RomCom exploits WinRAR zero-day in targeted espionage

August 11, 2025 at 12:00 AM

ESET researchers warn that a newly discovered WinRAR zero-day, tracked as CVE-2025-8088, is being actively exploited by the Russia-aligned RomCom group in targeted espionage operations. The flaw is a path traversal vulnerability in WinRAR for Windows: a specially crafted archive can make the extractor write files outside the directory the user selected, including NTFS alternate data streams that drop a payload into locations such as the Windows Startup folder, so the attacker's code runs the next time the victim logs in.

Key takeaways:

  • Attack vector: spearphishing campaigns delivering malicious archives
  • Affected sectors: financial, manufacturing, defense, and logistics
  • Regions targeted: Europe and Canada
  • Impact: arbitrary code execution on victim systems
  • Threat actor: RomCom, now seen leveraging its third major zero-day

Why it matters
This vulnerability gives adversaries a direct route to run code on targeted machines: a single opened archive can plant a payload that launches at the next login, opening the door to credential theft, data exfiltration, and long-term espionage if left unpatched.

What to do now

  • Update WinRAR to version 7.13 or later immediately; WinRAR has no auto-update mechanism, so the new build must be downloaded and installed manually. The fix also covers the Windows builds of RAR, UnRAR, UnRAR.dll and the portable UnRAR source; Unix builds and RAR for Android are not affected.
  • Be cautious with unsolicited archive files; verify senders and sources
  • Where possible, open unknown archives in a sandboxed environment
  • Monitor endpoints for files newly written to user Startup folders and other autorun locations shortly after an archive is extracted, and for child processes of archive handlers that are not the expected viewer applications
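The check that a path traversal bug like the one described above bypasses is the per-entry validation an extractor must do before it writes anything to disk. The following is an added example, not ESET's or WinRAR's code: it rejects archive member names that are absolute, carry a drive letter, contain parent-directory components, or name an NTFS alternate data stream, and it includes a small version gate for the "update to 7.13" step. The entry names and the function names are constructed for illustration.

```python
"""Per-entry safety check for archive extraction (added example).

Models the validation a safe extractor performs on every member name
before writing it under the user-chosen destination. Both '/' and '\\'
are treated as separators because archives built on one platform are
routinely extracted on another. Entry names below are constructed.
"""
import ntpath
from typing import List, Optional, Tuple

# Version that fixed the traversal bug described in the article.
PATCHED_WINRAR = (7, 13)


def is_unsafe_entry(name: str) -> Optional[str]:
    """Return a reason if `name` must not be extracted, else None."""
    if not name or name in (".", ".."):
        return "empty or dot entry"
    norm = name.replace("\\", "/")          # one rule set for both styles
    if norm.startswith("/"):
        return "absolute path"
    if ntpath.splitdrive(name)[0]:         # 'C:' or UNC '//server/share'
        return "drive-letter prefix"
    if ":" in norm:                        # 'file.txt:stream' => NTFS ADS
        return "alternate data stream"
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory traversal"
    if any(p.endswith((" ", ".")) for p in parts):  # Windows strips these
        return "trailing space or dot component"
    return None


def triage_entries(names: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split member names into (accepted, [(rejected_name, reason), ...])."""
    accepted, rejected = [], []
    for n in names:
        reason = is_unsafe_entry(n)
        if reason is None:
            accepted.append(n)
        else:
            rejected.append((n, reason))
    return accepted, rejected


def winrar_is_patched(version: str) -> bool:
    """True if a dotted WinRAR version string is 7.13 or later."""
    parsed = tuple(int(x) for x in version.strip().split("."))
    return parsed >= PATCHED_WINRAR


# Constructed sample member list: one benign file, one traversal into
# the user's Startup folder, one ADS name, one absolute path, one benign.
SAMPLE_ENTRIES = [
    "report/q3-figures.xlsx",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "notes.txt:payload.exe",
    "C:\\Users\\Public\\run.bat",
    "docs/./readme.md",
]

if __name__ == "__main__":
    ok, bad = triage_entries(SAMPLE_ENTRIES)
    for n in ok:
        print("extract :", n)
    for n, why in bad:
        print("REJECT  :", n, "->", why)
    print("WinRAR 7.12 patched?", winrar_is_patched("7.12"))
```

The string-level rules matter because `os.path.realpath` on a Linux host would not treat the backslashes in the second entry as separators, so a purely resolved-path check written there would pass a name that escapes the destination once the same archive is opened on Windows.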

Learn more
ESET’s Chief Security Evangelist Tony Anscombe provides a video overview of the attacks and additional technical details in the accompanying blogpost.

Source: WeLiveSecurity
