Russian Hackers Exploit WinRAR Zero-Day to Siphon Data from Europe and Canada

A Russian threat group has been linked to a series of attacks exploiting a WinRAR zero-day vulnerability, CVE-2025-8088, that was patched only after the attacks had been observed. The flaw is a path traversal: a specially crafted archive can make WinRAR write extracted files outside the directory the user selected, which lets an attacker plant a file in a location such as the Windows Startup folder so that a dropped backdoor runs at the next login and can then collect data from the host.
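As an added illustration, not code from the original article, from WinRAR or from the researchers who reported the flaw, the following Python shows the check an archive extractor needs so that this class of bug cannot redirect a write outside the chosen destination. A zip container stands in for RAR, since the traversal pattern is the same for any format that stores entry names; the entry names in the constructed sample, the destination paths and the NTFS alternate-data-stream check are assumptions made for the demonstration, not details taken from the page.

```python
"""Hardened archive extraction: reject entries that would escape the
destination directory.  Added example; zip stands in for RAR because the
traversal pattern does not depend on the container format."""
import io
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

_DRIVE = re.compile(r"^[A-Za-z]:")  # "C:" style prefix

# Constructed entry name (assumption, not from the article) shaped like a
# Startup-folder drop: enough ".." to climb out of any plausible destination.
STARTUP = ("../../../../Users/victim/AppData/Roaming/Microsoft/Windows/"
           "Start Menu/Programs/Startup/Updater.lnk")


def entry_escapes(name: str) -> Optional[str]:
    """Return why an entry name is unsafe to extract verbatim, or None.

    Checks, in order: absolute/UNC path, drive-letter path, NTFS alternate
    data stream syntax ("file:stream", where the stream name can itself
    carry a traversal path), and ".." climbing above the destination.
    """
    n = name.replace("\\", "/")
    if n.startswith("/"):
        return "absolute path"
    if _DRIVE.match(n):
        return "drive-letter path"
    if ":" in n:
        return "alternate data stream"
    depth = 0
    for part in n.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return "parent-directory traversal"
    return None


def naive_target(dest: str, name: str) -> str:
    """Where an extractor that just joins and writes would put the entry.
    Illustration only; never write to this path."""
    return os.path.normpath(os.path.join(dest, name.replace("\\", "/")))


def safe_extract(archive_bytes: bytes, dest: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Extract only entries that resolve inside dest.

    Returns (extracted_names, [(rejected_name, reason), ...]).
    """
    dest_real = os.path.realpath(dest)
    extracted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            reason = entry_escapes(name)
            target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
            # Second, filesystem-level check: even a lexically clean name must
            # resolve under dest after normalisation and symlink resolution.
            if reason is None and os.path.commonpath([dest_real, target]) != dest_real:
                reason = "resolved path leaves destination"
            if reason is not None:
                rejected.append((name, reason))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Deliberately not zf.extract(): this mirrors a naive extractor
            # (join the name onto dest and write), which is what the checks
            # above make safe.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample (placeholders, no real payloads): a decoy résumé
    plus a Startup-folder drop, an ADS-style name and a drive-letter path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf", b"%PDF-1.4 decoy\n")
        zf.writestr(STARTUP, b"placeholder, not a real shortcut\n")
        zf.writestr("resume.pdf:../../Updater.dll", b"placeholder, not a real DLL\n")
        zf.writestr("C:/Windows/Temp/run.exe", b"placeholder, not a real EXE\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample into a scratch directory; report what was written."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _, files in os.walk(dest) for f in files
        )
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only the decoy résumé ends up on disk; the three crafted names are rejected before any write. The lexical check alone is not enough in general, which is why the resolved path is compared against the destination a second time: a symlink already present under the destination could otherwise turn a clean-looking relative name into a write elsewhere.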

The group, tracked as RomCom, delivered the exploit through spearphishing emails carrying malicious archives disguised as résumés, sent to targeted individuals at financial, defense, manufacturing and logistics companies in Europe and Canada.

None of the observed targets were compromised. Had the exploitation succeeded, the crafted archives would have deployed one of several backdoors, including SnipBot, RustyClaw and a Mythic agent.

This is not the first time RomCom has exploited zero-day vulnerabilities; the group is known for both cyberespionage and opportunistic cybercrime operations. Separately, the Russian security firm BI.ZONE reported that a different group, Paper Werewolf, exploited an earlier WinRAR path traversal flaw, CVE-2025-6218, against organizations in Russia.

The WinRAR vulnerability was patched in an update released on July 30. WinRAR does not update itself, so the fix only takes effect once the new version is installed manually; until then, archives from untrusted senders should be treated as potentially able to write outside the extraction directory. In unrelated Russia-linked activity, Microsoft recently warned of adversary-in-the-middle (AitM) attacks delivering malware to foreign embassies in Moscow.

Source: https://www.securityweek.com/russian-hackers-exploited-winrar-zero-day-in-attacks-on-europe-canada