A new WinRAR vulnerability is being exploited in phishing campaigns, allowing hackers to silently install malware on vulnerable PCs.
WinRAR is a file compression tool used by millions all over the world to open and create RAR files. However, that popularity has marked it out as a tempting target for hackers. As such, the discovery of a zero-day vulnerability has put millions of PC users at risk of malware. The attack, which is being spread via phishing emails, stems from RomCom, a hacking group originating from Russia. The infection has the potential to compromise personal data and the security of IT infrastructures, so it’s being treated as highly serious.
The Dangers of Vulnerable Software
The newly discovered vulnerability, which has been assigned the CVE-2025-8088 identifier, is what those in the know call a directory traversal vulnerability (DTV). Readers of this blog, though, are less likely to know what a DTV is, so we’ll break it down for you. A DTV allows an attacker to craft a RAR archive so that, when it is opened, the files inside are not written to the folder the user chose but to sensitive parts of the PC’s file system. Naturally, this is all done stealthily in the background, with the end user none the wiser about what has happened.
The attack tends to target the Windows Startup folder, a folder whose contents Windows automatically runs each time the PC boots up. So, if one of these malicious RAR files has been opened, RomCom’s malware can quietly be placed in the Startup folder and will relaunch every time the PC is booted up. This enables it to constantly harvest data, record user activity, and download further malware.
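As an added example that is not part of the original post, here is how an extractor (or an attachment scanner at the email gateway) can check an archive’s entry names before writing anything to disk: each name is resolved against the folder the user chose, and any entry that would land outside that folder, such as one aimed at the Startup folder described above, is refused rather than extracted. The folder paths, entry names and the `updater.exe` file name are constructed for illustration; the check is written with Python’s `ntpath` so that it models Windows path rules on any operating system.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

# Constructed example: the folder the user asked WinRAR to extract into.
DEST_DIR = r"C:\Users\alice\Downloads\invoice"

# Constructed example: the per-user Startup folder that Windows runs at every logon.
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed entry names as an archive might list them. Names 4-6 are
# traversal entries: a '..' chain, a rooted path, and a different drive.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    r"subdir\..\ok.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"\Users\Public\notes.txt",
    r"D:\backup\x.txt",
]


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Return the absolute Windows path a naive extractor would write this entry to.

    Entry names are untrusted: they may mix '/' and '\\', contain '..'
    components, start with a drive letter, or start with a root slash.
    ntpath.join keeps the drive of dest_dir for rooted names and switches
    drive for names that carry their own, exactly as a careless join would.
    """
    name = entry_name.replace("/", "\\")          # Windows treats '/' as a separator
    return ntpath.normpath(ntpath.join(dest_dir, name))  # normpath collapses '..' and '.'


def is_within(base_dir: str, target: str) -> bool:
    """True when target lies inside base_dir (case-insensitive, as on Windows)."""
    base = ntpath.normcase(ntpath.normpath(base_dir))
    target = ntpath.normcase(target)
    try:
        return ntpath.commonpath([base, target]) == base
    except ValueError:
        # Raised when the two paths are on different drives: certainly outside.
        return False


def escapes(dest_dir: str, entry_name: str) -> bool:
    """True when extracting entry_name would write outside dest_dir (a traversal entry)."""
    return not is_within(dest_dir, resolve_entry(dest_dir, entry_name))


def lands_in_startup(dest_dir: str, entry_name: str, startup_dir: str = STARTUP_DIR) -> bool:
    """True when the entry would end up in the Startup folder, i.e. run at every boot."""
    return is_within(startup_dir, resolve_entry(dest_dir, entry_name))


def audit_archive(dest_dir: str, entry_names: Iterable[str]) -> Dict[str, list]:
    """Classify every entry before extraction.

    Returns {"safe": [name, ...], "traversal": [(name, resolved_target), ...]}.
    A safe extractor writes only the "safe" list and reports the rest.
    """
    report: Dict[str, list] = {"safe": [], "traversal": []}
    for name in entry_names:
        if escapes(dest_dir, name):
            report["traversal"].append((name, resolve_entry(dest_dir, name)))
        else:
            report["safe"].append(name)
    return report


if __name__ == "__main__":
    result = audit_archive(DEST_DIR, SAMPLE_ENTRIES)
    for name in result["safe"]:
        print("OK       ", name)
    for name, target in result["traversal"]:
        flag = " (would land in the Startup folder)" if lands_in_startup(DEST_DIR, name) else ""
        print("REFUSED  ", name, "->", target + flag)
```

The check deliberately resolves the full path first and only then compares, because a simple search for `..` in the name misses rooted paths and drive-letter paths, while `subdir\..\ok.txt` contains `..` yet is perfectly safe. Comparing after `normcase` matters too: Windows paths are case-insensitive, so `c:\users` and `C:\Users` must be treated as the same folder.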
ESET, the cybersecurity company that discovered the flaw, has confirmed that RomCom is the hacking group behind this attack. RomCom is well-known within the cybersecurity community, so this attack has come as little surprise, with phishing campaigns remaining highly popular among hackers. The emails deployed by RomCom are disguised to appear as though they originate from trusted organizations or known contacts – this is to encourage targets to open the emails, and their attachments, without a second thought.
One of the problems with this vulnerability is that WinRAR doesn’t have an in-built automatic update feature. Therefore, many WinRAR users won’t even be aware that their software is out of date and at risk of being exploited.
Turning the Tables on Phishing Attacks

Many organizations use WinRAR, so it’s paramount that you know how to keep your IT systems safe from this attack. You can help secure your defenses by putting these best practices into action:
- Update WinRAR Manually: If you’re a user of WinRAR, don’t assume that you have the latest update in place. Head to the official WinRAR website and download version 7.13 or later. Version 7.13 and later include the patch for CVE-2025-8088, which closes the hole RomCom is exploiting.
- Scrutinize All RAR Attachments: While you should be suspicious of all email attachments, you and your employees should be on high alert for any RAR attachments received by email. If you do receive one, take time to verify it before opening it. If it’s sent by someone you know, contact them through another communication channel to confirm it’s genuine. RAR attachments from unknown sources should be handed to an IT professional to verify.
- Monitor Your Startup Programs: We take our PCs for granted, and that extends to the startup process. However, monitoring your startup process – and the programs which load when Windows starts – could provide you with an early warning that something malicious is on your PC. If something unusual does appear, disable it immediately and have it checked.
For more ways to secure and optimize your business technology, contact your local IT professionals.