Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild. Previous examples include the abuse of CVE-2023-36884 via Microsoft Word in June 2023, and the combined vulnerabilities assigned CVE‑2024‑9680 chained with another previously unknown vulnerability in Windows, CVE‑2024‑49039, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser, leading to arbitrary code execution in the context of the logged-in user in October 2024.

Key points of this blogpost:

• If you use WinRAR or other affected components such as the Windows versions of its command line utilities, UnRAR.dll, or the portable UnRAR source code, upgrade immediately to the latest version.
• On July 18^th, 2025, ESET researchers discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild.
• Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams. After immediate notification, WinRAR released a patched version on July 30^th, 2025.
• The vulnerability allows hiding malicious files in an archive, which are silently deployed when extracting.
• Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and Mythic agent.
• This campaign targeted financial, manufacturing, defense, and logistics companies in Europe and Canada.

RomCom profile

RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor commonly used by the group is capable of executing commands and downloading additional modules to the victim’s machine.

The discovery of CVE-2025-8088

On July 18^th, 2025, we observed a malicious DLL named msedge.dll in a RAR archive containing unusual paths that caught our attention. Upon further analysis, we found that the attackers were exploiting a previously unknown vulnerability affecting WinRAR, including the then-current version, 7.12. On July 24^th, 2025, we contacted the developer of WinRAR, and on the same day, the vulnerability was fixed and WinRAR 7.13 beta 1 published. WinRAR 7.13 was published on July 30^th, 2025. Users of WinRAR are advised to install the latest version as soon as possible to mitigate the risk. Note that software solutions relying on publicly available Windows versions of UnRAR.dll or its corresponding source code are affected as well, especially those that have not updated their dependencies.

The vulnerability, tracked as CVE-2025-8088, uses alternate data streams (ADSes) for path traversal. Note that a similar path traversal vulnerability (CVE‑2025‑6218) affecting WinRAR was disclosed on June 19^th, 2025, approximately a month earlier.

The attackers specially crafted the archive to apparently contain only one benign file (see Figure 1), while it contains many malicious ADSes (there’s no indication of them from the user’s point of view).

Once a victim opens this seemingly benign file, WinRAR unpacks it along with all its ADSes. For example, for Eli_Rosenfeld_CV2 – Copy (10).rar, a malicious DLL is deployed into %TEMP%. Likewise, a malicious LNK file is deployed into the Windows startup directory, thereby achieving persistence via execution on user login.

To ensure higher success, the attackers provided multiple ADSes with increasing depths of parent directory relative path elements (..\\). However, this introduces nonexistent paths that WinRAR visibly warns about. Interestingly, the attackers added ADSes that contain dummy data and are expected to have invalid paths. We suspect that the attackers introduced them so that the victim does not notice the suspicious DLL and LNK paths (see Figure 2). Only when scrolling down in the WinRAR user interface are the suspicious paths revealed, as seen in Figure 3.

Compromise chain

According to ESET telemetry, such archives were used in spearphishing campaigns from the 18^th to 21^st July, 2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. Table 1 contains the spearphishing emails – sender, subject, and filename of the attachment – used in the campaigns, and Figure 4 shows the message we observed in an email. In all cases, the attackers sent a CV hoping that a curious target would open it. According to ESET telemetry, none of the targets were compromised.

Table 1. Spearphishing emails observed in ESET telemetry

These RAR files always contain two malicious files: a LNK file, unpacked to the Windows startup directory, and a DLL or EXE, unpacked to either %TEMP% or %LOCALAPPDATA%. Some of the archives share the same malware. We have identified three execution chains.

Mythic agent execution chain

In the first execution chain, depicted in Figure 5, the malicious LNK file Updater.lnk adds the registry value HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 and sets it to %TEMP%\msedge.dll. This is used to trigger execution of that DLL via COM hijacking. Specifically, the CLSID corresponds to the PSFactoryBuffer object present in npmproxy.dll. As a result, any executable trying to load it (e.g., Microsoft Edge) will trigger code execution of the malicious DLL. This DLL is responsible for decrypting embedded shellcode via AES and subsequently executing it. Interestingly, it retrieves the domain name for the current machine, which typically contains the company name, and compares it with a hardcoded value, exiting if the two values do not match. This means that the attackers had conducted reconnaissance beforehand, confirming that this email was highly targeted.

The loaded shellcode appears to be a dynamichttp C2 profile for the Mythic agent having the following C&C server: https://srlaptop[.]com/s/0.7.8/clarity.js.

It comes with a standard configuration for the dynamichttp C2 profile and a custom one, which is displayed in Figure 6. Just like in the previous stage, this configuration contains a hardcoded domain name of the target.

{'disable_etw': '2', 'block_non_ms_dlls': '3', 'child_process': 'wmic.exe', 'use_winhttp': 1, 'inject_method': '1', 'dll_side': ['MsEdge', 'OneDrive'], 'domain': '[REDACTED]'}

Figure 6. Custom configuration in the Mythic execution chain

SnipBot variant execution chain

In the second execution chain, which is depicted in Figure 7, the malicious LNK file Display Settings.lnk runs %LOCALAPPDATA%\ApbxHelper.exe. It is a modified version of PuTTY CAC, which is a fork of PuTTY, and is signed with an invalid code-signing certificate. The extra code uses the filename as a key for decrypting strings and the next stage, which is shellcode. The shellcode appears to be a variant of SnipBot, malware attributed to RomCom by UNIT 42. Execution of the shellcode only proceeds if a specific registry value (68 for this sample) is present in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\ registry key (in other words, if at least 69 documents were recently opened); this is an anti-analysis technique to prevent execution in an empty virtual machine or sandbox. If at least 69 documents were recently opened, next-stage shellcode is decrypted using the registry key name (e.g., 68, but converted from string to integer), and executed, downloading yet another stage from https://campanole[.]com/TOfrPOseJKZ.

We also found an identical ApbxHelper.exe within Adverse_Effect_Medical_Records_2025.rar, uploaded to VirusTotal from Germany. This archive also exploits the CVE-2025-8088 vulnerability.

MeltingClaw execution chain

In the third execution case, which is depicted in Figure 8, the malicious LNK file Settings.lnk runs %LOCALAPPDATA%\Complaint.exe, which is RustyClaw – a downloader written in Rust previously analyzed by Talos. This sample is signed with an invalid code-signing certificate, which is different from the code-signing certificate used in the SnipBot variant. RustyClaw downloads and executes another payload, from https://melamorri[.]com/iEZGPctehTZ. This payload (SHA-1: 01D32FE88ECDEA2B934A00805E138034BF85BF83), with internal name install_module_x64.dll, partially matches the analysis of MeltingClaw by Proofpoint, a different downloader attributed to RomCom. The C&C server of the MeltingClaw sample that we observed is https://gohazeldale[.]com.

Attribution

We attribute the observed activities to RomCom with high confidence based on the targeted region, TTPs, and malware used.

This is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group performed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to the Ukrainian World Congress. The Microsoft Word document attached to the email attempted to exploit the CVE‑2023‑36884 vulnerability, as documented by the BlackBerry Threat Research and Intelligence team.

On October 8^th, 2024, the group exploited a then-unknown vulnerability in the Firefox browser. The exploit targeted a use-after-free vulnerability in Firefox Animation timelines, allowing an attacker to achieve code execution in a content process, with the objective of delivering the RomCom backdoor. The vulnerability identifier CVE‑2024‑9680 was assigned, as documented in our WeLiveSecurity blogpost.

Other activities

We are aware that this vulnerability has also been exploited by another threat actor, and was independently discovered by the Russian cybersecurity company BI.ZONE. Notably, this second threat actor began exploiting CVE‑2025‑8088 a few days after RomCom started doing so.

Conclusion

By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations. This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks. The discovered campaign targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation.

We would like to thank the WinRAR team for its cooperation and quick response, and recognize its effort in releasing a patch within just one day.

Thanks to Peter Košinár for his assistance in the analysis.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

Network

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.