{"id":2230,"date":"2025-08-11T16:51:32","date_gmt":"2025-08-11T16:51:32","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/08\/11\/new-winrar-zero-day-exploited-by-romcom-hackers\/"},"modified":"2025-08-11T16:51:32","modified_gmt":"2025-08-11T16:51:32","slug":"new-winrar-zero-day-exploited-by-romcom-hackers","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/11\/new-winrar-zero-day-exploited-by-romcom-hackers\/","title":{"rendered":"New WinRAR Zero-Day Exploited by RomCom Hackers"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A newly discovered vulnerability in WinRAR has been exploited in the wild by the Russia-aligned cyber group RomCom.<\/p>\n<p>According to an advisory published by ESET researchers earlier today, the flaw, tracked as CVE-2025-8088, allows attackers to conceal malicious files in an archive that are silently deployed during extraction.<\/p>\n<p>A patch was released on July 30\u00a02025, and users are urged to upgrade immediately.<\/p>\n<h2>How the Attack Works<\/h2>\n<p>The path traversal vulnerability, enabled through alternate data streams, affects\u00a0multiple components, including WinRAR\u2019s Windows command-line utilities, UnRAR.dll and the portable UnRAR source code.<\/p>\n<p>By crafting archives to appear harmless, attackers hide malicious DLLs and LNK files that are deployed to system directories, enabling persistence and code execution.<\/p>\n<p>Between July 18 and 21, RomCom used spear-phishing emails to target financial, manufacturing, defense and logistics firms in Europe and Canada. The emails carried job application lures with RAR file attachments.<\/p>\n<p>According to ESET, no successful compromises were observed during this campaign.<\/p>\n<p><em>Read more on advanced persistent threat tactics: Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits and Wipers<\/em><\/p>\n<p>The security researchers identified three distinct attack chains:<\/p>\n<ul>\n<li>\n<p>Mythic agent: Used COM hijacking to execute a malicious DLL, which then decrypted and ran shellcode linked to a command-and-control (C2) server<\/p>\n<\/li>\n<li>\n<p>SnipBot variant: Delivered via a modified PuTTY CAC executable that only ran if the system showed signs of real-world use, such as a high number of recently opened documents<\/p>\n<\/li>\n<li>\n<p>MeltingClaw (RustyClaw): A downloader written in Rust that retrieved additional payloads from remote servers<\/p>\n<\/li>\n<\/ul>\n<p>Each chain leveraged hardcoded domain checks or anti-analysis techniques to avoid detection in test environments.<\/p>\n<h2>A Pattern of Zero-Day Exploits<\/h2>\n<p>RomCom, also known as Storm-0978, Tropical Scorpius\u00a0or UNC2596, has a history of exploiting previously unknown vulnerabilities.<\/p>\n<p>In June 2023, it abused CVE-2023-36884 in Microsoft Word, and in October 2024, it chained two vulnerabilities, including CVE-2024-9680 in Firefox, to deliver backdoors. The group engages in both financially motivated attacks and targeted espionage.<\/p>\n<p>ESET noted that another unidentified threat actor began exploiting CVE-2025-8088 shortly after RomCom. The speed of the WinRAR team\u2019s patch release, just one day after being informed, was highlighted as critical in reducing exposure.<\/p>\n<p>Security experts recommend immediate updates to WinRAR and related components to mitigate the risk from this flaw.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly discovered vulnerability in WinRAR has been exploited in the wild by the Russia-aligned cyber group RomCom. According to an advisory published by ESET researchers earlier today, the flaw, tracked as CVE-2025-8088, allows attackers to conceal malicious files in an archive that are silently deployed during extraction. A patch was released on July 30\u00a02025<\/p>\n","protected":false},"author":2,"featured_media":2231,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2230-274eeb0a-86ac-4864-a63e-5142622a949b-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2230"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2230\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2231"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2230"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}