks.

In order to defend against RomCom's use of the WinRAR zero day, ESET strongly advises the following actions be taken:

  • Update to WinRAR 7.13 or later immediately. A manual download is required, as no auto-update feature currently exists.
  • Avoid extracting RAR files from untrusted sources, especially those disguised as CVs or applications.
  • Maintain skepticism: phishing campaigns often use job-related lures, making them dangerous even if they look legitimate.
  • Use endpoint protection: antivirus and anti-malware tools can detect suspicious activity, such as unauthorized executables in Startup folders.
  • Educate users and IT staff on the risks of archived attachments and automatic execution.
  • Monitor extraction locations and investigate anomalies, particularly in user Startup directories.
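The last two recommendations above can be turned into a routine check. The script below is an added example, not ESET's or PCrisk's tooling: it walks the user-level and system-wide Startup folders named earlier in the article, flags any executable-looking file that is not on a local allowlist, and labels files modified within the last seven days separately, since a fresh drop right after an archive extraction is the pattern described for CVE-2025-8088. The allowlist, the seven-day window and the extension list are assumed policy values, and `demo()` builds a constructed Startup-like folder in a temporary directory so the logic can be exercised on any OS.

```python
"""Audit Windows Startup folders for unexpected executables.

Added example (not ESET's or PCrisk's code). The allowlist, the 7-day "recent"
window and the extension set are assumed policy values; the folder built by
demo() is constructed for this example.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Extensions Windows will run, or that commonly launch a payload from Startup.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".hta", ".lnk"}

STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"


def startup_folders() -> list[Path]:
    """Resolve the user-level (%APPDATA%) and system-wide (%ProgramData%) Startup folders."""
    folders = []
    for var in ("APPDATA", "ProgramData"):
        base = os.environ.get(var)
        if base:
            folders.append(Path(base) / STARTUP_SUBPATH)
    return folders


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def audit_startup(folders, allowlist=frozenset(), recent_seconds=7 * 86400, now=None):
    """Return a Finding for every executable-looking file not on `allowlist`.

    Files modified within `recent_seconds` are labelled "recent executable";
    older unexpected files are still reported as "unexpected executable".
    """
    now = time.time() if now is None else now
    findings = []
    for folder in map(Path, folders):
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if not entry.is_file() or entry.name.lower() == "desktop.ini":
                continue
            if entry.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            if entry.name.lower() in allowlist:
                continue
            age = now - entry.stat().st_mtime
            reason = "recent executable" if age <= recent_seconds else "unexpected executable"
            findings.append(Finding(str(entry), reason))
    return findings


def demo() -> list[Finding]:
    """Build a constructed Startup-like folder in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="startup-audit-"))
    (root / "readme.txt").write_text("not executable")       # ignored: not runnable
    (root / "onedrive.lnk").write_bytes(b"L")                # ignored: allowlisted
    (root / "cv_viewer.exe").write_bytes(b"MZ")              # fresh drop -> recent
    old = root / "legacy_agent.exe"                          # 30 days old -> unexpected
    old.write_bytes(b"MZ")
    stale = time.time() - 30 * 86400
    os.utime(old, (stale, stale))
    return audit_startup([root], allowlist={"onedrive.lnk"})


if __name__ == "__main__":
    results = audit_startup(startup_folders()) if os.name == "nt" else demo()
    for finding in results:
        print(f"{finding.reason}: {finding.path}")
```

Run it on a schedule and alert on any "recent executable" finding; in practice the allowlist should be built from a known-good baseline of each machine rather than typed in by hand, so that a legitimately deployed launcher does not generate noise while a new drop still stands out.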

WinRAR's CVE-2025-8088 zero-day represented a critical security hole that allowed attackers to smuggle malicious files out of the extraction folder and into arbitrary locations, an elegantly simple yet profoundly effective technique. RomCom's campaigns demonstrate how zero-day flaws make phishing exponentially more dangerous, enabling stealthy, automated compromise at scale.

Safe computing requires patched software and educated users. The absence of auto-updates in WinRAR places extra responsibility on individuals and organizations. Anyone using WinRAR on Windows should manually update to version 7.13 or later to block this path traversal vulnerability.

Users sharply reduce their risk by understanding how zero-days work, recognizing the tactics of spear-phishing campaigns, and swiftly responding to patches. This episode serves as a timely reminder that even everyday tools like file extractors can become devastating weapons in the wrong hands.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
