Particle.news
Download on the App Store
4 ARTICLES
·
2d ago

RomCom Hackers Exploit WinRAR Zero-Day to Deliver Persistent Backdoors

ESET researchers documented active attacks using the fixed traversal flaw to install malware into Windows startup folders.

WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware

Overview

  • CVE-2025-8088 is a directory traversal flaw in Windows versions of WinRAR that enables attacker-defined extraction paths, a weakness discovered by ESET researchers Anton Cherepanov, Peter Košinár and Peter Strýček.
  • RomCom threat actors exploited the flaw as a zero-day in spear-phishing campaigns, using crafted RAR archives to place executables into Windows Startup folders and achieve persistent remote code execution.
  • WinRAR 7.13 includes the patch for the vulnerability, but users must manually download and install the update, as the application lacks an auto-update feature.
  • Unix builds of RAR and UnRAR and the Android version of WinRAR are not affected by this vulnerability, limiting the exploit to Windows clients.
  • RomCom, a Russia-aligned hacking group known for zero-day exploits, ransomware and credential-theft extortion, has been observed targeting users in Europe and North America and ESET is finalizing a detailed disclosure report.