Overview

• The flaw tracked as CVE-2025-8088 is a path traversal vulnerability leveraging alternate data streams to force extraction of attacker-controlled payloads.
• Spearphishing emails sent from July 18 to 21 carried malicious RAR archives disguised as resumes to target financial, manufacturing, defense and logistics firms in Europe and Canada.
• ESET attributes the campaign with high confidence to RomCom based on tactics, targets and malware while Russian firm Bi.zone reports a separate actor called Paper Werewolf exploiting related CVEs in Russia.
• WinRAR developers received ESET’s report on July 24 and issued a beta fix the next day followed by a full update on July 30; manual patching remains critical due to the absence of an automatic updater.
• No confirmed compromises were observed but successful exploitation would have deployed modular backdoors—SnipBot, RustyClaw and Mythic Agent—capable of command execution, persistence and additional module downloads.