
RomCom Group Deployed SnipBot, RustyClaw and Mythic Agent Variants
A Russian-speaking hacking group is exploiting a zero-day flaw in WinRAR, a sign of the group's growing sophistication and of its evolution from a cybercrime outfit into a cyberespionage operation.
Researchers at security firm Eset uncovered the campaign, which has been active since July. It exploited a path traversal vulnerability now tracked as CVE-2025-8088. WinRAR published a patch on July 31 after Eset researchers alerted the company.
RomCom, also tracked as Storm-0978, Tropical Scorpius and UNC2596, mainly deployed ransomware in the past. Since Russia’s 2022 invasion of Ukraine, the group has conducted cyberespionage operations aligned with Kremlin interests, along with conventional cybercrime operations. “This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks,” Eset researchers said about the latest campaign.
The campaign begins with phishing emails disguised as job applications. The attackers abused the alternate data stream feature of the Windows NTFS file system to embed malicious code that WinRAR unpacked automatically, and they used multiple alternate data stream entries containing dummy data and invalid paths to conceal their payloads.
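The defensive counterpart to the technique described above is an archive extractor that refuses any entry whose file name or alternate data stream name would resolve outside the extraction directory. The following is an added example, not code from Eset or the article: it audits a constructed list of archive entry names (file name, optionally followed by ":" and an NTFS stream name, as a listing tool might print them) and reports the ones a safe extractor should reject. The entry names and traversal strings are placeholders, not indicators from the campaign.

```python
from typing import List, Optional, Tuple

# Constructed sample listing of archive entry names. The traversal strings are
# placeholders, not paths observed in the campaign.
SAMPLE_ENTRIES = [
    "CV_Applicant.pdf",
    "CV_Applicant.pdf:Zone.Identifier",
    "CV_Applicant.pdf:..\\..\\..\\placeholder_dir\\payload.dll",
    "CV_Applicant.pdf:\\invalid\\path\\decoy",
    "..\\escape.txt",
    "C:\\abs\\path.txt",
]

def split_ads(name: str) -> Tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream); a leading drive letter ('C:') stays with the file part."""
    start = 2 if len(name) > 1 and name[1] == ":" and name[0].isalpha() else 0
    idx = name.find(":", start)
    return (name, None) if idx == -1 else (name[:idx], name[idx + 1:])

def path_problem(component: str) -> Optional[str]:
    """Return why this path would land outside the extraction directory, or None if it is safe."""
    norm = component.replace("\\", "/")
    # Drive-letter, UNC or root-anchored paths are absolute and never acceptable in an archive entry.
    if (len(norm) > 1 and norm[1] == ":" and norm[0].isalpha()) or norm.startswith("/"):
        return "absolute path"
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        depth = depth - 1 if part == ".." else depth + 1
        if depth < 0:  # a '..' that climbs above the extraction root, even if later parts descend again
            return "traverses above extraction directory"
    return None

def audit_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry whose file name or ADS name is unsafe to extract."""
    findings = []
    for entry in entries:
        base, stream = split_ads(entry)
        reason = path_problem(base)
        if reason:
            findings.append((entry, "file name: " + reason))
            continue
        if stream is not None:
            reason = path_problem(stream)
            if reason:
                findings.append((entry, "ADS name: " + reason))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_entries(SAMPLE_ENTRIES):
        print(f"REJECT {entry!r}: {reason}")
```

The check is applied to the stream name separately from the file name because a harmless-looking file name can carry a traversing stream name behind the colon.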
Researchers observed three infection chains, each deploying a different malware variant: SnipBot, RustyClaw and a Mythic agent.
“The discovered campaign targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation,” Eset researchers said.
In addition to RomCom, another threat group tracked as Paper Werewolf and Goffee is exploiting the WinRAR flaw to target Russian companies, Moscow-based Bi.zone said.
Hacking campaigns using job impersonation were previously a hallmark of North Korean hackers, but cybercriminals across the world now deploy the same tactic (see: North Korean Hackers Spreading Malware Via Fake Interviews).

