SecurityWeek

Nation-State

Russian Hackers Exploited WinRAR Zero-Day in Attacks on Europe, Canada

WinRAR has patched CVE-2025-8088, a zero-day exploited by Russia’s RomCom in attacks on financial, defense, manufacturing and logistics companies.


A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability as part of a cyberespionage campaign aimed at organizations in Europe and Canada.

The zero-day is tracked as CVE-2025-8088 and is described as a path traversal flaw that abuses NTFS alternate data streams. A specially crafted archive can make WinRAR write files to a path chosen by the attacker instead of the extraction directory the user selected, which turns the act of unpacking an archive into a file write to an attacker-controlled location with the user's privileges.
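The following is an added example, not code from SecurityWeek, ESET or WinRAR, showing the general class of check an extractor or an attachment-triage pipeline can apply to archive entry names before anything touches disk: refuse traversal segments, absolute and drive-rooted paths, and alternate data stream names of the form `file.txt:stream`, and independently confirm that the resolved destination stays under the chosen extraction directory. The page does not describe the exact encoding of the entries RomCom used, so these checks are generic rather than a signature for CVE-2025-8088. The function names (`classify_entry`, `resolve_under`, `scan_archive`), the extraction root `/tmp/extract`, and the sample archive are assumptions; a ZIP stands in for RAR because Python's standard library has no RAR parser, and the hostile entry names inside it are constructed test data with empty payloads.

```python
"""Added example, not code from SecurityWeek, ESET or WinRAR.

A pre-extraction screen for archive entry names covering the general class
the article describes: directory traversal and NTFS alternate data stream
(ADS, 'file.txt:stream') names that redirect where an extractor writes.
The page does not give the exact entry encoding used against CVE-2025-8088,
so the checks are generic. A ZIP stands in for RAR because the standard
library has no RAR parser; the entry names below are constructed test data.
"""
from __future__ import annotations

import io
import posixpath
import zipfile


def _segments(name: str) -> list[str]:
    """Split on either separator; Windows and most archivers accept both."""
    return name.replace("\\", "/").split("/")


def classify_entry(name: str) -> set[str]:
    """Return the red flags for one entry name (an empty set means clean).

    absolute      leading slash or backslash
    drive-letter  'C:' style prefix, i.e. an absolute Windows path
    traversal     any '..' path segment
    ads           ':' inside a segment; a colon is never valid in a Windows
                  file name except as the drive or ADS separator
    """
    flags: set[str] = set()
    segs = _segments(name)
    first = segs[0]
    if name.startswith(("/", "\\")):
        flags.add("absolute")
    if len(first) >= 2 and first[0].isalpha() and first[1] == ":":
        flags.add("drive-letter")
        first = first[2:]  # drop 'C:' so the ADS test sees only the name part
    if ".." in segs:
        flags.add("traversal")
    if any(":" in s for s in [first, *segs[1:]]):
        flags.add("ads")
    return flags


def resolve_under(root: str, name: str) -> str | None:
    """Destination for `name` inside `root`, or None if it must be refused.

    Two independent gates: the name flags above, then a lexical containment
    check that normalises '.', '..' and empty segments and requires the
    result to sit strictly below `root`. Both must pass.
    """
    if classify_entry(name):
        return None
    root_norm = posixpath.normpath(root.replace("\\", "/"))
    target = posixpath.normpath(root_norm + "/" + name.replace("\\", "/"))
    if not target.startswith(root_norm.rstrip("/") + "/"):
        return None
    return target


def build_sample_archive() -> bytes:
    """Constructed sample: one benign 'resume' plus hostile names (no payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_J_Doe.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("../../../dropped.dll", b"")
        zf.writestr("Resume_J_Doe.pdf:hidden.exe", b"")
        zf.writestr("C:\\Users\\Public\\x.lnk", b"")
    return buf.getvalue()


def scan_archive(data: bytes, root: str = "/tmp/extract") -> dict[str, list[str]]:
    """Map every entry name to its sorted flags; a clean entry maps to []."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            flags = sorted(classify_entry(name))
            if not flags and resolve_under(root, name) is None:
                flags = ["escapes-root"]
            report[name] = flags
    return report


if __name__ == "__main__":
    for entry, flags in scan_archive(build_sample_archive()).items():
        print(f"{'REFUSE' if flags else 'ok    '} {entry!r} {flags}")
```

The two gates are deliberately separate. A containment check built on `normpath` alone would pass `Resume_J_Doe.pdf:hidden.exe`, because a colon is an ordinary character to a path normaliser and only NTFS gives it stream semantics; the name screen catches it, while the containment check still catches any traversal the screen might miss. None of this replaces updating WinRAR, since the flaw sits inside WinRAR's own extraction logic; the screen is for teams writing their own extractors or triaging mailed archives before a user opens them.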

Cybersecurity firm ESET discovered the attacks and reported the vulnerability to WinRAR developers. The security hole was patched with an update released on July 30 — a beta version containing the fix was made available on July 25, just one day after ESET’s notification. 

According to ESET, the attacks involving CVE-2025-8088 were conducted by a Russia-linked threat actor named RomCom (aka Storm-0978, Tropical Scorpius, and UNC2596).

RomCom is known for conducting both cyberespionage and opportunistic cybercrime operations. This is not the first time the hackers have exploited zero-day vulnerabilities in attacks aimed at targets in Europe and North America.

In the attacks exploiting the WinRAR zero-day, first observed by ESET on July 18, the hackers used spearphishing emails to send malicious archives disguised as resumes to the targeted individuals. The emails were highly targeted, suggesting that the attackers had conducted reconnaissance to increase their chances of success.


The attacks were aimed at financial, defense, manufacturing, and logistics companies in Canada and Europe. 

ESET said none of the targets were compromised. Had an attack succeeded, the crafted archives were designed to deploy one of several backdoors, including those tracked as SnipBot, RustyClaw, and Mythic Agent.

ESET pointed out that CVE-2025-8088 is similar to CVE-2025-6218, another path traversal vulnerability patched recently in WinRAR. 

According to Russian security firm Bi.zone, CVE-2025-6218 and CVE-2025-8088 were exploited recently by a threat actor it tracks as Paper Werewolf to target organizations in Russia, including an equipment manufacturer. 


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
