
In July 2025, security researchers uncovered active exploitation of a critical zero-day vulnerability in WinRAR, the widely used file-archiving utility. The flaw, now designated CVE-2025-8088, enabled attackers to implant malware via seemingly innocuous archive files. The exploitation was attributed to RomCom, a sophisticated, Russian state-aligned threat actor with a history of combining espionage and financially motivated campaigns.
Discovery and Technical Details of CVE-2025-8088
The vulnerability was first detected on July 18, 2025, during an investigation into spear-phishing attacks targeting organizations across Europe and Canada. The flaw was a path traversal vulnerability that exploited Windows-specific archive handling. By embedding alternate data streams (ADS) in RAR files, attackers manipulated WinRAR into writing files to arbitrary locations on the host file system.
The technique proved particularly dangerous when malicious files were written to Windows Startup folders:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per-user)
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)
Upon system restart or user logon, the malicious executables were automatically executed, granting attackers remote control of the compromised system.
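The traversal and ADS behaviour described above can be screened for before an archive is ever extracted. The following heuristic is an added example for this write-up, not code from the researchers, from WinRAR or from any RomCom sample: it walks a constructed list of archive entry names and flags parent-directory components, absolute paths, alternate-data-stream syntax and Startup-folder targets. The exact entry layout used in the CVE-2025-8088 archives is not described here, so these checks are deliberately generic.

```python
import ntpath
from dataclasses import dataclass

# Constructed example listing; these names are illustrative, not from any real sample.
SAMPLE_ENTRIES = [
    "cv/resume.pdf",
    "cv/photo.jpg",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
    "resume.pdf:hidden.exe",
]

# Both Startup folders from the write-up share this suffix (matched case-insensitively).
STARTUP_MARKER = r"start menu\programs\startup"

@dataclass
class Finding:
    name: str
    reasons: list

def vet_entry(name: str) -> list:
    """Return the reasons an archive entry name is unsafe to extract (empty if clean)."""
    reasons = []
    normalized = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(normalized)
    parts = rest.split("\\")
    # Escaping the extraction directory with parent-directory components.
    if ".." in parts:
        reasons.append("parent-directory traversal")
    # Drive letters or rooted paths should never appear in a benign archive.
    if drive or rest.startswith("\\"):
        reasons.append("absolute path")
    # A colon inside a path component is NTFS alternate-data-stream syntax (file:stream).
    if any(":" in p for p in parts):
        reasons.append("alternate data stream syntax")
    # Any path aimed at an auto-start folder, however it is expressed.
    if STARTUP_MARKER in normalized.lower():
        reasons.append("targets Startup folder")
    return reasons

def vet_archive(entries) -> list:
    """Vet every entry name and keep only those with at least one finding."""
    return [Finding(n, r) for n in entries if (r := vet_entry(n))]

if __name__ == "__main__":
    for f in vet_archive(SAMPLE_ENTRIES):
        print(f"BLOCK {f.name!r}: {', '.join(f.reasons)}")
```

In practice the entry names would come from an archive library's listing call (for RAR, a wrapper around the unrar tool) rather than from the constructed list.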
WinRAR version 7.13, released on July 30, 2025, patched the flaw. However, the utility’s lack of an auto-update mechanism means users must manually download and install the update, leaving many systems potentially exposed.
RomCom Delivery via Spear-Phishing Campaigns
Researchers observed RomCom leveraging this vulnerability in spear-phishing campaigns. The attackers crafted convincing emails, often masquerading as job applications or CV submissions, with weaponized RAR attachments. When recipients extracted these archives, backdoors were silently deployed.
While no confirmed compromises were reported in the monitored incidents, the campaigns targeted high-value sectors including finance, manufacturing, defense, and logistics, indicating a strong interest in strategic intelligence gathering.
RomCom’s Broader Tactics and Tool Set
RomCom, also tracked as Storm-0978, Tropical Scorpius, and UNC2596, has repeatedly demonstrated advanced offensive capabilities. Since at least 2023, the group has targeted Ukrainian governmental entities and Polish organizations using an evolved malware ecosystem.
One notable component is the SingleCamper RAT, designed for in-memory execution directly from the Windows registry and configured to communicate over a loopback interface for stealth. RomCom delivers SingleCamper via two specialized downloaders:
- RustClaw (Rust): deploys the DustyHammock Rust-based backdoor for primary C2 communication.
- MeltingClaw (C++): deploys the ShadyHammock C++-based loader responsible for activating SingleCamper.
The group also integrates tunneling techniques to expose internal network interfaces to attacker-controlled hosts using utilities such as PuTTY’s Plink, enabling deeper network penetration and lateral movement.
The RomCom RAT
Researchers have previously documented RomCom’s custom RomCom Remote Access Trojan (RAT), a highly deceptive implant often distributed via trojanized versions of legitimate software. The examined sample carried a fraudulent code-signing certificate from “Noray Consulting Ltd.,” supported by fabricated online personas and websites.
Upon execution, the RAT dropped payloads into C:\Users\Public\Libraries, used VMProtect to obfuscate its DLLs, and implemented extensive anti-debugging checks, including CPU feature validation and locale-based execution blocks, often seen terminating in Chinese, Japanese, or Korean environments.
The malware encrypted sensitive static data, including URLs, registry keys, filenames, and C2 domains such as startleauge[.]net, and relied on WinHttp APIs for C2 communications. It also actively enumerated running processes, listed files, and searched for live RDP sessions, facilitating both surveillance and system control.
Threat Profile and Dual-Purpose Strategy
RomCom’s operations blend long-term espionage with the latent capability to execute ransomware attacks, depending on operational objectives. Its multi-language development approach, using Go, C++, Rust, and Lua, enables modularity and increases resilience against signature-based detection.
The group’s campaigns exhibit a consistent focus on stealth, persistence, and flexibility, traits that elevate its threat level for both governmental and private sector targets.
Defensive Recommendations
Guidance for mitigating CVE-2025-8088 and RomCom-related activity includes:
- Update WinRAR immediately to version 7.13 or later via manual download from the official site.
- Avoid extracting archives from untrusted sources, especially those distributed in unsolicited job applications or similar lures.
- Maintain phishing awareness training to help staff identify social engineering attempts.
- Deploy advanced endpoint protection to detect suspicious process creation in Startup folders and other persistence locations.
- Monitor file system changes, particularly in known auto-execution directories.
- Investigate anomalies in archive extraction behavior and outbound network traffic patterns.
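As an added example of the Startup-folder monitoring recommended above (not from the original write-up), the following triages constructed file-creation events whose field names loosely follow Sysmon's FileCreate (Event ID 11) layout, and raises the severity when the writing process is WinRAR itself, since that is the extraction-driven persistence the campaign relied on.

```python
import ntpath
from collections import namedtuple

# Expanded, lower-cased forms of the two Startup folders named in the write-up
# (%APPDATA% resolves to <profile>\AppData\Roaming, %ProgramData% to C:\ProgramData).
STARTUP_SUFFIXES = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
)
# File types the shell will launch from a Startup folder at logon.
AUTO_RUN_EXTENSIONS = {".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".scr", ".hta"}
# Archive utilities; a write from one of these into Startup matches the CVE-2025-8088 pattern.
ARCHIVE_TOOLS = {"winrar.exe"}

# Constructed sample events (field names modelled on Sysmon FileCreate, values made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\cv\resume.pdf"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Vendor Tray.lnk"},
]

Alert = namedtuple("Alert", "severity image target reason")

def in_startup_folder(path: str) -> bool:
    """True if the path lies inside either Startup folder, regardless of case or slash style."""
    low = path.replace("/", "\\").lower()
    return any(s in low for s in STARTUP_SUFFIXES)

def evaluate(event: dict):
    """Triage one file-creation event; return an Alert or None when it is not a Startup write."""
    target = event["TargetFilename"]
    if not in_startup_folder(target):
        return None
    image = ntpath.basename(event["Image"]).lower()
    ext = ntpath.splitext(target)[1].lower()
    if image in ARCHIVE_TOOLS:
        severity, reason = "high", "archive utility wrote into a Startup folder"
    elif ext in AUTO_RUN_EXTENSIONS:
        severity, reason = "medium", "auto-run file type created in a Startup folder"
    else:
        severity, reason = "low", "file created in a Startup folder"
    return Alert(severity, image, target, reason)

def scan(events) -> list:
    """Return the alerts for every event that touched a Startup folder."""
    return [a for a in map(evaluate, events) if a is not None]
```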
Given WinRAR’s widespread use and absence of automated updates, organizations must adopt proactive patching policies and incorporate reliable vulnerability scanning for outdated versions.
Operational Implications for Security Teams
The exploitation of CVE-2025-8088 illustrates several operational imperatives for defenders:
- Zero-day exploitation chains can weaponize non-browser, non-document utilities, underscoring the need for comprehensive application inventory and monitoring.
- Archive file vetting should be treated with the same caution as macro-enabled Office files or executable downloads.
- Threat hunting efforts should expand to detect persistence in Startup folders, registry run keys, and other auto-start locations.
- Incident response playbooks must address malicious ADS use and path traversal in file extraction workflows.
The RomCom case demonstrates that archive utilities, often considered low-risk, can become high-impact attack vectors when paired with advanced social engineering.
RomCom is neither Romantic nor Funny
The exploitation of WinRAR’s CVE-2025-8088 by RomCom highlights the operational danger of seemingly benign software vulnerabilities. By embedding malware directly into the extraction process, RomCom effectively bypassed many traditional user-awareness defenses, relying on default system behavior to execute its payloads.
Coupled with its mature RAT ecosystem, modular tool set, and evolving delivery infrastructure, RomCom poses a persistent and adaptable threat to targeted organizations. The group’s blending of espionage objectives with potential ransomware deployment further complicates attribution and response prioritization.
Security teams must treat application-level zero-days with urgency equal to that given to network-facing vulnerabilities. Manual patching requirements, as seen with WinRAR, add another layer of operational risk that adversaries will continue to exploit. Ultimately, mitigation depends on a combination of rapid vulnerability management, continuous endpoint monitoring, and sustained user education.