2025-08-21

RomCom Continues Exploiting Zero-Day Vulnerabilities With CVE-2025-8088

Level: Tactical | Source: ESET
Sectors: Defense, Financial, Manufacturing, Logistics


Russian-aligned threat group RomCom (aka Storm-0978, Tropical Scorpius, or UNC2596) has been observed conducting a targeted cyberespionage campaign exploiting CVE-2025-8088, a then-zero-day vulnerability in WinRAR. According to ESET, this operation took place from July 18 to July 21, 2025, and targeted financial, manufacturing, defense, and logistics organizations in Europe and Canada. No successful compromises were reported, but the campaign reflects the group’s continued focus on leveraging zero-days to achieve its objectives. The flaw, a path traversal vulnerability in the Windows version of WinRAR, allowed attackers to execute arbitrary code by delivering specially crafted archives. Following ESET’s disclosure to the WinRAR developers, a fix was issued in version 7.13 on July 30, 2025. The group’s motive is assessed as espionage and intelligence collection, and the activity is attributed to RomCom with high confidence based on observed TTPs and targeting.

ESET’s analysis revealed that the intrusion began with spearphishing emails impersonating job applicants, delivering malicious archive files. While presenting a single visible file to the victim, these archives contained multiple alternate data streams (ADSes) that unpacked to drop a DLL into the %TEMP% directory and a shortcut (LNK) file into the Windows Startup folder for persistence. These ADSes were crafted with varying path traversal depths, accompanied by dummy data to obscure the malicious content from casual inspection. Once extracted, the LNK file initiated one of several distinct malware execution chains, each tailored for different payloads and operational goals.
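The drop technique described above (a single visible file whose alternate data streams carry traversal paths into %TEMP% and the Startup folder) is the kind of thing a triage rule can flag from entry names alone. The following is an added example, not code from ESET or from the original post: it assumes the entry names have already been listed by an archive tool and uses constructed sample names (only msedge.dll is taken from the report; the CV file name, the LNK name and the traversal depths are hypothetical).

```python
from __future__ import annotations
import re

# Constructed sample of archive entry names shaped like the lure ESET describes:
# one visible file plus ADS entries whose stream names traverse out of the
# extraction directory. All names except msedge.dll are hypothetical.
SAMPLE_ENTRIES = [
    "Applicant_CV.pdf",
    "Applicant_CV.pdf:..\\..\\..\\AppData\\Local\\Temp\\msedge.dll",
    "Applicant_CV.pdf:..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Applicant_CV.pdf:notes_stream",  # dummy data padding the real streams
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"
TEMP_DIR = "\\appdata\\local\\temp\\"
AUTORUN_EXT = ("lnk", "dll", "exe")


def triage_entry(name: str) -> list[str]:
    """Return the reasons an entry name looks like a CVE-2025-8088-style drop."""
    reasons: list[str] = []
    base, sep, stream = name.partition(":")
    # A colon that is not a drive letter marks an NTFS alternate data stream.
    has_ads = bool(sep) and not (len(base) == 1 and base.isalpha())
    target = stream if has_ads else name
    if has_ads:
        reasons.append("alternate data stream")
    depth = re.split(r"[\\/]", target).count("..")  # number of '..' components
    if depth:
        reasons.append(f"path traversal (depth {depth})")
    low = target.lower().replace("/", "\\")
    if STARTUP_DIR in low:
        reasons.append("writes into Startup folder")
    if TEMP_DIR in low:
        reasons.append("writes into %TEMP%")
    ext = low.rsplit(".", 1)[-1] if "." in low else ""
    if ext in AUTORUN_EXT and (has_ads or depth):
        reasons.append(f"drops executable content (.{ext})")
    return reasons


def triage_archive(entries: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry to its findings; clean entries are omitted."""
    return {e: r for e in entries if (r := triage_entry(e))}


if __name__ == "__main__":
    for entry, reasons in triage_archive(SAMPLE_ENTRIES).items():
        print(f"{entry}\n    -> {', '.join(reasons)}")
```

An ADS with no traversal and no executable extension (the dummy stream) is reported only as "alternate data stream", so a reviewer can weight it lower than an entry that also escapes the extraction directory.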

In the Mythic agent execution chain, the malicious LNK added a registry value under "HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32" pointing to "%TEMP%\msedge.dll", enabling COM hijacking for persistence and execution. This DLL decrypted embedded shellcode via AES, which included hardcoded domain checks for target validation before deploying a Mythic command-and-control profile. The SnipBot variant chain involved an LNK launching "%LOCALAPPDATA%\ApbxHelper.exe", a modified PuTTY fork signed with an invalid certificate. Execution only proceeded if a specific registry key indicated a minimum number of documents had recently been opened, acting as an anti-analysis safeguard. If conditions were met, the malware decrypted shellcode to fetch additional payloads from remote infrastructure. The MeltingClaw chain leveraged "%LOCALAPPDATA%\Complaint.exe" (RustyClaw), a Rust-based downloader signed with another invalid certificate, which retrieved the MeltingClaw loader from an external server for further control and operations.

ESET notes that RomCom’s exploitation of CVE-2025-8088 reflects a broader operational pattern, with prior incidents including the use of CVE-2023-36884 in 2023 and CVE-2024-9680 in 2024. "This is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group performed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to the Ukrainian World Congress," warn ESET researchers, adding: "By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations." Concerns remain over wider exploitation of CVE-2025-8088 because a public proof-of-concept is available. ESET advises all users of WinRAR and related components to update to version 7.13 or later to mitigate exposure to this vulnerability.
