A newly disclosed zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, has been actively exploited by the Russia-aligned cyber-espionage group RomCom. The flaw, a path traversal bug in the Windows versions of WinRAR and related tools, lets a specially crafted archive write files outside the folder the user chose for extraction, silently dropping malicious files and giving attackers persistent access to the system. Security researchers detected the attack during live spear-phishing campaigns targeting companies in Europe and Canada.
How the Exploit Works
- Attack Vector: Highly targeted spear-phishing emails disguised as job applications, containing malicious RAR archives.
- Path Traversal via ADS: The archives hide their malicious files in alternate data streams (ADSes), an NTFS feature that lets extra content ride along with a file without showing up in a normal directory listing. The stream names stored in the archive contain path traversal sequences, so when the victim extracts what looks like a single harmless document, WinRAR also writes the hidden payloads to attacker-chosen locations outside the extraction folder.
- Malware Delivery: The dropped files run at the next user login, through a shortcut (LNK) file placed in the Startup folder, or whenever a legitimate process loads a hijacked Component Object Model (COM) class, which is what COM hijacking means: a dropped DLL is registered under a COM class identifier that a trusted program instantiates. These deploy backdoors such as Mythic agent, SnipBot, and RustyClaw for command and control.
- Targets: The campaigns struck organizations in the finance, defense, manufacturing, and logistics sectors across Europe and Canada.
Why Canadian Businesses Should Be Ready
This attack is a reminder that everyday tools can become attack vectors, especially for small and midsize businesses (SMBs) that may lack automatic update infrastructure or cybersecurity maturity.
- Widespread Use: WinRAR is widely installed but has no automatic update mechanism, so unpatched copies tend to linger on endpoints.
- Focused Targeting: Spear-phishing using fake job applications can easily bypass traditional filters, especially when it lands with HR or operations teams whose job is to open unsolicited attachments.
- Espionage Risk: Backdoors like Mythic and SnipBot aren’t just nuisances; they can enable data theft, surveillance, and operational sabotage.
- Compliance Exposure: Unauthorized access or data breaches carry legal, financial, and reputational consequences, even for SMBs.
Sure Systems’ Recommendations
Make sure your infrastructure isn’t the next entry point:
- Update Immediately!
Install WinRAR version 7.13 (released July 30, 2025), which fixes the flaw in WinRAR, the Windows versions of RAR and UnRAR, the portable UnRAR source code, and UnRAR.dll; the Unix versions and RAR for Android are not affected. WinRAR does not update itself, so every installation must be updated by hand or pushed through your endpoint management tool, and third-party software that bundles its own copy of UnRAR.dll needs a fix from that vendor.
- Audit Extraction and Email Risks
Scan for RAR files received recently, especially from external contacts, and be wary of resumes or HR-related attachments.
- Harden System Defenses
Deploy endpoint management to enforce application control policies and restrict write privileges in critical directories.
- Train Teams on Phishing Tactics
Educate staff, particularly HR and operations personnel, on recognizing nuanced, socially engineered spear-phishing emails.
- Implement Real-Time Monitoring
Use detection tools to identify suspicious file activity, such as unexpected drops into Startup paths or new COM class registrations under HKCU\Software\Classes\CLSID, the usual footprint of COM hijacking.
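To make the ADS path-traversal mechanism described under How the Exploit Works concrete, and to give the audit step above something to run, here is an added example; it is not code from WinRAR, ESET, or Sure Systems. The script parses RAR5 headers directly with only the Python standard library and flags any file name or NTFS stream name that points outside the extraction directory. The archive it scans is constructed in memory by a minimal writer in the same script; the stream name :..\..\..\startup\evil.lnk is a hypothetical illustration, not one taken from the real campaign. The header layout, flag values, and the STM service-header convention follow the published RAR5 format; the traversal check itself is an added check, not a description of WinRAR's own fix.

```python
# Added example (not WinRAR's, ESET's or Sure Systems' code): walk a RAR5 archive's
# headers and flag file names or NTFS stream (ADS) names that would escape the
# extraction directory. The sample archive is constructed in memory below.
import re, struct, zlib

SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 2, 3, 5
HFL_EXTRA, HFL_DATA, HFL_CHILD = 0x01, 0x02, 0x20                # generic header flags
FHFL_MTIME, FHFL_CRC32, FHEXTRA_SUBDATA = 0x02, 0x04, 0x07        # file flags; service-data extra record
# Parent-directory traversal, absolute path, drive letter or UNC root.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:|^\\\\")

def read_vint(buf, pos):
    """Decode a RAR5 vint (little-endian base-128, high bit = more bytes)."""
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def vint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def iter_entries(data):
    """Yield (header_type, name, stream_name) for every file or service header."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos, htype = len(SIGNATURE), None
    while pos < len(data) and htype != HEAD_ENDARC:
        crc = struct.unpack_from("<I", data, pos)[0]
        hsize, body = read_vint(data, pos + 4)
        end = body + hsize                      # header size spans type field .. extra area
        if zlib.crc32(data[pos + 4:end]) != crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = read_vint(data, body)
        hflags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(data, p)
            for _ in range(2):                  # unpacked size, attributes
                _, p = read_vint(data, p)
            p += 4 * bool(fflags & FHFL_MTIME) + 4 * bool(fflags & FHFL_CRC32)
            for _ in range(2):                  # compression info, host OS
                _, p = read_vint(data, p)
            nlen, p = read_vint(data, p)
            name = data[p:p + nlen].decode("utf-8", "replace")
            p, stream = p + nlen, None
            while extra_size and p < end:       # extra records: size, type, data
                rsize, p = read_vint(data, p)
                rtype, q = read_vint(data, p)
                if htype == HEAD_SERVICE and name == "STM" and rtype == FHEXTRA_SUBDATA:
                    stream = data[q:p + rsize].decode("utf-8", "replace")
                p += rsize
            yield htype, name, stream
        pos = end + data_size                   # packed data follows the header

def find_escapes(data):
    """Return (kind, path) for entries whose target lies outside the extraction dir."""
    hits, parent = [], None
    for htype, name, stream in iter_entries(data):
        if htype == HEAD_FILE:
            parent = name                       # an STM header belongs to the preceding file
            if TRAVERSAL.search(name):
                hits.append(("file", name))
        elif stream is not None:
            body = stream[1:] if stream.startswith(":") else stream
            # A genuine NTFS stream name never contains a path separator.
            if TRAVERSAL.search(body) or re.search(r"[\\/]", body):
                hits.append(("ads", f"{parent}{stream}"))
    return hits

def _block(htype, hflags, fields, extra=b"", payload=b""):
    """Serialize one RAR5 block: CRC32, header size, type, flags, sizes, fields, extra, data."""
    hflags |= (HFL_EXTRA if extra else 0) | (HFL_DATA if payload else 0)
    body = vint(htype) + vint(hflags)
    body += (vint(len(extra)) if extra else b"") + (vint(len(payload)) if payload else b"")
    sized = vint(len(body) + len(fields) + len(extra)) + body + fields + extra
    return struct.pack("<I", zlib.crc32(sized)) + sized + payload

def _entry(htype, name, payload, extra=b"", hflags=0):
    """File or service header with stored (method 0) data and a data CRC32."""
    raw = name.encode("utf-8")
    fields = (vint(FHFL_CRC32) + vint(len(payload)) + vint(0x20)   # flags, unpacked size, attributes
              + struct.pack("<I", zlib.crc32(payload))
              + vint(0) + vint(0) + vint(len(raw)) + raw)          # comp info, host OS, name
    return _block(htype, hflags, fields, extra, payload)

def build_sample_archive(stream_name, decoy_name="resume.pdf"):
    """CONSTRUCTED sample (not a capture from the campaign): decoy document plus a hypothetical STM stream name."""
    rec = vint(FHEXTRA_SUBDATA) + stream_name.encode("utf-8")
    return (SIGNATURE
            + _block(1, 0, vint(0))                                         # main header, no flags
            + _entry(HEAD_FILE, decoy_name, b"%PDF-1.4 decoy\n")
            + _entry(HEAD_SERVICE, "STM", b"hidden payload", vint(len(rec)) + rec, HFL_CHILD)
            + _block(HEAD_ENDARC, 0, vint(0)))                              # end-of-archive flags
```

Point find_escapes at the bytes of any received .rar file before it reaches a user: an archive that lists one document but carries stream names containing separators or a parent-directory sequence is exactly the pattern described above, and a clean archive returns an empty list. The script handles only the RAR5 format (archives starting with the Rar!\x1a\x07\x01\x00 signature) and rejects anything else, so older RAR4 archives need a separate check.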
Don’t Let Your Tools Put You at Risk
Don’t wait for an attack. Readiness is your best defense. Make sure your tools help you work at your best, instead of leaving you vulnerable.
Know your risk.
Sure Systems delivers tailored, proactive cybersecurity solutions, including managed endpoint hardening, email protection, and user awareness training, to stop threats before they start.
