
In a targeted campaign blending social engineering and software exploitation, the Russia-aligned RomCom hacking group weaponized a zero-day vulnerability in WinRAR to compromise victims through seemingly innocent archive files. Tracked as CVE-2025-8088 and patched in WinRAR 7.13, this path traversal flaw let a crafted archive write files outside the folder the user chose, so attackers could plant malware in Windows startup folders for automatic execution.

Anatomy of an Archive Ambush

The vulnerability, discovered by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček, stems from improper path validation during file extraction. Attackers crafted malicious RAR archives whose entries steered WinRAR's unpacking logic to a location of the attacker's choosing, overriding the user-specified destination. As the WinRAR 7.13 changelog puts it:

"Previous versions of WinRAR can be tricked into using a path defined in a specially crafted archive instead of the user-specified path."

This allowed RomCom to deposit executables into critical Windows autorun locations:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup  # User-specific
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp # System-wide

Upon the victim's next login, Windows launched these payloads automatically, giving the attackers persistent remote access without any further user interaction. Unix builds of RAR and UnRAR and RAR for Android are not affected.
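The mechanism above, as an added example that is not WinRAR's code: a toy extractor that trusts the archive-supplied member name (the vulnerable pattern) beside one that canonicalizes the path and refuses anything that resolves outside the destination. The destination folder, member names and the payload name `updater.exe` are constructed sample data; the Startup path is the per-user folder quoted in the article. It uses `ntpath` so the Windows path rules are reproduced on any platform.

```python
import ntpath
from typing import List, Optional, Tuple

# Constructed sample: the user extracts "invoice.rar" into this folder.
DEST = r"C:\Users\victim\Downloads\invoice"

# Constructed archive listing. Only the first two entries are legitimate;
# the rest are the kinds of names a crafted archive uses to escape DEST.
MEMBERS = [
    r"invoice.pdf",
    r"images\logo.png",
    # ..\ traversal out of DEST into the per-user Startup folder (hypothetical payload name)
    r"..\..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    # absolute path straight into the all-users Startup folder
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\updater.exe",
    # NTFS alternate data stream name; never legitimate inside an archive
    r"readme.txt:updater.exe",
]


def naive_target(dest: str, member: str) -> str:
    """Vulnerable pattern: join the archive-supplied name onto dest and go.
    ntpath.join returns the member unchanged when it is absolute, and normpath
    collapses the '..' segments, so the file lands wherever the archive says."""
    return ntpath.normpath(ntpath.join(dest, member))


def safe_target(dest: str, member: str) -> Optional[str]:
    """Hardened pattern: reject drive/ADS colons and rooted names, canonicalize,
    then require the result to stay inside dest. Returns None when refused."""
    if ":" in member:                       # drive letter (C:\...) or ADS (file:stream)
        return None
    if member.startswith(("\\", "/")):      # rooted path replaces the destination
        return None
    root = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(root, member))
    # Compare with a trailing separator so "...\invoice2\x" cannot pass as "...\invoice".
    if not target.lower().startswith(root.lower() + ntpath.sep):
        return None
    return target


def check_archive(dest: str, members: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (member, where the naive extractor writes, where the safe one writes or None)."""
    return [(m, naive_target(dest, m), safe_target(dest, m)) for m in members]


if __name__ == "__main__":
    for member, naive, safe in check_archive(DEST, MEMBERS):
        print(f"{member}\n  naive -> {naive}\n  safe  -> {safe or 'REFUSED'}")
```

The refusal list is deliberately short: anything that contains a colon, starts at the root, or does not canonicalize to a child of the destination is dropped. That is the whole check an extractor needs, and it is exactly the check whose absence the 7.13 changelog entry describes.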

The RomCom Playbook: Phishing Meets Zero-Day

ESET confirmed active exploitation in spearphishing attacks delivering RomCom backdoors. Researcher Peter Strýček stated:

"ESET observed spearphishing emails with RAR attachments exploiting CVE-2025-8088. RomCom is a Russia-aligned group known for sophisticated intrusion campaigns."

RomCom (aka Storm-0978) has a history of leveraging zero-days for ransomware deployment and data theft, with ties to the Cuba and Industrial Spy ransomware operations. Its tradecraft combines custom malware, credential harvesting, and lateral movement tooling, so a backdoor dropped via this WinRAR exploit is an initial foothold from which a much wider network compromise can follow.

The Update Imperative

WinRAR's lack of an automatic update mechanism compounds the risk: the fix only reaches a machine when someone downloads and installs the new version. With over 500 million users claimed worldwide, countless systems remain vulnerable until manually patched. Security teams should:
1. Update to WinRAR 7.13 now, and inventory installed versions rather than assuming users have done so
2. Block or quarantine RAR attachments at the email gateway where the business can tolerate it
3. Alert on file creations in either Startup folder, particularly executables written by an archive utility
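Step 3 as a concrete detection, an added example rather than anything from ESET or the WinRAR project: a small triage rule run over constructed Sysmon Event ID 11 (FileCreate) records. The record fields, the process names treated as archive utilities, the executable-extension list and the severities are assumptions for illustration; the Startup folder paths are the two named in the article.

```python
import re
from typing import Dict, List, Tuple

# Either Startup folder (per-user under %APPDATA%, all-users under %ProgramData%).
# Windows paths are case-insensitive, so the rule is too.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)

# Assumed list of archive utilities whose writes into Startup deserve the highest priority.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe", "7zfm.exe", "7zg.exe", "7z.exe"}

# Assumed list of extensions Windows will execute or follow from a Startup folder.
AUTORUN_EXT = (".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta")

# Constructed Sysmon FileCreate events reduced to the fields the rule needs.
# These are sample records, not captured telemetry.
EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2025-08-11 09:14:02", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\invoice\invoice.pdf"},
    {"UtcTime": "2025-08-11 09:14:02", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"UtcTime": "2025-08-11 09:20:40", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini"},
    {"UtcTime": "2025-08-11 10:02:11", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Vendor Agent.lnk"},
]


def in_startup_folder(path: str) -> bool:
    """True when the created file sits directly in a Startup folder."""
    return STARTUP_RE.search(path) is not None


def is_autorun_payload(path: str) -> bool:
    """True when the file would be launched at logon."""
    return path.lower().endswith(AUTORUN_EXT)


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (severity, event index) for every Startup-folder write worth a look:
    'high' when an archive utility wrote it, 'medium' for any other autorun-capable file."""
    hits: List[Tuple[str, int]] = []
    for i, ev in enumerate(events):
        target = ev["TargetFilename"]
        if not in_startup_folder(target):
            continue
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        if writer in ARCHIVERS:
            hits.append(("high", i))
        elif is_autorun_payload(target):
            hits.append(("medium", i))
        # Non-executable housekeeping files such as desktop.ini are ignored.
    return hits


if __name__ == "__main__":
    for severity, i in triage(EVENTS):
        ev = EVENTS[i]
        print(f"[{severity}] {ev['UtcTime']} {ev['Image']} -> {ev['TargetFilename']}")
```

An archive utility has no legitimate reason to create a file in a Startup folder, so that rule can be treated as a near-certain indicator; the medium tier catches installers and manual drops that still deserve review.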

When Trusted Tools Turn Trojan Horses

This incident highlights how ubiquitous desktop software becomes a prime target for advanced threat actors. RomCom's operational sophistication, weaponizing a flaw in a compression utility before it was disclosed, shows how much value attackers place on client-side exploits in widely deployed tools, particularly ones that never update themselves. As ESET prepares a full technical analysis, organizations should treat even mundane utilities as part of the patching regime, and treat a file appearing in a Startup folder as the high-signal event it is.

Source: BleepingComputer