Zero-Day Vulnerability in WinRAR Actively Exploited by Hackers to Target Critical Industries
A serious WinRAR vulnerability, CVE-2025-8088, allowed hidden malicious files to execute on startup during targeted attacks. A quick security update was released to fix the flaw and protect affected systems.

A new security flaw has been discovered in WinRAR, a popular file compression tool. Cybersecurity experts warn that RomCom, a hacking group, is already exploiting this weakness, identified as CVE-2025-8088.
The issue enables attackers to hide harmful files within harmless-looking archives. When a user extracts such an archive, the hidden malware can be quietly planted in critical areas of the computer system. From there it can run automatically, giving the attackers complete control.
On July 30, 2025, the WinRAR team released a security patch to address the issue. Experts highly advise all users to upgrade WinRAR and related tools as soon as possible to ensure their security.
This is a path traversal vulnerability, meaning attackers can trick WinRAR into writing files outside of the intended extraction folder. They achieve this through alternate data streams (ADS), a Windows NTFS feature that allows additional hidden data to be attached to a file.
RomCom used this technique to hide malicious DLL files (program libraries) and LNK files (shortcuts) in system directories, allowing the malware to run each time the PC starts.
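The two tricks described above, an ADS suffix on a file name and a path that escapes the extraction folder, can both be spotted in an archive's file listing before anything is written to disk. The following Python is an added example, not code from the article or from WinRAR; it audits a constructed list of entry names (a real check would read the names from the archive) and reports which entries should not be extracted.

```python
import re

# Constructed sample listing of archive entry names (not taken from a real sample).
# RAR entries may use either path separator, so both are handled below.
SAMPLE_ENTRIES = [
    "CV_Candidate.pdf",
    "docs/readme.txt",
    "CV_Candidate.pdf:..\\..\\..\\Windows\\Temp\\update.lnk",  # ADS + traversal
    "../../Windows/System32/loader.dll",                     # plain traversal
    "C:\\Users\\Public\\drop.exe",                            # absolute path
]

_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")             # "C:\" style drive prefix
_ADS = re.compile(r"^(?P<file>[^:]*):(?P<stream>.+)$")  # "file:stream" ADS syntax


def split_ads(entry):
    """Return (file_part, stream_part); stream_part is None if no ADS syntax is present.
    A colon right after a drive letter is a path prefix, not a stream, so it is skipped.
    Any other colon is treated as a stream separator (colons are not legal in
    ordinary Windows file names, so flagging them is conservative)."""
    if _DRIVE.match(entry):
        m = _ADS.match(entry[2:])
        return (entry, None) if not m else (entry[:2] + m.group("file"), m.group("stream"))
    m = _ADS.match(entry)
    return (entry, None) if not m else (m.group("file"), m.group("stream"))


def _components(path):
    return [c for c in re.split(r"[\\/]+", path) if c]


def classify_entry(entry):
    """Return the reasons an entry is unsafe to extract; an empty list means it looks fine."""
    reasons = []
    file_part, stream = split_ads(entry)
    if stream is not None:
        reasons.append("ads-syntax")
        # The stream name is where the hidden path lives, so check it for traversal too.
        if ".." in _components(stream) or _DRIVE.match(stream) or stream[:1] in ("\\", "/"):
            reasons.append("ads-traversal")
    if ".." in _components(file_part):
        reasons.append("traversal")
    if _DRIVE.match(file_part) or file_part[:1] in ("\\", "/"):
        reasons.append("absolute-path")
    return reasons


def audit(entries):
    """Map each suspicious entry name to its list of reasons."""
    findings = {e: classify_entry(e) for e in entries}
    return {e: r for e, r in findings.items() if r}
```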
Between July 18 and July 21, 2025, RomCom targeted businesses in finance, manufacturing, defense, and logistics across Europe and Canada. They sent phishing emails disguised as job applications, with RAR file attachments that concealed the malicious files.
ESET security researchers stated that no companies were attacked during this campaign, but the attacks were well planned. They identified three primary payloads: Mythic Agent, which runs malicious code and connects to the attackers' server; SnipBot, which only operates if it detects that the computer is in active use; and MeltingClaw, which downloads further malicious files from the internet. All three were designed to evade detection by security software.
RomCom, also known as Storm-0978 or Tropical Scorpius, has a long record of exploiting zero-day vulnerabilities, that is, defects unknown to the software maker at the time of exploitation. In June 2023, the group exploited a Microsoft Word flaw (CVE-2023-36884). In October 2024, it exploited two more flaws, including one in Firefox (CVE-2024-9680), to install hidden backdoors on targeted systems. Its operations range from financially motivated attacks to espionage against specific sectors.
ESET researchers also discovered that another, unidentified group began exploiting the latest WinRAR flaw (CVE-2025-8088) shortly after RomCom did. Fortunately, the WinRAR team responded quickly, publishing a fix just one day after being notified, thereby reducing the danger and limiting potential damage.
This latest WinRAR flaw shows how quickly cyber criminals can exploit newly discovered vulnerabilities. Even trusted tools can become points of attack if they are not kept up to date. If you use WinRAR, update to the current version right away to close this security hole and keep your system safe.
Information referenced in this article is from Infosecurity Magazine.