I Opened a Resume and Got Hacked: The WinRAR Zero-Day Explained

By a Cybersecurity Incident Responder who analyzed the RomCom campaign.

Illustration: a computer screen with a resume document open while attacker code runs in the background.

It started with an email. An HR manager at a European logistics company received a promising resume from a “job applicant.” The resume was in a .RAR archive, a common way to send files. The manager extracted it, and for a moment nothing happened. But behind the scenes, a zero-day exploit for CVE-2025-8088 had just given the attackers a backdoor into the entire corporate network. [1]

This wasn’t an isolated incident. Between July and October 2025, a Russia-aligned hacking group known as RomCom used this exact method to target over 700 financial, manufacturing, and defense companies across Europe and Canada. By exploiting a previously unknown flaw in WinRAR, one of the world’s most popular file compression tools, they turned simple job applications into powerful cyberweapons. [2]

If you or your company uses WinRAR, this is the urgent story of how a single click can lead to a complete network compromise—and what you must do to protect yourself.

The “Resume” Attack – How It Happened

The attack was brilliantly simple and deviously effective. Security researchers at ESET first observed the campaign on July 18, 2025, and quickly unraveled the hackers’ methods. [3]

Here’s the step-by-step breakdown of the attack:

  1. The Phishing Email: The RomCom group sent highly targeted spear-phishing emails to employees, often in HR or management roles. The emails were designed to look like legitimate job applications, complete with a convincing cover letter and a “resume” attached as a RAR file. [5]
  2. The Malicious Archive: The attached .RAR file was specially crafted to exploit CVE-2025-8088, a “path traversal” vulnerability in WinRAR.
  3. The Extraction: When the victim extracted the “resume,” they saw a harmless-looking document. But hidden within the archive, the exploit was silently at work.
  4. The Path Traversal: The vulnerability allowed the hackers to write files outside of the intended extraction folder. Instead of just placing the resume on the desktop, the exploit secretly dropped a malicious DLL file into a sensitive system directory, like the Windows Startup folder. [7]
  5. Persistence and Payload: Placing the file in the Startup folder ensured the malware would automatically run every time the computer was restarted. This initial payload was often a downloader like “RustyClaw” or “SnipBot,” which would then connect to a command-and-control server to download more advanced backdoors and spyware. [2]

What is a Path Traversal Vulnerability?

Imagine you tell a delivery driver to leave a package on your front porch. A path traversal flaw is like a loophole in the instructions that allows the driver to ignore your porch and instead place the package directly inside your bedroom.

In the digital world, WinRAR was supposed to place all extracted files in the folder you chose. But CVE-2025-8088 allowed hackers to craft an archive that told WinRAR, “Ignore the user’s chosen folder and put this other malicious file in the system’s Startup folder instead.” This gave them a permanent foothold on the victim’s machine.

Technical Deep Dive – CVE-2025-8088 Explained

The vulnerability, CVE-2025-8088, is a flaw in how WinRAR handles file paths, particularly when dealing with “alternate data streams” (ADS, an NTFS feature that lets a single file carry extra named streams of data) in specially crafted ZIP or RAR archives. [6]

  • What it affects: The Windows version of WinRAR (versions before 7.13), as well as its command-line utilities and UnRAR.dll library.
  • The Flaw: A crafted archive can carry an entry whose path, once processed during extraction, lands outside the folder the user selected. In effect, the attacker, not the user, chooses where on the file system that file is written.
  • The CVSS Score: The vulnerability has a severity score of 8.8 out of 10, marking it as “High” severity. [4]
  • The Patch: The WinRAR developers were notified and released a patch in WinRAR version 7.13 on July 30, 2025. [4]
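The rule an extractor has to enforce against this class of bug is simple to state: every entry must resolve inside the destination folder the user chose. The following Python check is an added example (not code from the article, from WinRAR, or from ESET) that applies that rule before extraction and flags entry names using absolute paths, `..` segments, or NTFS alternate-data-stream (`file:stream`) syntax; the sample entry names are constructed for illustration.

```python
import ntpath
import posixpath

# Constructed sample entry names for illustration; not taken from any real archive.
SAMPLE_ENTRIES = [
    "Resume_John_Doe.pdf",
    "cover_letter/letter.docx",
    "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.dll",
    "C:\\Users\\Public\\update.dll",
    "Resume.pdf:hidden_stream",  # NTFS alternate data stream syntax (file:stream)
]


def entry_problems(name: str) -> list[str]:
    """Flag syntactic signs that an entry is trying to escape the destination folder."""
    problems = []
    unified = name.replace("\\", "/")       # archives built on Windows may use backslashes
    drive, rest = ntpath.splitdrive(name)   # "C:" prefix on Windows-style paths
    if drive or unified.startswith("/"):
        problems.append("absolute path")
    if any(part == ".." for part in unified.split("/")):
        problems.append("parent-directory traversal")
    if ":" in rest:                         # a colon outside the drive letter is an ADS
        problems.append("alternate data stream")
    return problems


def is_contained(dest: str, name: str) -> bool:
    """True if the normalized target path stays inside dest (the safe-extraction rule)."""
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, name.replace("\\", "/")))
    return target == dest_norm or target.startswith(dest_norm + "/")


def audit_entries(entries: list[str], dest: str) -> dict[str, list[str]]:
    """Return {entry: [problems]}; an archive with any non-empty list should be refused."""
    report = {}
    for name in entries:
        problems = entry_problems(name)
        if not is_contained(dest, name):
            problems.append("resolves outside destination")
        report[name] = problems
    return report


if __name__ == "__main__":
    for entry, problems in audit_entries(SAMPLE_ENTRIES, "/tmp/extract").items():
        print(f"{'REFUSE' if problems else 'ok    '} {entry}  {', '.join(problems)}")
```

The same check can be run over the entry list of any archive (for example `zipfile.ZipFile.namelist()` for ZIP files) before a single byte is written to disk.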

The RomCom group’s use of this zero-day marks their evolution into a highly sophisticated threat actor. This is the third time they have been caught using a zero-day exploit, demonstrating their resources and determination. They are no longer just an espionage group; their tactics now blur the line with ransomware gangs, focusing on high-value corporate targets. [9]

Am I at Risk? How to Check and Protect Yourself

If you use WinRAR on a Windows computer, you could be at risk. This is not a theoretical threat; it has been actively and widely exploited.

How to Check Your WinRAR Version:

  1. Open the WinRAR application.
  2. Click on Help in the top menu bar.
  3. Select About WinRAR…
  4. A window will pop up displaying the version number.

If your version is anything below 7.13, you are VULNERABLE.

How to Update and Protect Yourself:

  1. Update Immediately: Go to the official WinRAR website (win-rar.com) and download the latest version (7.13 or newer). This is the single most important step.
  2. Be Skeptical of Archives: Treat all email attachments, especially compressed files like .zip and .rar, with extreme caution. If you aren’t expecting a file from someone, don’t open it.
  3. Use an Alternative: Consider using Windows’ built-in file extractor or 7-Zip, which were not affected by this specific vulnerability.
  4. Educate Your Team: If you are in a business environment, ensure your entire team is aware of this “resume scam” tactic. Phishing awareness is a critical layer of defense.

This attack highlights the danger of seemingly innocent files. For more on how to identify malicious attachments, see our guide on How to Spot a Phishing Email.

The Bigger Picture – The Enduring Threat of Software Vulnerabilities

The WinRAR exploit is a stark reminder that even the most trusted and widely used software can have critical flaws. While this specific vulnerability has been patched, the tactics used by groups like RomCom will continue to evolve.

  • The Rise of RaaS: The Ransomware-as-a-Service model means that sophisticated exploits like this are no longer limited to elite state-sponsored groups. They are often sold or rented on dark web forums, making them accessible to a wider range of criminals.
  • The Importance of Patching: This incident, along with the recent string of Chrome zero-days, proves that timely patch management is non-negotiable for modern cybersecurity. Learn more in our guide on How to Fix Unpatched Vulnerabilities.
  • The Human Element: Technology alone is not enough. The WinRAR attack began with a social engineering trick—a fake resume. This reinforces the need for a strong “human firewall” through continuous security awareness training.

Ultimately, staying safe in 2025 requires a multi-layered defense. Keep your software updated, be vigilant about what you click and download, and have a clear Incident Response Plan in case the worst happens. This attack may have started with a simple resume, but its consequences can be devastating. Don’t let your company be the next victim.

SOURCES

  1. https://www.malwarebytes.com/blog/news/2025/08/winrar-vulnerability-exploited-by-two-different-groups
  2. https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
  3. https://thehackernews.com/2025/08/winrar-zero-day-under-active.html
  4. https://www.bitdefender.com/en-us/blog/hotforsecurity/winrar-zero-day-exploit-actively-targeted-in-ongoing-attacks
  5. https://www.infosecurity-magazine.com/news/winrar-zero-day-exploited-romcom/
  6. https://nvd.nist.gov/vuln/detail/CVE-2025-8088
  7. https://www.quorumcyber.com/threat-intelligence/active-exploitation-of-winrar-path-traversal-zero%E2%80%91day/
  8. https://socradar.io/cve-2025-8088-winrar-zero-day-exploited-targeted/
  9. https://www.picussecurity.com/resource/blog/romcom-threat-actor-evolution
  10. https://www.linkedin.com/pulse/winrar-zero-day-used-targeted-phishing-campaigns-connectwise-qm6bc