
WinRAR Vulnerability: Zero-Day Exploit Installs RomCom Malware

Urgent Security Alert: Critical WinRAR Vulnerability Exploited in Targeted Attacks

Security researchers have discovered and disclosed a critical vulnerability (CVE-2025-8088) in WinRAR that is being actively exploited by the Russia-aligned hacking group RomCom (also known as Storm-0978, Tropical Scorpius, and UNC2596) in spearphishing campaigns. The vulnerability allows attackers to execute arbitrary code through specially crafted RAR archives. Crucially, WinRAR has no auto-update mechanism, so users must manually download and install the latest version from win-rar.com to mitigate the risk.

Details of the Vulnerability and Exploitation

The vulnerability was identified by Anton Cherepanov, Peter Košinár, and Peter Strýček of ESET. According to Peter Strýček, the group is leveraging the flaw to deliver RomCom backdoors via malicious RAR file attachments in phishing emails. These attacks have been observed targeting organizations globally, with a particular focus on credential theft and establishing persistent access to compromised systems.

RomCom has a documented history of exploiting zero-day vulnerabilities and deploying custom malware. Their tactics include the use of backdoors for long-term access and data exfiltration. The group has been linked to several high-profile ransomware operations, including Cuba ransomware, first observed in 2019, and Industrial Spy, which emerged in late 2022 targeting industrial control systems and intellectual property.

RomCom: A Persistent Threat Actor

RomCom’s operations are characterized by a sophisticated approach, often utilizing previously unknown vulnerabilities in widely used software. The group has previously exploited zero-days in Firefox and Windows, demonstrating a willingness to invest in advanced attack techniques. Its malware, including a variant dubbed “Snipbot” identified in late 2023, is designed for stealthy data theft and persistence; Snipbot specifically targets sensitive data such as browser credentials and cookies.

ESET is currently preparing a detailed report on the exploitation of CVE-2025-8088, which will provide further technical analysis and indicators of compromise (IOCs). The report is expected to be released in the coming weeks.

Mitigation and Long-Term Security

Given WinRAR’s lack of automatic updates, manual intervention is the only reliable method to address this vulnerability. Organizations and individuals are strongly urged to promptly download and install the latest version of WinRAR from the official website. Beyond patching, implementing robust email security measures, including spam filtering and employee training on identifying phishing attempts, is crucial. Regular security audits and vulnerability scanning can also help identify and address potential weaknesses in your systems.
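Because WinRAR does not update itself, the practical first step for a defender is to find every installed copy and compare its version against the patched release. The following PowerShell script is an added example written for this article, not code from ESET, RARLAB, or win-rar.com. It assumes the default install folders plus the standard Windows uninstall registry keys (with WinRAR's entry exposing a DisplayName starting with "WinRAR" and an InstallLocation), and it reads the version from WinRAR.exe's file metadata. The minimum patched version is a placeholder: the article does not state it, so fill it in from the release notes at win-rar.com before use.

```powershell
# Added example (not from the article or from RARLAB): report WinRAR installs on
# this host that are older than the patched release for CVE-2025-8088.
# $MinimumPatchedVersion is a PLACEHOLDER; set it to the fixed version published
# at win-rar.com before relying on the Vulnerable column.
param(
    [version]$MinimumPatchedVersion = '0.0'   # PLACEHOLDER, see above
)

# Default install paths for 64-bit and 32-bit WinRAR.
$candidates = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)

# Uninstall entries catch non-default install paths. Assumed layout: DisplayName
# begins with 'WinRAR' and InstallLocation holds the install folder.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$fromRegistry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'WinRAR*' -and $_.InstallLocation } |
    ForEach-Object { Join-Path -Path $_.InstallLocation -ChildPath 'WinRAR.exe' }

$results = foreach ($exe in (@($candidates) + @($fromRegistry) | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }

    # ProductVersion from the executable's version resource, e.g. "7.01.0".
    # Strip anything that is not a digit or dot so [version] can parse it.
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion -replace '[^\d.]', ''
    if ($raw -notmatch '\.') { $raw = "$raw.0" }   # [version] needs at least major.minor
    $installed = [version]$raw

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $exe
        Installed    = $installed
        Vulnerable   = ($installed -lt $MinimumPatchedVersion)
    }
}

if (-not $results) {
    Write-Output "$($env:COMPUTERNAME): WinRAR not found"
} else {
    $results | Format-Table -AutoSize
}
```

Run it through whatever endpoint management or remote-execution tooling you already use (for example as a scheduled inventory job) and collect the output centrally; any row with Vulnerable set to True is a host that still needs the manual download from win-rar.com. Portable or user-profile copies of WinRAR will not appear in the uninstall keys, so a file-system search for WinRAR.exe is a worthwhile complement on hosts where users can install software.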

