{"id":278,"date":"2026-03-21T20:15:20","date_gmt":"2026-03-21T20:15:20","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/21\/romcom-and-others-exploiting-zero-day-vulnerability\/"},"modified":"2026-03-21T20:15:20","modified_gmt":"2026-03-21T20:15:20","slug":"romcom-and-others-exploiting-zero-day-vulnerability","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/21\/romcom-and-others-exploiting-zero-day-vulnerability\/","title":{"rendered":"RomCom and others exploiting zero-day vulnerability"},"content":{"rendered":"<div>\n<p>ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild. Previous examples include the abuse of <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36884\" target=\"_blank\" rel=\"noopener\">CVE-2023-36884<\/a> via Microsoft Word in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/11\/storm-0978-attacks-reveal-financial-and-espionage-motives\/\" target=\"_blank\" rel=\"noopener\">June 2023<\/a>, and the combined vulnerabilities assigned <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-9680\" target=\"_blank\" rel=\"noopener\">CVE\u20112024\u20119680<\/a> chained with another previously unknown vulnerability in Windows, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-49039\" target=\"_blank\" rel=\"noopener\">CVE\u20112024\u201149039<\/a>, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser, leading to arbitrary code execution in the context of the logged-in user in October 2024.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>If you use WinRAR or other affected components such as the Windows versions of its command line utilities, UnRAR.dll, or the portable UnRAR source code, upgrade 
immediately to the latest version.<\/li>\n<li>On July 18<sup>th<\/sup>, 2025, ESET researchers discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild.<\/li>\n<li>Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams. After immediate notification, WinRAR released a patched version on July 30<sup>th<\/sup>, 2025.<\/li>\n<li>The vulnerability allows hiding malicious files in an archive, which are silently deployed when extracting.<\/li>\n<li>Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and Mythic agent.<\/li>\n<li>This campaign targeted financial, manufacturing, defense, and logistics companies in Europe and Canada.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>RomCom profile<\/h2>\n<p>RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group\u2019s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor commonly used by the group is capable of executing commands and downloading additional modules to the victim\u2019s machine.<\/p>\n<h2>The discovery of CVE-2025-8088<\/h2>\n<p>On July 18<sup>th<\/sup>, 2025, we observed a malicious DLL named <span style=\"font-family: courier new, courier, monospace;\">msedge.dll<\/span> in a RAR archive containing unusual paths that caught our attention. Upon further analysis, we found that the attackers were exploiting a previously unknown vulnerability affecting <a href=\"https:\/\/www.win-rar.com\/\" target=\"_blank\" rel=\"noopener\">WinRAR<\/a>, including the then-current version, 7.12. 
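<p>As an added example for triaging attachments (this is not ESET's or RARLAB's code, and upgrading to WinRAR 7.13 remains the fix), the Python script below parses a RAR 5.0 archive without extracting it and reports entries that would escape the extraction directory. It follows the RAR 5.0 header layout: an 8-byte signature, then a chain of headers each prefixed by a CRC32 and a variable-length size, in which NTFS streams are carried as service headers named <span style=\"font-family: courier new, courier, monospace;\">STM<\/span> with the stream name in the header's service-data extra record. It flags stream names that contain <span style=\"font-family: courier new, courier, monospace;\">..<\/span> or a path separator (a legitimate stream name is only <span style=\"font-family: courier new, courier, monospace;\">:name<\/span>, since separators are not valid in NTFS stream names), which is the CVE-2025-8088 shape, and plain entry names with <span style=\"font-family: courier new, courier, monospace;\">..<\/span> components or absolute paths, the CVE-2025-6218 shape. The archive it scans is constructed inside the block from placeholder bytes and is not one of the campaign samples; older RAR 1.5-4.x archives, which store streams differently, are not handled.<\/p>

```python
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02        # header flags: extra area / data area present
FHFL_MTIME, FHFL_CRC32 = 0x02, 0x04     # file/service header flags: mtime / data CRC32 present
EXTRA_SUBDATA = 0x07                    # "service data" extra record; for STM it carries the ADS name

def vint(buf, pos):
    """Decode a RAR5 variable-length integer (7 bits per byte, LSB first) -> (value, next pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def enc_vint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def block(htype, body, extra=b"", data=b""):
    """One RAR5 block: CRC32 over (size, type, flags, sizes, body, extra), then the data area."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    fields = enc_vint(htype) + enc_vint(flags)
    fields += enc_vint(len(extra)) if extra else b""
    fields += enc_vint(len(data)) if data else b""
    sized = enc_vint(len(fields) + len(body) + len(extra)) + fields + body + extra
    return struct.pack("<I", zlib.crc32(sized)) + sized + data

def build_rar5(entries):
    """Fixture builder (constructed test data): entries are ('file', name, data) or ('stm', ads_name, data)."""
    out = RAR5_SIG + block(HEAD_MAIN, enc_vint(0))
    for kind, name, data in entries:
        # flags, unpacked size, attributes, data CRC32, compression info (store), host OS (Windows)
        body = (enc_vint(FHFL_CRC32) + enc_vint(len(data)) + enc_vint(0x20)
                + struct.pack("<I", zlib.crc32(data)) + enc_vint(0) + enc_vint(0))
        if kind == "file":
            out += block(HEAD_FILE, body + enc_vint(len(name)) + name.encode(), b"", data)
        else:  # service header named STM; the stream name rides in the extra area
            rec = enc_vint(EXTRA_SUBDATA) + name.encode()
            out += block(HEAD_SERVICE, body + enc_vint(3) + b"STM", enc_vint(len(rec)) + rec, data)
    return out + block(HEAD_END, enc_vint(0))

def is_traversal(name):  # '..' component, absolute path or drive letter in an entry name
    parts = name.replace("\\", "/").split("/")
    return ".." in parts or name.startswith("/") or name[1:2] == ":"

def is_bad_stream(stream):  # a legitimate ADS name is ':name'; '..' or a separator means traversal
    return not stream.startswith(":") or ".." in stream or any(c in stream[1:] for c in "\\/")

def scan(buf):
    """Walk the header chain and return [(kind, name, reason)] for suspicious entries."""
    pos, findings = len(RAR5_SIG), []
    while pos < len(buf):
        hsize, p = vint(buf, pos + 4)
        end = p + hsize                         # header size counts from the type field
        if zlib.crc32(buf[pos + 4:end]) != struct.unpack_from("<I", buf, pos)[0]:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = vint(buf, p)
        hflags, p = vint(buf, p)
        _, p = vint(buf, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = vint(buf, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = vint(buf, p)
            for _ in range(2):                  # unpacked size, attributes
                _, p = vint(buf, p)
            p += (4 if fflags & FHFL_MTIME else 0) + (4 if fflags & FHFL_CRC32 else 0)
            for _ in range(2):                  # compression info, host OS
                _, p = vint(buf, p)
            nlen, p = vint(buf, p)
            name = buf[p:p + nlen].decode("utf-8", "replace")
            p += nlen
            if htype == HEAD_FILE and is_traversal(name):
                findings.append(("file", name, "entry name escapes the extraction directory"))
            elif htype == HEAD_SERVICE and name == "STM":
                while p < end:                  # extra records: size vint, type vint, data
                    rsize, p = vint(buf, p)
                    rtype, q = vint(buf, p)
                    stream = buf[q:p + rsize].decode("utf-8", "replace")
                    if rtype == EXTRA_SUBDATA and is_bad_stream(stream):
                        findings.append(("ads", stream, "ADS name contains '..' or a path separator"))
                    p += rsize
        pos = len(buf) if htype == HEAD_END else end + data_size
    return findings

# Constructed fixture (placeholder bytes, not a campaign sample): a benign-looking document, a
# legitimate Zone.Identifier stream, an ADS whose name climbs with '..\', and a plain traversal name.
SAMPLE = build_rar5([
    ("file", "resume.pdf", b"%PDF-1.4 placeholder"),
    ("stm", ":Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("stm", ":..\\..\\..\\AppData\\Local\\Temp\\payload.dll", b"MZ placeholder"),
    ("file", "../../escape.txt", b"placeholder"),
])
```

<p>Call <span style=\"font-family: courier new, courier, monospace;\">scan<\/span> on the bytes of an attachment; any finding is reason enough to quarantine. Because the check reads only the archive headers, it can run on a mail gateway or in a sandbox before anything is extracted, and it does not depend on which WinRAR build the endpoint has.<\/p>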
On July 24<sup>th<\/sup>, 2025, we contacted the developer of WinRAR, and on the same day the vulnerability was fixed and WinRAR 7.13 beta 1 was published. WinRAR 7.13 was published on July 30<sup>th<\/sup>, 2025. Users of WinRAR are advised to install the latest version as soon as possible to mitigate the risk. Note that software solutions relying on publicly available Windows versions of UnRAR.dll or its corresponding source code are affected as well, especially those that have not updated their dependencies.<\/p>\n<p>The vulnerability, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-8088\" target=\"_blank\" rel=\"noopener\">CVE-2025-8088<\/a>, uses <a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-fscc\/c54dec26-1551-4d3a-a0ea-4fa40f848eb3\" target=\"_blank\" rel=\"noopener\">alternate data streams<\/a> (ADSes) for path traversal. Note that a similar path traversal vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-6218\" target=\"_blank\" rel=\"noopener\">CVE\u20112025\u20116218<\/a>) affecting WinRAR was <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-25-409\/\" target=\"_blank\" rel=\"noopener\">disclosed<\/a> on June 19<sup>th<\/sup>, 2025, approximately a month earlier.<\/p>\n<p>The attackers specially crafted the archive to appear to contain only one benign file (see Figure 1), while it actually contains many malicious ADSes (there\u2019s no indication of them from the user\u2019s point of view).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Eli_Rosenfeld_CV2 - Copy (10).rar opened in WinRAR\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-1.png\" alt=\"Figure 1. Eli_Rosenfeld_CV2 - Copy (10).rar opened in WinRAR\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. 
<\/em><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (10).rar<\/span><em> opened in WinRAR<\/em><\/figcaption><\/figure>\n<p>Once a victim opens this seemingly benign file, WinRAR unpacks it along with all its ADSes. For example, for <span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (10).rar<\/span>, a malicious DLL is deployed into <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span>. Likewise, a malicious LNK file is deployed into the Windows startup directory, thereby achieving persistence via execution on user login.<\/p>\n<p>To ensure higher success, the attackers provided multiple ADSes with increasing depths of parent directory relative path elements (<span style=\"font-family: courier new, courier, monospace;\">..\\\\<\/span>). However, this introduces nonexistent paths that WinRAR visibly warns about. Interestingly, the attackers added ADSes that contain dummy data and are expected to have invalid paths. We suspect that the attackers introduced them so that the victim does not notice the suspicious DLL and LNK paths (see Figure 2). Only when scrolling down in the WinRAR user interface are the suspicious paths revealed, as seen in Figure 3.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Displayed WinRAR errors when unpacking Eli_Rosenfeld_CV2 - Copy (10).rar\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-2.png\" alt=\"Figure 2. Displayed WinRAR errors when unpacking Eli_Rosenfeld_CV2 - Copy (10).rar\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Displayed WinRAR errors when unpacking <\/em><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (10)<em>.rar<\/em><\/span><\/figcaption><\/figure>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. 
Displayed WinRAR errors when unpacking Eli_Rosenfeld_CV2 - Copy (10).rar; scrolled down and highlighted\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-3-1.png\" alt=\"Figure 3. Displayed WinRAR errors when unpacking Eli_Rosenfeld_CV2 - Copy (10).rar; scr\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Displayed WinRAR errors when unpacking <\/em><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (10).rar<\/span><em>; scrolled down and highlighted<\/em><\/figcaption><\/figure>\n<h2>Compromise chain<\/h2>\n<p>According to ESET telemetry, such archives were used in spearphishing campaigns from the 18<sup>th<\/sup> to 21<sup>st<\/sup> July, 2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. Table\u00a01 contains the spearphishing emails \u2013 sender, subject, and filename of the attachment \u2013 used in the campaigns, and Figure 4 shows the message we observed in an email. In all cases, the attackers sent a CV hoping that a curious target would open it. According to ESET telemetry, none of the targets were compromised.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a01. 
Spearphishing emails observed in ESET telemetry<\/em><\/p>\n<table border=\"1\" width=\"633\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"217\"><strong>Sender<\/strong><\/td>\n<td width=\"132\"><strong>Subject<\/strong><\/td>\n<td width=\"283\"><strong>Attachment<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"4\" width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Simona &lt;2constheatcomshirl@seznam[.]cz&gt;<\/span><\/td>\n<td rowspan=\"4\" width=\"132\">Experienced Web3 Developer &#8211; CV Attached for Consideration<\/td>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (100) &#8211; Copy &#8211; Copy &#8211; Copy &#8211; Copy &#8211; Copy &#8211; Copy.rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (100) &#8211; Copy &#8211; Copy &#8211; Copy &#8211; Copy &#8211; Copy.rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (100) &#8211; Copy &#8211; Copy &#8211; Copy &#8211; Copy.rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; Copy (10).rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Marshall Rico <geoshilovyf\/><\/span><\/td>\n<td rowspan=\"5\" width=\"132\">Motivated Applicant &#8211; Resume Enclosed<\/td>\n<td rowspan=\"5\" width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">cv_submission.rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Simona &lt;93leocarperpiyd@seznam[.]cz&gt;<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Simona 
&lt;93geoprobmenfuuu@seznam[.]cz&gt;<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Simona &lt;2constheatcomshirl@seznam[.]cz&gt;<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Simona &lt;3tiafratferpate@seznam[.]cz&gt;<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Russell Martin <sampnestpihydbi\/><\/span><\/td>\n<td width=\"132\">Job Application<\/td>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">Datos adjuntos sin t\u00edtulo 00170.dat<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Pepita Cordero <stefanmuribi\/><\/span><\/td>\n<td width=\"132\">Application for Job Openings &#8211; Pepita Cordero<\/td>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">JobDocs_July2025.rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Sacchetti Jami <patricklofiri\/><\/span><\/td>\n<td width=\"132\">Application for Job Openings &#8211; Sacchetti Jami<\/td>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">Recruitment_Dossier_July_2025.rar<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"217\"><span style=\"font-family: courier new, courier, monospace;\">Jennifer Hunt <emponafinpu\/><\/span><\/td>\n<td width=\"132\">Applying for the Role<\/td>\n<td width=\"283\"><span style=\"font-family: courier new, courier, monospace;\">cv_submission.rar<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. Observed email message\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-4.png\" alt=\"Figure 4. Observed email message\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. 
Observed email message<\/em><\/figcaption><\/figure>\n<p>These RAR files always contain two malicious files: a LNK file, unpacked to the Windows startup directory, and a DLL or EXE, unpacked to either <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> or <span style=\"font-family: courier new, courier, monospace;\">%LOCALAPPDATA%<\/span>. Some of the archives share the same malware. We have identified three execution chains.<\/p>\n<h3>Mythic agent execution chain<\/h3>\n<p>In the first execution chain, depicted in Figure 5, the malicious LNK file <span style=\"font-family: courier new, courier, monospace;\">Updater.lnk<\/span> adds the registry value <span style=\"font-family: courier new, courier, monospace;\">HKCU\\SOFTWARE\\Classes\\CLSID\\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\\InprocServer32<\/span> and sets it to <span style=\"font-family: courier new, courier, monospace;\">%TEMP%\\msedge.dll<\/span>. This is used to trigger execution of that DLL via <a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1546\/015\/\" target=\"_blank\" rel=\"noopener\">COM hijacking<\/a>. Specifically, the CLSID corresponds to the <a href=\"https:\/\/strontic.github.io\/xcyclopedia\/library\/clsid_1299CF18-C4F5-4B6A-BB0F-2299F0398E27.html\" target=\"_blank\" rel=\"noopener\">PSFactoryBuffer<\/a> object present in <span style=\"font-family: courier new, courier, monospace;\">npmproxy.dll<\/span>. As a result, any executable trying to load it (e.g., Microsoft Edge) will trigger code execution of the malicious DLL. This DLL is responsible for decrypting embedded shellcode via AES and subsequently executing it. Interestingly, it retrieves the domain name for the current machine, which typically contains the company name, and compares it with a hardcoded value, exiting if the two values do not match. 
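<p>The registry change described above is worth hunting for at scale. The script below is an added example (not ESET's tooling) that triages a per-user registry export for COM hijacks of this kind. Because a CLSID registered under <span style=\"font-family: courier new, courier, monospace;\">HKCU\\Software\\Classes\\CLSID<\/span> takes precedence over the machine-wide registration of the same CLSID, the hijack needs no administrative rights, so the heuristic is to list every per-user InprocServer32 default value and flag those whose DLL resolves into a user-writable location such as <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span>, <span style=\"font-family: courier new, courier, monospace;\">%LOCALAPPDATA%<\/span> or <span style=\"font-family: courier new, courier, monospace;\">%APPDATA%<\/span>; the CLSID used in this campaign is kept as a known-abused identifier. The .reg text and the environment mapping are constructed for the example. On a live host, export the hive with <span style=\"font-family: courier new, courier, monospace;\">reg export HKCU\\Software\\Classes\\CLSID hkcu_clsid.reg<\/span>, read the file with UTF-16 encoding, and pass its contents to <span style=\"font-family: courier new, courier, monospace;\">triage<\/span>.<\/p>

```python
import re

# CLSID hijacked in the Mythic chain described above (PSFactoryBuffer, normally
# served by npmproxy.dll); every other CLSID is judged by the path heuristic alone.
KNOWN_ABUSED = {"{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}"}

# Path fragments that only occur under user-writable roots (assumption: a legitimate
# COM server DLL lives under the Windows or Program Files trees, not under these).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)

def parse_reg(text):
    """Yield (clsid, default value) for each per-user InprocServer32 key in a .reg export.

    Handles REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) defaults; hex values that
    continue over several lines with a trailing backslash are reassembled first.
    """
    lines, clsid, i = text.splitlines(), None, 0
    while i < len(lines):
        line = lines[i].strip()
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1).upper()
        elif line.startswith("["):
            clsid = None                       # some other key: ignore until the next CLSID
        elif clsid and line.startswith("@="):
            raw = line[2:]
            if raw.startswith('"'):            # REG_SZ: undo the \\ and \" escapes
                value = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
            elif raw.lower().startswith("hex(2):"):
                hexdata = raw[7:]
                while hexdata.endswith("\\"):
                    i += 1
                    hexdata = hexdata[:-1] + lines[i].strip()
                value = bytes(int(h, 16) for h in hexdata.split(",") if h).decode("utf-16-le").rstrip("\0")
            else:
                value = raw
            yield clsid, value
        i += 1

def expand(path, env):
    """Expand %VAR% references with the supplied mapping (never the analyst's own os.environ)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def triage(reg_text, env):
    """Return per-user COM servers that are known-abused or live in a user-writable directory."""
    findings = []
    for clsid, server in parse_reg(reg_text):
        resolved = expand(server, env).strip('"').lower()
        reasons = []
        if clsid in KNOWN_ABUSED:
            reasons.append("CLSID hijacked in the RomCom Mythic chain")
        if any(fragment in resolved for fragment in USER_WRITABLE):
            reasons.append("InprocServer32 resolves into a user-writable directory")
        if reasons:
            findings.append({"clsid": clsid, "server": resolved, "reasons": reasons})
    return findings

# Constructed sample export: the hijack from the blog post, a REG_EXPAND_SZ entry
# pointing into %TEMP%, and a benign vendor registration under Program Files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,78,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
'''

# Constructed environment for the sample host; a real run uses the examined user's values.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_ENV):
        print(finding["clsid"], finding["server"], "; ".join(finding["reasons"]))
```

<p>A hit on the path heuristic alone still needs the DLL looked at; a hit on the known CLSID with a DLL under <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> matches the chain above exactly. A registration whose DLL is no longer on disk is still an indicator, since it shows the hijack was installed even if the payload was later removed.<\/p>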
The domain-name check implies that the attackers had conducted reconnaissance beforehand, confirming that this email was highly targeted.<\/p>\n<p>The loaded shellcode appears to be a <a href=\"https:\/\/github.com\/MythicC2Profiles\/dynamichttp\" target=\"_blank\" rel=\"noopener\">dynamichttp<\/a> C2 profile for the <a href=\"https:\/\/docs.mythic-c2.net\/\" target=\"_blank\" rel=\"noopener\">Mythic agent<\/a> with the following C&amp;C server: <span style=\"font-family: courier new, courier, monospace;\">https:\/\/srlaptop[.]com\/s\/0.7.8\/clarity.js<\/span>.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Mythic agent execution chain\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-5.png\" alt=\"Figure 5. Mythic agent execution chain\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. Mythic agent execution chain<\/em><\/figcaption><\/figure>\n<p>The agent comes with a standard <a href=\"https:\/\/docs.mythic-c2.net\/operational-pieces\/c2-profiles\/dynamichttp\" target=\"_blank\" rel=\"noopener\">configuration for the dynamichttp C2 profile<\/a> and a custom one, which is displayed in Figure 6. Just like in the previous stage, this configuration contains a hardcoded domain name of the target.<\/p>\n<pre style=\"background-color: #f5f5f5; border: 1px solid #ddd; padding: 10px; line-height: 1.25; margin: 0;\"><code style=\"white-space: pre-wrap; font-family: 'Courier New', Courier, monospace;\">{'disable_etw': '2', 'block_non_ms_dlls': '3', 'child_process': 'wmic.exe', 'use_winhttp': 1, 'inject_method': '1', 'dll_side': ['MsEdge', 'OneDrive'], 'domain': '[REDACTED]'}<\/code><\/pre>\n<p><em>Figure 6. Custom configuration in the Mythic execution chain<\/em><\/p>\n<h3>SnipBot variant execution chain<\/h3>\n<p>In the second execution chain, which is depicted in Figure 7, the malicious LNK file <span style=\"font-family: courier new, courier, monospace;\">Display Settings.lnk<\/span> runs <span style=\"font-family: courier new, courier, monospace;\">%LOCALAPPDATA%\\ApbxHelper.exe<\/span>. 
It is a modified version of <a href=\"https:\/\/github.com\/NoMoreFood\/putty-cac\" target=\"_blank\" rel=\"noopener\">PuTTY CAC<\/a>, which is a fork of PuTTY, and is signed with an invalid code-signing certificate. The extra code uses the filename as a key for decrypting strings and the next stage, which is shellcode. The shellcode appears to be a variant of SnipBot, malware <a href=\"https:\/\/unit42.paloaltonetworks.com\/snipbot-romcom-malware-variant\/\" target=\"_blank\" rel=\"noopener\">attributed to RomCom<\/a> by UNIT 42. Execution of the shellcode only proceeds if a specific registry value (<span style=\"font-family: courier new, courier, monospace;\">68<\/span> for this sample) is present in the <span style=\"font-family: courier new, courier, monospace;\">HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\<\/span> registry key (in other words, if at least 69 documents were recently opened); this is an anti-analysis technique to prevent execution in an empty virtual machine or sandbox. If at least 69 documents were recently opened, next-stage shellcode is decrypted using the registry key name (e.g., <span style=\"font-family: courier new, courier, monospace;\">68<\/span>, but converted from string to integer), and executed, downloading yet another stage from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/campanole[.]com\/TOfrPOseJKZ<\/span>.<\/p>\n<p>We also found an identical <span style=\"font-family: courier new, courier, monospace;\">ApbxHelper.exe<\/span> within <span style=\"font-family: courier new, courier, monospace;\">Adverse_Effect_Medical_Records_2025.rar<\/span>, uploaded to <a href=\"https:\/\/www.virustotal.com\/gui\/file\/2a8fafa01f6d3863c87f20905736ebab28d6a5753ab708760c0b6cf3970828c3\" target=\"_blank\" rel=\"noopener\">VirusTotal<\/a> from Germany. This archive also exploits the CVE-2025-8088 vulnerability.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. 
SnipBot variant execution chain\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-7.png\" alt=\"Figure 7. SnipBot variant execution chain\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. SnipBot variant execution chain<\/em><\/figcaption><\/figure>\n<h3>MeltingClaw execution chain<\/h3>\n<p>In the third execution case, which is depicted in Figure 8, the malicious LNK file <span style=\"font-family: courier new, courier, monospace;\">Settings.lnk<\/span> runs <span style=\"font-family: courier new, courier, monospace;\">%LOCALAPPDATA%\\Complaint.exe<\/span>, which is RustyClaw \u2013 a downloader written in Rust previously analyzed by <a href=\"https:\/\/blog.talosintelligence.com\/uat-5647-romcom\/\" target=\"_blank\" rel=\"noopener\">Talos<\/a>. This sample is signed with an invalid code-signing certificate, which is different from the code-signing certificate used in the SnipBot variant. RustyClaw downloads and executes another payload, from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/melamorri[.]com\/iEZGPctehTZ<\/span>. This payload (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">01D32FE88ECDEA2B934A00805E138034BF85BF83<\/span>), with internal name <span style=\"font-family: courier new, courier, monospace;\">install_module_x64.dll<\/span>, partially matches the analysis of MeltingClaw by <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/10-things-i-hate-about-attribution-romcom-vs-transferloader\" target=\"_blank\" rel=\"noopener\">Proofpoint<\/a>, a different downloader attributed to RomCom. The C&amp;C server of the MeltingClaw sample that we observed is <span style=\"font-family: courier new, courier, monospace;\">https:\/\/gohazeldale[.]com<\/span>.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. MeltingClaw execution chain\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/winrar\/figure-8.png\" alt=\"Figure 8. 
MeltingClaw execution chain\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. MeltingClaw execution chain<\/em><\/figcaption><\/figure>\n<h3>Attribution<\/h3>\n<p>We attribute the observed activities to RomCom with high confidence based on the targeted region, TTPs, and malware used.<\/p>\n<p>This is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group performed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to the Ukrainian World Congress. The Microsoft Word document attached to the email attempted to exploit the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36884\" target=\"_blank\" rel=\"noopener\">CVE\u20112023\u201136884<\/a> vulnerability, as documented by the <a href=\"https:\/\/blogs.blackberry.com\/en\/2023\/07\/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\" target=\"_blank\" rel=\"noopener\">BlackBerry Threat Research and Intelligence team<\/a>.<\/p>\n<p>On October 8<sup>th<\/sup>, 2024, the group exploited a then-unknown vulnerability in the Firefox browser. The exploit targeted a use-after-free vulnerability in Firefox Animation timelines, allowing an attacker to achieve code execution in a content process, with the objective of delivering the RomCom backdoor. The vulnerability identifier <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-9680\" target=\"_blank\" rel=\"noopener\">CVE\u20112024\u20119680<\/a> was assigned, as documented in our WeLiveSecurity blogpost.<\/p>\n<h3>Other activities<\/h3>\n<p>We are aware that this vulnerability has also been exploited by another threat actor, and was independently discovered by the Russian cybersecurity company <a href=\"https:\/\/bi.zone\/expertise\/blog\/paper-werewolf-atakuet-rossiyu-s-ispolzovaniem-uyazvimosti-nulevogo-dnya-v-winrar\/\" target=\"_blank\" rel=\"noopener\">BI.ZONE<\/a>. 
Notably, this second threat actor began exploiting CVE\u20112025\u20118088 a few days after RomCom started doing so.<\/p>\n<h2>Conclusion<\/h2>\n<p>By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyber operations. This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks. The discovered campaign targeted sectors that align with the typical interests of Russia-aligned APT groups, suggesting a geopolitical motivation behind the operation.<\/p>\n<p>We would like to thank the WinRAR team for its cooperation and quick response, and recognize its effort in releasing a patch within just one day.<\/p>\n<p>Thanks to Peter Ko\u0161in\u00e1r for his assistance in the analysis.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/romcom\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"151\"><strong>Filename<\/strong><\/td>\n<td width=\"170\"><strong>Detection<\/strong><\/td>\n<td width=\"162\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">371A5B8BA86FBCAB80D4<wbr\/>E0087D2AA0D8FFDDC70B<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">Adverse_Effect_Medi<wbr\/>cal_Records_2025.rar<\/span><\/td>\n<td width=\"170\">\n<p>LNK\/Agent.AJN<\/p>\n<p>Win64\/Agent.GPM<\/p>\n<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088; found on VirusTotal.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">D43F49E6A586658B5422<wbr\/>EDC647075FFD405D6741<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">cv_submission.rar<\/span><\/td>\n<td width=\"170\">\n<p>LNK\/Agent.AJN<\/p>\n<p>Win64\/Agent.GPM<\/p>\n<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, 
monospace;\">F77DBA76010A9988C9CE<wbr\/>B8E420C96AEBC071B889<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">Eli_Rosenfeld_CV2 &#8211; <wbr\/>Copy (10).rar<\/span><\/td>\n<td width=\"170\">Win64\/Agent.GMQ<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">676086860055F6591FED<wbr\/>303B4799C725F8466CF4<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">Datos adjuntos sin<wbr\/> t\u00edtulo 00170.dat<\/span><\/td>\n<td width=\"170\">\n<p>LNK\/Agent.AJN<\/p>\n<p>Win64\/Agent.GPM<\/p>\n<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">1F25E062E8E9A4F1792C<wbr\/>3EAC6462694410F0F1CA<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">JobDocs_July2025.rar<\/span><\/td>\n<td width=\"170\">\n<p>LNK\/Agent.AJN<\/p>\n<p>Win64\/TrojanDownlo<wbr\/>ader.Agent.BZV<\/p>\n<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C340625C779911165E39<wbr\/>83C77FD60855A2575275<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">cv_submission.rar<\/span><\/td>\n<td width=\"170\">\n<p>LNK\/Agent.AJN<\/p>\n<p>Win64\/Agent.GPM<\/p>\n<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C94A6BD6EC88385E4E83<wbr\/>1B208FED2FA6FAED6666<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">Recruitment_Dossier<wbr\/>_July_2025.rar<\/span><\/td>\n<td 
width=\"170\">\n<p>LNK\/Agent.AJN<\/p>\n<p>Win64\/TrojanDownlo<wbr\/>ader.Agent.BZV<\/p>\n<\/td>\n<td width=\"162\">Archive exploiting CVE\u20112025\u20118088.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">01D32FE88ECDEA2B934A<wbr\/>00805E138034BF85BF83<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">install_module_x64<wbr\/>.dll<\/span><\/td>\n<td width=\"170\">Win64\/Agent.GNV<\/td>\n<td width=\"162\">MeltingClaw<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">AE687BEF963CB30A3788<wbr\/>E34CC18046F54C41FFBA<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">msedge.dll<\/span><\/td>\n<td width=\"170\">Win64\/Agent.GMQ<\/td>\n<td width=\"162\">Mythic agent used by RomCom<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">AB79081D0E26EA278D3D<wbr\/>45DA247335A545D0512E<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">Complaint.exe<\/span><\/td>\n<td width=\"170\">Win64\/TrojanDownlo<wbr\/>ader.Agent.BZV<\/td>\n<td width=\"162\">RustyClaw<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">1AEA26A2E2A7711F89D0<wbr\/>6165E676E11769E2FD68<\/span><\/td>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">ApbxHelper.exe<\/span><\/td>\n<td width=\"170\">Win64\/Agent.GPM<\/td>\n<td width=\"162\">SnipBot variant<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"151\"><strong>IP<\/strong><\/td>\n<td width=\"142\"><strong>Domain<\/strong><\/td>\n<td width=\"113\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First seen<\/strong><\/td>\n<td 
width=\"151\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">162.19.175[.]44<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">gohazeldale<wbr\/>[.]com<\/span><\/td>\n<td width=\"113\">OVH SAS<\/td>\n<td width=\"85\">2025\u201106\u201105<\/td>\n<td width=\"151\">MeltingClaw C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">194.36.209[.]127<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">srlaptop[.]com<\/span><\/td>\n<td width=\"113\">CGI GLOBAL LIMITED<\/td>\n<td width=\"85\">2025\u201107\u201109<\/td>\n<td width=\"151\">C&amp;C server of the Mythic agent used by RomCom.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">85.158.108[.]62<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">melamorri[.]com<\/span><\/td>\n<td width=\"113\">HZ\u2011HOSTING\u2011LTD<\/td>\n<td width=\"85\">2025\u201107\u201107<\/td>\n<td width=\"151\">RustyClaw C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">185.173.235[.]134<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">campanole[.]com<\/span><\/td>\n<td width=\"113\">FiberXpress BV<\/td>\n<td width=\"85\">2025\u201107\u201118<\/td>\n<td width=\"151\">C&amp;C server of the SnipBot variant.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\" target=\"_blank\" rel=\"noopener\">version 17<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td 
width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"6\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\" target=\"_blank\" rel=\"noopener\">T1583<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure<\/td>\n<td width=\"265\">RomCom sets up VPSes and buys domain names.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/001\" target=\"_blank\" rel=\"noopener\">T1587.001<\/a><\/td>\n<td width=\"151\">Develop Capabilities: Malware<\/td>\n<td width=\"265\">RomCom develops malware in multiple programming languages.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/004\" target=\"_blank\" rel=\"noopener\">T1587.004<\/a><\/td>\n<td width=\"151\">Develop Capabilities: Exploits<\/td>\n<td width=\"265\">RomCom may develop exploits used for initial compromise.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1588\/005\" target=\"_blank\" rel=\"noopener\">T1588.005<\/a><\/td>\n<td width=\"151\">Obtain Capabilities: Exploits<\/td>\n<td width=\"265\">RomCom may acquire exploits used for initial compromise.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1588\/006\" target=\"_blank\" rel=\"noopener\">T1588.006<\/a><\/td>\n<td width=\"151\">Obtain Capabilities: Vulnerabilities<\/td>\n<td width=\"265\">RomCom may obtain information about vulnerabilities that it uses for targeting victims.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1608\" target=\"_blank\" rel=\"noopener\">T1608<\/a><\/td>\n<td 
width=\"151\">Stage Capabilities<\/td>\n<td width=\"265\">RomCom stages malware on multiple delivery servers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1566\/001\" target=\"_blank\" rel=\"noopener\">T1566.001<\/a><\/td>\n<td width=\"151\">Phishing: Spearphishing Attachment<\/td>\n<td width=\"265\">RomCom compromises victims with a malicious RAR attachment sent via spearphishing.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1204\/002\" target=\"_blank\" rel=\"noopener\">T1204.002<\/a><\/td>\n<td width=\"151\">User Execution: Malicious File<\/td>\n<td width=\"265\">RomCom lures victims into opening a weaponized RAR archive containing an exploit.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1547\/001\" target=\"_blank\" rel=\"noopener\">T1547.001<\/a><\/td>\n<td width=\"151\">Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n<td width=\"265\">For persistence, RomCom stores a LNK file in the Startup folder.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1546\/015\" target=\"_blank\" rel=\"noopener\">T1546.015<\/a><\/td>\n<td width=\"151\">Event Triggered Execution: Component Object Model Hijacking<\/td>\n<td width=\"265\">RomCom hijacks CLSIDs for persistence.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1497\" target=\"_blank\" rel=\"noopener\">T1497<\/a><\/td>\n<td width=\"151\">Virtualization\/Sandbox Evasion<\/td>\n<td width=\"265\">RomCom detects virtual environments by checking for enough 
RecentDocs.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1480\" target=\"_blank\" rel=\"noopener\">T1480<\/a><\/td>\n<td width=\"151\">Execution Guardrails<\/td>\n<td width=\"265\">RomCom stops execution if running in a virtual environment. It also checks for a hardcoded domain name before executing.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1036\/001\" target=\"_blank\" rel=\"noopener\">T1036.001<\/a><\/td>\n<td width=\"151\">Masquerading: Invalid Code Signature<\/td>\n<td width=\"265\">RomCom tries to appear more legitimate to users and security tools that improperly handle digital signatures.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/007\" target=\"_blank\" rel=\"noopener\">T1027.007<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Dynamic API Resolution<\/td>\n<td width=\"265\">RomCom decrypts and resolves API dynamically.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/013\" target=\"_blank\" rel=\"noopener\">T1027.013<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Encrypted\/Encoded File<\/td>\n<td width=\"265\">RomCom decrypts shellcode based on filename and machine artifacts.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Credential Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1555\/003\" target=\"_blank\" rel=\"noopener\">T1555.003<\/a><\/td>\n<td width=\"151\">Credentials from Password Stores: Credentials from Web Browsers<\/td>\n<td width=\"265\">The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1552\/001\" target=\"_blank\" 
rel=\"noopener\">T1552.001<\/a><\/td>\n<td width=\"151\">Unsecured Credentials: Credentials In Files<\/td>\n<td width=\"265\">The RomCom backdoor collects passwords using a file reconnaissance module.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1087\" target=\"_blank\" rel=\"noopener\">T1087<\/a><\/td>\n<td width=\"151\">Account Discovery<\/td>\n<td width=\"265\">The RomCom backdoor collects username, computer, and domain data.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1518\" target=\"_blank\" rel=\"noopener\">T1518<\/a><\/td>\n<td width=\"151\">Software Discovery<\/td>\n<td width=\"265\">The RomCom backdoor collects information about installed software and versions.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Lateral Movement<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1021\" target=\"_blank\" rel=\"noopener\">T1021<\/a><\/td>\n<td width=\"151\">Remote Services<\/td>\n<td width=\"265\">The RomCom backdoor creates SSH tunnels to move laterally within compromised networks.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1560\" target=\"_blank\" rel=\"noopener\">T1560<\/a><\/td>\n<td width=\"151\">Archive Collected Data<\/td>\n<td width=\"265\">The RomCom backdoor stores data in a ZIP archive for exfiltration.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1185\" target=\"_blank\" rel=\"noopener\">T1185<\/a><\/td>\n<td width=\"151\">Man in the Browser<\/td>\n<td width=\"265\">The RomCom backdoor steals browser cookies, history, and saved passwords.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1005\" target=\"_blank\" rel=\"noopener\">T1005<\/a><\/td>\n<td width=\"151\">Data from Local System<\/td>\n<td width=\"265\">The RomCom backdoor collects specific file types based on file extensions.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1114\/001\" target=\"_blank\" rel=\"noopener\">T1114.001<\/a><\/td>\n<td width=\"151\">Email Collection: Local Email Collection<\/td>\n<td width=\"265\">The RomCom backdoor collects files with <span style=\"font-family: courier new, courier, monospace;\">.msg<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.eml<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">.email<\/span> extensions.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1113\" target=\"_blank\" rel=\"noopener\">T1113<\/a><\/td>\n<td width=\"151\">Screen Capture<\/td>\n<td width=\"265\">The RomCom backdoor takes screenshots of the victim\u2019s computer.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1071\/001\" target=\"_blank\" rel=\"noopener\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">The RomCom backdoor uses HTTP or HTTPS as a C&amp;C protocol.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1573\/002\" target=\"_blank\" rel=\"noopener\">T1573.002<\/a><\/td>\n<td width=\"151\">Encrypted Channel: Asymmetric Cryptography<\/td>\n<td width=\"265\">The RomCom backdoor encrypts communication using SSL certificates.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1041\" 
target=\"_blank\" rel=\"noopener\">T1041<\/a><\/td>\n<td width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td width=\"265\">The RomCom backdoor exfiltrates data using the HTTPS C&amp;C channel.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Impact<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1657\" target=\"_blank\" rel=\"noopener\">T1657<\/a><\/td>\n<td width=\"151\">Financial Theft<\/td>\n<td width=\"265\">RomCom compromises companies for financial interest.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned 
group<\/p>\n","protected":false},"author":1,"featured_media":279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=278"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/279"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}