New hacking method discovered that abuses WinRAR
A security flaw in WinRAR allowed hackers to use the popular data compression program to carry out attacks on unsuspecting users
The cybersecurity firm ESET has raised the alarm after discovering a new attack method that takes advantage of a zero-day vulnerability in WinRAR, the popular software for compressing and decompressing files. The discovery reveals that a cybercriminal group, linked to Russian interests, has been using this flaw to hide malware in RAR files disguised as job applications, with the aim of deceiving very specific victims.
The research, carried out in July 2025, shows that these attacks have primarily targeted companies in the financial, defense, manufacturing, and logistics sectors in Europe and Canada. Although the campaign was detected early and no confirmed compromises were recorded, the case makes it clear that hackers are perfecting their methods to break into critical systems.
How the attack works and why WinRAR is key
The attack vector discovered by ESET relies on a previously unknown vulnerability: a path traversal through alternate data streams (ADS), the NTFS feature that lets a file carry additional named streams alongside its main content. Simply put, a crafted RAR archive could make WinRAR write files to locations outside the folder the user chose for extraction, while the user saw only the harmless-looking document they expected.
The deception began with a spearphishing email carrying an archive named to look like a résumé, for example: Eli_Rosenfeld_CV2 – Copy (10).rar. When the user extracted it in WinRAR, the program wrote not only the decoy document the user saw, but also several hidden components: a malicious DLL in the temporary folder and an LNK shortcut dropped into the Windows Startup folder, so that the malware was launched at the next logon and persisted on the machine.
The most dangerous aspect is that the exploit ran silently; the user had to do nothing beyond extracting the archive. From there the attacker could execute remote commands, download additional modules, and spy on the compromised system. WinRAR released a patched version (7.13) shortly after being notified, but by then the vulnerability had already been exploited.
Who's behind it and who are they targeting?
ESET attributes this attack to the RomCom group, also tracked as Storm-0978, Tropical Scorpius, and UNC2596. This is a Russia-aligned group that combines cybercrime operations with espionage missions, especially against strategic sectors of geopolitical relevance.
RomCom is not new to this. In the past, it has exploited vulnerabilities in Microsoft Word (June 2023) and in browsers such as Firefox, Thunderbird, and Tor (October 2024). This is at least the third time it has been caught exploiting a zero-day "in the wild," which highlights its access to advanced resources and technical knowledge.
The potential victims of this campaign appear to have been chosen with care: defense companies, banks, manufacturers, and logistics operators that handle sensitive information and that, if infiltrated, could become a source of high-value intelligence. According to ESET, the targeting fits the typical interests of APT (advanced persistent threat) groups linked to Moscow.
An urgent reminder for users
Although no compromised victims were reported on this occasion, the incident is a clear warning: updating your software is essential. The vulnerability affects not only WinRAR itself but also the Windows builds of RAR and UnRAR and any utility that depends on the UnRAR.dll library, which widens the scope of the problem; the Unix and Android versions are not affected.
ESET recommends installing the latest version of WinRAR and of any tools that use its components, and exercising extreme caution with files received by email, even if they appear legitimate. WinRAR has no automatic update mechanism, so the patched build has to be downloaded and installed manually. Spearphishing remains one of the most effective techniques because it appeals to the user's curiosity or sense of urgency to open the file.
The case also highlights how cyberespionage operations are intertwined with more conventional cybercrime tactics. For RomCom, stealing confidential data and planting a backdoor whose access can later be sold to other actors are two sides of the same operation. And as long as vulnerabilities continue to appear, these groups will continue to look for ways to exploit them before they are patched.