RomCom Hackers Exploit WinRAR Zero-Day CVE-2025-8088 in Cyberattacks, ESET Confirms

Cybersecurity researchers have uncovered that the Russian hacking group RomCom exploited a previously unknown flaw in WinRAR, tracked as CVE-2025-8088, in a series of zero-day attacks. The vulnerability was identified as a path traversal bug that enabled attackers to drop malicious payloads onto victims’ systems.

According to a report published by ESET, the flaw was discovered on July 18, 2025, when RomCom began using it in live campaigns. The issue stemmed from the abuse of alternate data streams (ADS) within specially crafted RAR archives. These archives contained hidden payloads designed to extract malicious files into specific Windows directories, including %TEMP%, %LOCALAPPDATA%, and the Startup folder, allowing malware to persist across reboots.

WinRAR released a patched version (7.13) on July 30, 2025, after being alerted by ESET. However, the official advisory at the time did not mention ongoing exploitation.

ESET’s analysis revealed three attack chains delivering different RomCom malware families:
  • Mythic Agent – executed through a COM hijack, enabling command-and-control communications.
  • SnipBot – a trojanized PuTTY CAC version that downloaded additional payloads.
  • MeltingClaw – a modular malware framework used for further infections.

The malicious archives also contained numerous invalid ADS entries. ESET believes these were deliberately added to create harmless-looking warnings in WinRAR, masking the presence of the true malware payloads.
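As an added defensive illustration (not code from ESET's report or from WinRAR), the following Python heuristic triages RAR entry names as a RAR listing tool would print them: it flags alternate data stream names that carry path separators or parent references, resolves where such a path would land relative to the extraction directory, matches it against the drop locations named above, and counts stream entries as a noise indicator. The extraction root, the directory patterns and the sample entry names are constructed assumptions for the demonstration.

```python
import ntpath
# Drop locations the report names (%TEMP%, %LOCALAPPDATA%, Startup), matched on the lower-cased target.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\local\\", "\\programs\\startup\\")
# Constructed extraction directory used only to resolve paths; nothing is written to disk.
EXTRACT_ROOT = r"C:\Users\victim\Downloads\archive"

def split_ads(entry):
    """Split 'file.txt:stream' into (file, stream); a leading 'C:\\' is a drive prefix, not a stream."""
    idx = entry.find(":")
    if idx == -1 or (idx == 1 and entry[0].isalpha() and entry[2:3] in ("\\", "/")):
        return entry, None
    return entry[:idx], entry[idx + 1:]

def escapes_root(target, root=EXTRACT_ROOT):
    """True if the normalized target would land outside the extraction root."""
    root_n = ntpath.normpath(root).lower().rstrip("\\") + "\\"
    return not (target.lower() + "\\").startswith(root_n)

def triage_entry(entry, root=EXTRACT_ROOT):
    """Return the reasons an archive entry name looks like an ADS-based path traversal attempt."""
    reasons = []
    base, stream = split_ads(entry)
    host = ntpath.normpath(ntpath.join(root, base))  # where the carrier file itself would land
    if escapes_root(host, root):
        reasons.append("entry name escapes extraction root")
    if stream is not None:
        parts = stream.replace("/", "\\").split("\\")
        # A benign stream name such as Zone.Identifier has no separators or parent references.
        if len(parts) > 1 or ".." in parts:
            reasons.append("ADS name carries a path")
            # Resolve the stream-name path relative to the carrier file's directory.
            target = ntpath.normpath(ntpath.join(ntpath.dirname(host), stream))
            if escapes_root(target, root):
                reasons.append("ADS path escapes extraction root")
            if any(d in target.lower() + "\\" for d in SUSPICIOUS_DIRS):
                reasons.append("ADS path targets a known drop directory")
    return reasons

def triage_archive(entries, root=EXTRACT_ROOT):
    """Map suspicious entries to reasons, plus the ADS entry count (many junk streams = noise tactic)."""
    findings = {e: r for e in entries if (r := triage_entry(e, root))}
    return findings, sum(1 for e in entries if split_ads(e)[1] is not None)

# Constructed entry names mimicking the pattern the report describes (not from a real sample).
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "Invoice_2025.pdf:Zone.Identifier",
    "Invoice_2025.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "Invoice_2025.pdf:..\\..\\AppData\\Local\\Temp\\helper.dll",
    "Invoice_2025.pdf:junk1",
]
```

Feeding `triage_archive` the names from a real listing gives a quick pre-extraction verdict; a high stream count with few flagged paths is itself worth a closer look given the decoy-entry tactic ESET describes.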

This is not the first time RomCom has exploited zero-day flaws. The group, also known as Storm-0978 and Tropical Scorpius, has previously leveraged vulnerabilities in Firefox and Microsoft Office.

Russian cybersecurity company Bi.Zone separately reported that another cluster, tracked as Paper Werewolf, also abused CVE-2025-8088 and a related bug, CVE-2025-6218.

While Microsoft added native RAR support to Windows in 2023, its limited functionality means many enterprises still rely on WinRAR, making it an attractive target for attackers.

WinRAR developers confirmed that they had not received user complaints and were only provided with technical details necessary to release the patch. Since WinRAR lacks an auto-update feature, users must manually download and install the latest version to stay protected.