Ethical Hacking News
Russia-linked attackers affiliated with the RomCom group have been exploiting a high-severity vulnerability in WinRAR to launch targeted attacks on financial, manufacturing, defense, and logistics companies in Europe and Canada. As the threat landscape continues to evolve, organizations must prioritize software updates and cybersecurity measures to stay ahead of these highly-targeted attack groups.
Russia-linked attackers affiliated with the RomCom group have been exploiting a high-severity vulnerability in WinRAR. The vulnerability, CVE-2025-8088, allows attackers to bypass security measures and gain unauthorized access to sensitive information. RomCom began abusing the security hole prior to the patch, which WinRAR released on July 31. At least one other gang, Paper Werewolf, also exploited the same vulnerability around the same time. RomCom has been linked to several zero-day exploits in recent times, including CVE-2023-36884 and CVE-2024-9680. The ESET team warns that other threat actors may adopt the same exploit now that information about this vulnerability is publicly available.
In a shocking revelation, ESET researchers have discovered that Russia-linked attackers, affiliated with the highly-targeted attack group RomCom, have been exploiting a high-severity vulnerability in WinRAR, a popular Windows file archiver. The vulnerability, tracked as CVE-2025-8088, is a path-traversal flaw that affects the decompression tool, allowing attackers to bypass security measures and gain unauthorized access to sensitive information.
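The defensive check a practitioner wants for this bug class is shown below as an added example; it is not code from ESET, WinRAR, or the article. It models the generic archive path-traversal problem the article describes (an entry name chosen by the attacker that escapes the directory the user picked for extraction) using Python's zipfile module, because the standard library cannot read RAR; the validation rules are the same for any archive format. The archive contents, the function names and the output directory are constructed for the example.

```python
"""Audit archive entry names for path traversal before anything is extracted.

Added example, not ESET's, WinRAR's or the article's code. Uses ZIP via the
standard library as a stand-in for any archive format: entry names are
attacker-controlled data and must be validated against the output directory.
"""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def is_unsafe_entry(name: str) -> bool:
    """True when an entry name could place a file outside the output directory."""
    if not name or "\x00" in name:
        return True
    # Archives store '/', but Windows extractors also honour '\'; treat both alike.
    unified = name.replace("\\", "/")
    # Absolute paths, and ':' (drive letter or NTFS alternate data stream) are rejected.
    if unified.startswith("/") or ":" in unified:
        return True
    # Any '..' component is traversal, whatever surrounds it.
    return any(part == ".." for part in PurePosixPath(unified).parts)


def resolves_inside(dest_dir: str, name: str) -> bool:
    """Second, filesystem-level check: the final path must still be under dest_dir."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    return os.path.commonpath([root, target]) == root


def audit_archive(data: bytes, dest_dir: str) -> dict:
    """Map every entry of an in-memory ZIP to 'safe' or 'unsafe' for dest_dir."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bad = is_unsafe_entry(info.filename) or not resolves_inside(dest_dir, info.filename)
            verdicts[info.filename] = "unsafe" if bad else "safe"
    return verdicts


def extract_safely(data: bytes, dest_dir: str) -> list:
    """Extract only entries that pass both checks; return the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_entry(info.filename) or not resolves_inside(dest_dir, info.filename):
                continue  # quarantine for analysis instead of writing it
            zf.extract(info, dest_dir)
            written.append(info.filename)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: a benign 'CV' plus two entries that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv/resume.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("../../escaped.txt", b"constructed traversal entry")
        zf.writestr("C:/absolute.txt", b"constructed drive-letter entry")
    return buf.getvalue()


def demo_extract() -> tuple:
    """Run extract_safely on the sample inside a throwaway directory.

    Returns (entries written, files actually present under that directory).
    """
    with tempfile.TemporaryDirectory() as tmp:
        written = extract_safely(build_sample_archive(), tmp)
        present = sorted(
            os.path.relpath(os.path.join(d, f), tmp).replace(os.sep, "/")
            for d, _, files in os.walk(tmp) for f in files
        )
    return written, present


if __name__ == "__main__":
    for entry, verdict in audit_archive(build_sample_archive(), "out").items():
        print(f"{verdict:6} {entry}")
    print(demo_extract())
```

The two checks are deliberately independent: the name-level rules catch Windows-specific forms (backslashes, drive letters, alternate data streams) that a POSIX path resolver would happily treat as an ordinary file name, while the realpath comparison catches anything the pattern rules miss once symlinks and the real output directory are taken into account.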
According to ESET senior malware researcher Anton Cherepanov, RomCom began abusing the security hole prior to the patch, which WinRAR released on July 31. The attackers launched spear-phishing campaigns disguised as job application documents, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. RomCom did not manage to compromise its intended targets. At least one other gang, Paper Werewolf, exploited the same vulnerability around the same time.
The ESET team analyzed an archive uploaded to VirusTotal from Germany, which contained a malicious executable named ApbxHelper.exe. The researchers found that this executable exploits the CVE-2025-8088 vulnerability, further solidifying the link between RomCom and the WinRAR exploit. Additionally, another malicious LNK file was identified, which runs a downloader named RustyClaw, also attributed to RomCom.
This is not the first time that RomCom has exploited a zero-day. Previous examples include CVE-2023-36884, a remote code execution (RCE) bug in Microsoft Word; CVE-2024-9680, chained with another previously unknown vulnerability in Windows; and CVE-2024-49039, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser, which also leads to arbitrary code execution.
Furthermore, Fancy Bear, a GRU cyber-espionage crew, has been linked to exploiting CVE-2023-38831 for large-scale phishing campaigns against high-value targets including government, defense, and aerospace agencies in the US and Europe. This highlights the ongoing cat-and-mouse game between cybersecurity professionals and threat actors.
The ESET team emphasizes that, now that information about this vulnerability is publicly available, other threat actors are highly likely to adopt the same exploit. As a result, organizations are advised to update their software immediately and watch for the indicators of compromise published with the research.
In conclusion, RomCom's exploitation of the WinRAR 0-day serves as a stark reminder of the ongoing threat landscape in the cybersecurity world. Organizations must remain vigilant and proactive in protecting themselves against emerging threats, lest they become the next target for these highly-targeted attack groups.
Related Information:
https://www.ethicalhackingnews.com/articles/Russias-RomCom-A-Highly-Targeted-Attack-Group-Exploiting-WinRAR-Vulnerabilities-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/08/11/russias_romcom_among_those_exploiting/
https://nvd.nist.gov/vuln/detail/CVE-2023-36884
https://www.cvedetails.com/cve/CVE-2023-36884/
https://nvd.nist.gov/vuln/detail/CVE-2024-9680
https://www.cvedetails.com/cve/CVE-2024-9680/
https://nvd.nist.gov/vuln/detail/CVE-2024-49039
https://www.cvedetails.com/cve/CVE-2024-49039/
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://www.cvedetails.com/cve/CVE-2023-38831/
https://nvd.nist.gov/vuln/detail/CVE-2025-8088
https://www.cvedetails.com/cve/CVE-2025-8088/
Published: Mon Aug 11 15:36:10 2025 by llama3.2 3B Q4_K_M