RomCom Group Deploys SnipBot, RustyClaw, and Mythic Agent Variants

A Russian-speaking threat group has been observed exploiting a zero-day vulnerability in WinRAR, the latest step in its move from conventional cybercrime toward cyberespionage. The group, known as RomCom, has evolved substantially in capability and targeting since it first emerged.
The campaign, uncovered by researchers at Eset, began in July and exploits CVE-2025-8088, a path traversal flaw in the way WinRAR handles NTFS alternate data streams when extracting an archive. Following Eset's disclosure, WinRAR fixed the flaw in version 7.13, released at the end of July. WinRAR has no automatic update mechanism, so the fix only takes effect once the new version is installed by hand or pushed out through software management; older installations remain exploitable by any crafted archive that reaches them.
Historically, RomCom, also tracked as Storm-0978, Tropical Scorpius, and UNC2596, focused on ransomware deployment. Since Russia's invasion of Ukraine in 2022, the group has shifted toward cyberespionage operations that align with Kremlin interests, while continuing to use conventional cybercriminal tooling and tactics. This is the third known instance of RomCom exploiting a zero-day, after CVE-2023-36884 in 2023 and the CVE-2024-9680 and CVE-2024-49039 chain against Firefox and Windows in 2024, underscoring the group's sustained investment in acquiring and using exploits for targeted intrusions, the researchers noted.
Initial access is achieved through spearphishing emails carrying a RAR archive disguised as a job application. The archive abuses NTFS alternate data streams (ADS): a file inside the archive carries additional named streams, which WinRAR extracts alongside the file, and because the stream names were not sanitized, a name containing ..\ sequences causes WinRAR to write the stream's contents outside the chosen extraction folder, for example into %TEMP% or into the user's Startup folder, where a planted LNK file runs at the next logon. The visible CV looks like a single harmless document; the attackers also pad the archive with many decoy streams filled with junk data so that the malicious ones do not stand out on inspection.
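As an added example (not code from Eset's report, from WinRAR, or from this article), the following Python shows the containment check that this class of bug is missing, run against a constructed archive listing. The extraction folder, the file names and the stream names are invented to illustrate the pattern described above (a benign-looking CV plus ADS entries whose names carry ..\ sequences); they are not indicators from the campaign. The example also covers traversal in the file name itself, which is the older, better-known form of the same mistake.

```python
"""Added example: the containment check missing from the CVE-2025-8088 class of
bug, shown against a constructed archive listing. Every path, file name and
stream name here is invented for illustration; none is a campaign indicator."""
from __future__ import annotations

import ntpath

# Hypothetical extraction folder chosen by the victim (assumption for the demo).
EXTRACT_DIR = r"C:\Users\hr\Downloads\applicants"

# Constructed listing: (archived file name, ADS name or None for the file body).
SAMPLE_ENTRIES = [
    ("CV_Applicant.pdf", None),
    ("CV_Applicant.pdf", "notes_1"),   # decoy stream filled with junk
    ("CV_Applicant.pdf", "notes_2"),   # decoy stream filled with junk
    # Traversal in the stream name, aimed at the user's Startup folder so a
    # planted LNK runs at the next logon.
    ("CV_Applicant.pdf",
     r"..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"),
    # Same trick, aimed at %TEMP% for the DLL the LNK will load.
    ("CV_Applicant.pdf", r"..\..\..\..\AppData\Local\Temp\helper.dll"),
    ("notes.txt", "author"),           # an ordinary, legitimate stream
    # Classic traversal in the file name itself (not used in this campaign,
    # but the same check has to cover it).
    (r"..\Updater.lnk", None),
]


def naive_target(extract_dir: str, name: str, stream: str | None) -> str:
    """Unsafe destination: file path plus ':stream' appended verbatim.

    ntpath.normpath collapses the '..' segments the way a path parser does,
    so the return value shows where the write would actually land.
    """
    path = ntpath.join(extract_dir, name)
    if stream is not None:
        path = f"{path}:{stream}"
    return ntpath.normpath(path)


def safe_target(extract_dir: str, name: str, stream: str | None) -> str | None:
    """Hardened destination, or None when the entry must be refused.

    1. An NTFS stream name is a single component: a path separator or a second
       colon inside it has no legitimate use and is exactly the traversal vector.
    2. The file name gets the usual containment check (the ZipSlip rule):
       after normalisation it must still sit under extract_dir.
    """
    root = ntpath.normpath(extract_dir)
    if stream is not None and any(c in stream for c in "\\/:"):
        return None
    dest = ntpath.normpath(ntpath.join(root, name))
    if ntpath.commonpath([root, dest]) != root:
        return None
    return dest if stream is None else f"{dest}:{stream}"


def audit(entries, extract_dir: str = EXTRACT_DIR):
    """Compare both behaviours: [(name, stream, where_naive_writes, verdict)]."""
    report = []
    for name, stream in entries:
        verdict = "ok" if safe_target(extract_dir, name, stream) else "BLOCKED"
        report.append((name, stream, naive_target(extract_dir, name, stream), verdict))
    return report


if __name__ == "__main__":
    for name, stream, lands_at, verdict in audit(SAMPLE_ENTRIES):
        shown = name if stream is None else f"{name}:{stream}"
        print(f"{verdict:8} {shown}\n         -> {lands_at}")
```

Running the block prints, for each entry, where the naive logic would write and whether the hardened check lets it through; the two Startup and Temp streams resolve to paths under the user profile rather than under the extraction folder, and are the ones refused. The number of ..\ segments an attacker needs depends on how deep the victim's extraction folder sits, which is why the check compares the normalised destination against the root rather than counting segments.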
Further analysis identified three distinct infection chains, each delivering different malware. The first delivers a Mythic agent: a DLL loaded through component object model (COM) hijacking collects the domain name of the infected machine, which in a corporate environment identifies the employer, and terminates if it does not match the expected target. This gate indicates that the attackers performed reconnaissance beforehand and tailored each archive to a specific victim.
The second chain delivers a SnipBot variant via a planted LNK file that launches a trojanized copy of PuTTY, the widely used SSH client, in place of the genuine program. Hiding the loader inside a familiar administrative tool is a recurring RomCom technique for blending in with normal activity on the host.
The third chain uses the RustyClaw downloader, which in turn drops a related downloader tracked as MeltingClaw, a family that researchers at Proofpoint have previously attributed to RomCom. Mapped to MITRE ATT&CK, the chains span initial access (Spearphishing Attachment, T1566.001), execution (User Execution: Malicious File, T1204.002), defense evasion (NTFS File Attributes, T1564.004) and persistence (Startup Folder, T1547.001; Component Object Model Hijacking, T1546.015), a useful checklist for detection engineers reviewing their coverage.
The sectors targeted align with interests commonly associated with Russia-aligned advanced persistent threat (APT) groups, pointing to a geopolitical motive. Separately, a group tracked as Paper Werewolf (also known as GOFFEE) has been exploiting the same WinRAR vulnerability against Russian organizations, showing that the flaw has been picked up by more than one actor.
Phishing lures built around fake job offers and applications have long been associated with North Korean groups, but the tactic has spread across the wider threat landscape. HR and recruiting mailboxes open attachments from strangers as a matter of routine, so this campaign is a reminder that archive handling (keeping WinRAR current, screening or detonating inbound RAR attachments, and alerting on new files in Startup folders) deserves the same attention as malicious documents.