Russia-aligned RomCom group leverages WinRAR zero-day vulnerability in targeted attacks
In a recent cybersecurity incident, the Russia-aligned RomCom group has been found to have exploited a high-severity vulnerability in the Windows version of WinRAR. The vulnerability, identified as CVE-2025-8088, is a directory traversal flaw that allows attackers to craft malicious archives, placing executable files in sensitive system locations like the Windows Startup folder. This results in remote code execution upon system restart.
The exploit was primarily used via spearphishing emails with malicious RAR attachments to deploy persistent backdoors, including the Mythic Agent, a variant of SnipBot, and the RustyClaw downloader. The targeted sectors were primarily defense, finance, manufacturing, and logistics across Europe and Canada.
The RomCom group, also known by aliases such as Storm-0978, UNC2596, and Tropical Scorpius, has a history of using multiple zero-day exploits. Previous exploits include CVE-2023-36884 (Microsoft Word RCE), CVE-2024-9680 chained with CVE-2024-49039 (browser exploit), and now CVE-2025-8088 (WinRAR).
The impact of this exploit was significant because it enabled stealthy, persistent infection of high-value targets. RomCom leveraged advanced tactics such as anti-analysis techniques and system checks to evade detection. Although active exploitation was observed between July 18 and 21, 2025, no confirmed successful compromises were reported during that campaign. The vulnerability nonetheless posed a serious risk because of the ease of remote code execution and persistence it afforded.
Other Russia-linked groups have also exploited WinRAR vulnerabilities. For instance, Fancy Bear, a GRU cyber-espionage group, exploited a different WinRAR vulnerability, CVE-2023-38831, in large-scale phishing campaigns targeting government, defense, and aerospace sectors in the US and Europe.
The vulnerability CVE-2025-8088 has been patched in WinRAR version 7.13, and immediate updating is strongly recommended to defend against ongoing exploitation. The flaw stems from improper path validation of archive entries, which the attackers combined with Windows Alternate Data Streams to hide malicious payloads and gain persistent remote access.
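The defensive check that the paragraph above implies is a validation of archive entry names before extraction: an entry must not be an absolute path, must not contain a `..` component that climbs out of the extraction directory, and must not carry an Alternate Data Stream suffix. The following is an added example written for this page, not WinRAR's code and not code from any RomCom sample; the entry names are constructed for illustration, and the function names `classify_entry`, `resolves_inside` and `scan_listing` are the example's own. It uses only the standard library and does not parse RAR files itself, so it runs on any platform against a listing you obtain from your archive tool of choice.

```python
import ntpath
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional

# Constructed sample of archive entry names (not taken from any real archive).
# The second entry mimics the Startup-folder placement described above.
SAMPLE_ENTRIES = [
    r"invoice\report.pdf",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\Windows\Temp\drop.exe",
    r"notes.txt:hidden.exe",
    r"docs/../readme.txt",
]


def classify_entry(name: str) -> Optional[str]:
    """Return a reason string if the entry name is unsafe to extract, else None.

    Checks, in order: absolute or drive-qualified paths, Alternate Data Stream
    syntax (a colon inside a path component), and '..' traversal components.
    """
    p = PureWindowsPath(name)
    # Drive letters ("C:"), rooted paths ("\\Windows") and UNC paths must never
    # appear in an archive entry that is meant to land under the extraction root.
    if p.drive or p.root:
        return "absolute path"
    # A colon in any component is ADS syntax (file:stream); drive letters were
    # already excluded above, so no legitimate relative entry contains one.
    if any(":" in part for part in p.parts):
        return "alternate data stream"
    # pathlib keeps '..' components verbatim, so a simple membership test works
    # regardless of whether the archive used '\\' or '/' separators.
    if ".." in p.parts:
        return "directory traversal"
    return None


def resolves_inside(root: str, name: str) -> bool:
    """Belt-and-braces check: does the fully normalised destination stay under root?

    This catches entries such as 'docs/../readme.txt' that contain '..' yet still
    resolve inside the root, and it works on any OS because ntpath is used.
    """
    root_n = ntpath.normpath(root)
    target = ntpath.normpath(ntpath.join(root_n, name))
    try:
        return ntpath.commonpath([root_n, target]) == root_n
    except ValueError:
        # Different drives (or a UNC vs. drive mix) share no common path.
        return False


def scan_listing(entries: Iterable[str], root: str = r"C:\extract") -> Dict[str, str]:
    """Map each unsafe entry name to the reason it was rejected."""
    findings: Dict[str, str] = {}
    for name in entries:
        reason = classify_entry(name)
        if reason is None and not resolves_inside(root, name):
            reason = "escapes extraction root"
        if reason is not None:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for entry, why in scan_listing(SAMPLE_ENTRIES).items():
        print(f"REJECT {why:24} {entry}")
```

Running the block on the constructed listing rejects the traversal, absolute and ADS entries and keeps `invoice\report.pdf`. Note that `docs/../readme.txt` is reported as traversal by `classify_entry` even though it resolves inside the root; that is deliberate, since an archive has no legitimate reason to contain `..` at all and a strict policy is easier to defend than a path-by-path judgement.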
In summary:
- Vulnerability: CVE-2025-8088 (WinRAR directory traversal)
- Exploiting Group: RomCom (Russia-aligned APT)
- Impact: Remote code execution, persistent backdoors, targeted spearphishing attacks in Europe & Canada
- Other Exploiting Groups: Fancy Bear (exploited other WinRAR CVEs)
- Patch: WinRAR v7.13 (released July 30, 2025)
- Attack Methods: Phishing emails with malicious RAR files, backdoors (Mythic Agent, SnipBot, RustyClaw), anti-analysis tactics
This exploitation highlights RomCom’s continued use of zero-days for cybercrime and espionage and illustrates broader Russian interest in WinRAR vulnerabilities for targeted attacks.