A newly discovered WinRAR zero-day flaw has been exploited in active phishing campaigns by the RomCom hacking group. The vulnerability allows attackers to execute malicious files automatically at system startup. Security experts warn users to update immediately to avoid compromise.
RomCom Hackers Weaponize WinRAR Vulnerability
Security researchers from ESET revealed that the flaw, tracked as CVE-2025-8088, is a directory traversal vulnerability. It enables specially crafted archive files to extract malicious executables into the Windows Startup folder. Once there, the malware runs automatically each time the system boots.
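As an added defensive illustration (not code from the article, ESET, or WinRAR), the following Python audits an archive's entry names for the traversal pattern described above: entries that would resolve outside the extraction folder, and in particular into a Startup folder. It assumes a hypothetical extraction directory and constructed sample entries, and it does not parse the RAR format itself; feed it the names your archive tooling lists.

```python
import ntpath
from typing import Dict, List

# Constructed sample listing: what an archive enumerator might report.
SAMPLE_ENTRIES: List[str] = [
    "invoice.pdf",
    "docs/readme.txt",
    "docs/../invoice_copy.pdf",  # '..' that still stays inside the folder
    "../../Downloads/notes.txt",  # POSIX-style traversal
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Windows\\Temp\\payload.exe",  # absolute path ignores the extraction dir
]

# Hypothetical extraction directory used for the demonstration.
EXTRACT_DIR = "C:\\Users\\alice\\Downloads\\extract"

# Path fragment identifying a per-user Startup folder (compared case-insensitively).
STARTUP_MARKER = ntpath.normcase("\\Start Menu\\Programs\\Startup\\")


def resolve_entry(extract_dir: str, entry: str) -> str:
    """Return the absolute Windows path the entry would be written to."""
    # ntpath is a pure module, so this runs on any OS. join() lets an absolute
    # entry override the base directory; normpath() collapses '..' segments.
    return ntpath.normpath(ntpath.join(extract_dir, entry))


def escapes_dir(extract_dir: str, entry: str) -> bool:
    """True if the resolved path is not strictly inside extract_dir."""
    base = ntpath.normcase(ntpath.normpath(extract_dir)) + "\\"
    return not ntpath.normcase(resolve_entry(extract_dir, entry)).startswith(base)


def targets_startup(extract_dir: str, entry: str) -> bool:
    """True if the resolved path lies inside a Startup folder."""
    return STARTUP_MARKER in ntpath.normcase(resolve_entry(extract_dir, entry))


def audit_entries(extract_dir: str, entries: List[str]) -> List[Dict[str, object]]:
    """Return one finding per entry that escapes the extraction directory."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        if escapes_dir(extract_dir, entry):
            findings.append({
                "entry": entry,
                "resolved": resolve_entry(extract_dir, entry),
                "startup": targets_startup(extract_dir, entry),
            })
    return findings


if __name__ == "__main__":
    for f in audit_entries(EXTRACT_DIR, SAMPLE_ENTRIES):
        print(f"[{'STARTUP' if f['startup'] else 'escape'}] {f['entry']!r} -> {f['resolved']}")
```

Running it on the sample listing reports three escaping entries, one of which lands in the Startup folder; a '..' that stays within the extraction directory is not flagged.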
The RomCom threat actor, also known as Storm-0978, Tropical Scorpius, or UNC2596, used spear-phishing emails to deliver these malicious archives. Targets received convincing lures that, once opened, initiated the infection process.
High-Profile Threat Actor with a Zero-Day Track Record
RomCom has conducted previous ransomware and data theft campaigns and often uses zero-day exploits. The group operates within Russian cybercriminal networks and frequently targets high-value victims.
Patch Released, but Manual Updates Required
The vendor released WinRAR version 7.13 to fix the zero-day flaw. However, WinRAR does not include an automatic update mechanism. Users must manually download and install the latest version from the official website to secure their systems.
Mitigation Steps
Security experts recommend the following actions:
- Update to WinRAR 7.13 immediately
- Avoid opening archive files from unknown sources
- Enable endpoint security tools that can detect suspicious file behavior
Conclusion
The WinRAR zero-day flaw highlights the risks of unpatched software and the persistence of advanced threat actors like RomCom. With the exploit now publicly known, unpatched systems face heightened risk. Users should act quickly to install the latest version and remain alert to phishing threats.