{
	"id": "12908761-3317-47c5-9bb1-60b561ade1aa",
	"created_at": "2026-04-06T00:18:15.650564Z",
	"updated_at": "2026-04-10T13:11:45.431022Z",
	"deleted_at": null,
	"sha1_hash": "7a1ea30380521aeac4a7fee1a19be78e5e75875a",
	"title": "Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609510,
	"plain_text": "Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability\r\nBy Anton CherepanovPeter StrýčekDamien Schaeffer\r\nArchived: 2026-04-05 19:54:29 UTC\r\nESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by\r\nRussia-aligned group RomCom. This is at least the third time that RomCom has been caught exploiting a\r\nsignificant zero-day vulnerability in the wild. Previous examples include the abuse of CVE-2023-36884 via\r\nMicrosoft Word in June 2023, and the combined vulnerabilities assigned CVE‑2024‑9680 chained with another\r\npreviously unknown vulnerability in Windows, CVE‑2024‑49039, targeting vulnerable versions of Firefox,\r\nThunderbird, and the Tor Browser, leading to arbitrary code execution in the context of the logged-in user in\r\nOctober 2024.\r\nKey points of this blogpost:\r\nIf you use WinRAR or other affected components such as the Windows versions of its command\r\nline utilities, UnRAR.dll, or the portable UnRAR source code, upgrade immediately to the latest\r\nversion.\r\nOn July 18th, 2025, ESET researchers discovered a previously unknown zero-day vulnerability\r\nin WinRAR being exploited in the wild.\r\nAnalysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2025-8088: a\r\npath traversal vulnerability, made possible with the use of alternate data streams. 
After\r\nimmediate notification, WinRAR released a patched version on July 30th, 2025.\r\nThe vulnerability allows hiding malicious files in an archive, which are silently deployed when\r\nextracting.\r\nSuccessful exploitation attempts delivered various backdoors used by the RomCom group,\r\nspecifically a SnipBot variant, RustyClaw, and Mythic agent.\r\nThis campaign targeted financial, manufacturing, defense, and logistics companies in Europe\r\nand Canada.\r\nRomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts\r\nboth opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s\r\nfocus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional\r\ncybercrime operations. The backdoor commonly used by the group is capable of executing commands and\r\ndownloading additional modules to the victim’s machine.\r\nThe discovery of CVE-2025-8088\r\nOn July 18th, 2025, we observed a malicious DLL named msedge.dll in a RAR archive containing unusual paths\r\nthat caught our attention. Upon further analysis, we found that the attackers were exploiting a previously unknown\r\nhttps://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/\r\nPage 1 of 13\n\nvulnerability affecting WinRAR, including the then-current version, 7.12. On July 24th, 2025, we contacted the\r\ndeveloper of WinRAR, and on the same day, the vulnerability was fixed and WinRAR 7.13 beta 1 published.\r\nWinRAR 7.13 was published on July 30th, 2025. Users of WinRAR are advised to install the latest version as soon\r\nas possible to mitigate the risk. 
Note that software solutions relying on publicly available Windows versions of\r\nUnRAR.dll or its corresponding source code are affected as well, especially those that have not updated their\r\ndependencies.\r\nThe vulnerability, tracked as CVE-2025-8088, uses alternate data streams (ADSes) for path traversal. Note that a\r\nsimilar path traversal vulnerability (CVE‑2025‑6218) affecting WinRAR was disclosed on June 19th, 2025,\r\napproximately a month earlier.\r\nThe attackers specially crafted the archive to apparently contain only one benign file (see Figure 1), while it\r\ncontains many malicious ADSes (there’s no indication of them from the user’s point of view).\r\nFigure 1. Eli_Rosenfeld_CV2 - Copy (10).rar opened in WinRAR\r\nOnce a victim opens this seemingly benign file, WinRAR unpacks it along with all its ADSes. For example, for\r\nEli_Rosenfeld_CV2 - Copy (10).rar, a malicious DLL is deployed into %TEMP%. Likewise, a malicious LNK\r\nfile is deployed into the Windows startup directory, thereby achieving persistence via execution on user login.\r\nTo ensure higher success, the attackers provided multiple ADSes with increasing depths of parent directory\r\nrelative path elements (..\\\\). However, this introduces nonexistent paths that WinRAR visibly warns about.\r\nInterestingly, the attackers added ADSes that contain dummy data and are expected to have invalid paths. We\r\nsuspect that the attackers introduced them so that the victim does not notice the suspicious DLL and LNK paths\r\n(see Figure 2). Only when scrolling down in the WinRAR user interface are the suspicious paths revealed, as seen\r\nin Figure 3.\r\nFigure 2. Displayed WinRAR errors when unpacking Eli_Rosenfeld_CV2 - Copy (10).rar\r\nFigure 3. 
Displayed WinRAR errors when unpacking Eli_Rosenfeld_CV2 - Copy (10).rar; scrolled\r\ndown and highlighted\r\nCompromise chain\r\nAccording to ESET telemetry, such archives were used in spearphishing campaigns from the 18th to 21st July,\r\n2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. Table 1 contains\r\nthe spearphishing emails – sender, subject, and filename of the attachment – used in the campaigns, and Figure 4\r\nshows the message we observed in an email. In all cases, the attackers sent a CV hoping that a curious target\r\nwould open it. According to ESET telemetry, none of the targets were compromised.\r\nTable 1. Spearphishing emails observed in ESET telemetry\r\nSender Subject Attachment\r\nSimona\r\n\u003c2constheatcomshirl@seznam[.]cz\u003e\r\nExperienced Web3\r\nDeveloper – CV\r\nAttached for\r\nConsideration\r\nEli_Rosenfeld_CV2 - Copy (100) - Copy -\r\nCopy - Copy - Copy - Copy - Copy.rar\r\nEli_Rosenfeld_CV2 - Copy (100) - Copy -\r\nCopy - Copy - Copy - Copy.rar\r\nEli_Rosenfeld_CV2 - Copy (100) - Copy -\r\nCopy - Copy - Copy.rar\r\nEli_Rosenfeld_CV2 - Copy (10).rar\r\nMarshall Rico\r\n\u003cgeoshilovyf@gmx[.]com\u003e\r\nMotivated Applicant\r\n- Resume Enclosed\r\ncv_submission.rar\r\nSimona\r\n\u003c93leocarperpiyd@seznam[.]cz\u003e\r\nSimona\r\n\u003c93geoprobmenfuuu@seznam[.]cz\u003e\r\nSimona\r\n\u003c2constheatcomshirl@seznam[.]cz\u003e\r\nSimona\r\n\u003c3tiafratferpate@seznam[.]cz\u003e\r\nRussell Martin\r\n\u003csampnestpihydbi@gmx[.]com\u003e\r\nJob Application Datos adjuntos sin título 00170.dat\r\nPepita Cordero\r\n\u003cstefanmuribi@gmx[.]net\u003e\r\nApplication for Job\r\nOpenings - Pepita\r\nCordero\r\nJobDocs_July2025.rar\r\nSacchetti Jami\r\n\u003cpatricklofiri@gmx[.]net\u003e\r\nApplication for Job\r\nOpenings - 
Sacchetti\r\nJami\r\nRecruitment_Dossier_July_2025.rar\r\nJennifer Hunt\r\n\u003cemponafinpu@gmx[.]com\u003e\r\nApplying for the\r\nRole\r\ncv_submission.rar\r\nFigure 4. Observed email message\r\nThese RAR files always contain two malicious files: a LNK file, unpacked to the Windows startup directory, and a\r\nDLL or EXE, unpacked to either %TEMP% or %LOCALAPPDATA%. Some of the archives share the same\r\nmalware. We have identified three execution chains.\r\nMythic agent execution chain\r\nIn the first execution chain, depicted in Figure 5, the malicious LNK file Updater.lnk adds the registry value\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\\InprocServer32 and sets it\r\nto %TEMP%\\msedge.dll. This is used to trigger execution of that DLL via COM hijacking. Specifically, the\r\nCLSID corresponds to the PSFactoryBuffer object present in npmproxy.dll. As a result, any executable trying to\r\nload it (e.g., Microsoft Edge) will trigger code execution of the malicious DLL. This DLL is responsible for\r\ndecrypting embedded shellcode via AES and subsequently executing it. Interestingly, it retrieves the domain name\r\nfor the current machine, which typically contains the company name, and compares it with a hardcoded value,\r\nexiting if the two values do not match. This means that the attackers had conducted reconnaissance beforehand,\r\nconfirming that this email was highly targeted.\r\nThe loaded shellcode appears to be a dynamichttp C2 profile for the Mythic agent having the following C\u0026C\r\nserver: https://srlaptop[.]com/s/0.7.8/clarity.js.\r\nFigure 5. 
Mythic agent execution chain\r\nIt comes with a standard configuration for the dynamichttp C2 profile and a custom one, which is displayed in\r\nFigure 6. Just like in the previous stage, this configuration contains a hardcoded domain name of the target.\r\n{'disable_etw': '2', 'block_non_ms_dlls': '3', 'child_process': 'wmic.exe', 'use_winhttp': 1, 'inject_method':\r\nFigure 6. Custom configuration in the Mythic execution chain\r\nSnipBot variant execution chain\r\nIn the second execution chain, which is depicted in Figure 7, the malicious LNK file Display Settings.lnk runs\r\n%LOCALAPPDATA%\\ApbxHelper.exe. It is a modified version of PuTTY CAC, which is a fork of PuTTY, and\r\nis signed with an invalid code-signing certificate. The extra code uses the filename as a key for decrypting strings\r\nand the next stage, which is shellcode. The shellcode appears to be a variant of SnipBot, malware attributed to\r\nRomCom by UNIT 42. Execution of the shellcode only proceeds if a specific registry value (68 for this sample) is\r\npresent in the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\ registry key (in\r\nother words, if at least 69 documents were recently opened); this is an anti-analysis technique to prevent execution\r\nin an empty virtual machine or sandbox. If at least 69 documents were recently opened, next-stage shellcode is\r\ndecrypted using the registry key name (e.g., 68, but converted from string to integer), and executed, downloading\r\nyet another stage from https://campanole[.]com/TOfrPOseJKZ.\r\nWe also found an identical ApbxHelper.exe within Adverse_Effect_Medical_Records_2025.rar, uploaded to\r\nVirusTotal from Germany. This archive also exploits the CVE-2025-8088 vulnerability.\r\nFigure 7. 
SnipBot variant execution chain\r\nMeltingClaw execution chain\r\nIn the third execution case, which is depicted in Figure 8, the malicious LNK file Settings.lnk runs\r\n%LOCALAPPDATA%\\Complaint.exe, which is RustyClaw – a downloader written in Rust previously analyzed\r\nby Talos. This sample is signed with an invalid code-signing certificate, which is different from the code-signing\r\ncertificate used in the SnipBot variant. RustyClaw downloads and executes another payload, from\r\nhttps://melamorri[.]com/iEZGPctehTZ. This payload (SHA-1:\r\n01D32FE88ECDEA2B934A00805E138034BF85BF83), with internal name install_module_x64.dll, partially\r\nmatches the analysis of MeltingClaw by Proofpoint, a different downloader attributed to RomCom. The C\u0026C\r\nserver of the MeltingClaw sample that we observed is https://gohazeldale[.]com.\r\nFigure 8. MeltingClaw execution chain\r\nAttribution\r\nWe attribute the observed activities to RomCom with high confidence based on the targeted region, TTPs, and\r\nmalware used.\r\nThis is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group\r\nperformed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to\r\nthe Ukrainian World Congress. The Microsoft Word document attached to the email attempted to exploit the\r\nCVE‑2023‑36884 vulnerability, as documented by the BlackBerry Threat Research and Intelligence team.\r\nOn October 8th, 2024, the group exploited a then-unknown vulnerability in the Firefox browser. The exploit\r\ntargeted a use-after-free vulnerability in Firefox Animation timelines, allowing an attacker to achieve code\r\nexecution in a content process, with the objective of delivering the RomCom backdoor. 
The vulnerability\r\nidentifier CVE‑2024‑9680 was assigned, as documented in our WeLiveSecurity blogpost.\r\nOther activities\r\nWe are aware that this vulnerability has also been exploited by another threat actor, and was independently\r\ndiscovered by the Russian cybersecurity company BI.ZONE. Notably, this second threat actor began exploiting\r\nCVE‑2025‑8088 a few days after RomCom started doing so.\r\nConclusion\r\nBy exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is\r\nwilling to invest serious effort and resources into its cyberoperations. This is at least the third time RomCom has\r\nused a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for\r\ntargeted attacks. The discovered campaign targeted sectors that align with the typical interests of Russian-aligned\r\nAPT groups, suggesting a geopolitical motivation behind the operation.\r\nWe would like to thank the WinRAR team for its cooperation and quick response, and recognize its effort in\r\nreleasing a patch within just one day.\r\nThanks to Peter Košinár for his assistance in the analysis.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\n371A5B8BA86FBCAB80D4E0087D2AA0D8FFDDC70B | Adverse_Effect_Medical_Records_2025.rar | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE‑2025‑8088; found on VirusTotal.\r\nD43F49E6A586658B5422EDC647075FFD405D6741 | cv_submission.rar | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE‑2025‑8088.\r\nF77DBA76010A9988C9CEB8E420C96AEBC071B889 | Eli_Rosenfeld_CV2 - Copy (10).rar | Win64/Agent.GMQ | Archive exploiting CVE‑2025‑8088.\r\n676086860055F6591FED303B4799C725F8466CF4 | Datos adjuntos sin título 00170.dat | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE‑2025‑8088.\r\n1F25E062E8E9A4F1792C3EAC6462694410F0F1CA | JobDocs_July2025.rar | LNK/Agent.AJN, Win64/TrojanDownloader.Agent.BZV | Archive exploiting CVE‑2025‑8088.\r\nC340625C779911165E3983C77FD60855A2575275 | cv_submission.rar | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE‑2025‑8088.\r\nC94A6BD6EC88385E4E831B208FED2FA6FAED6666 | Recruitment_Dossier_July_2025.rar | LNK/Agent.AJN, Win64/TrojanDownloader.Agent.BZV | Archive exploiting CVE‑2025‑8088.\r\n01D32FE88ECDEA2B934A00805E138034BF85BF83 | install_module_x64.dll | Win64/Agent.GNV | MeltingClaw\r\nAE687BEF963CB30A3788E34CC18046F54C41FFBA | msedge.dll | Win64/Agent.GMQ | Mythic agent used by RomCom\r\nAB79081D0E26EA278D3D45DA247335A545D0512E | Complaint.exe | Win64/TrojanDownloader.Agent.BZV | RustyClaw\r\n1AEA26A2E2A7711F89D06165E676E11769E2FD68 | ApbxHelper.exe | Win64/Agent.GPM | SnipBot variant\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n162.19.175[.]44 | gohazeldale[.]com | OVH SAS | 2025‑06‑05 | MeltingClaw C\u0026C server.\r\n194.36.209[.]127 | srlaptop[.]com | CGI GLOBAL LIMITED | 2025‑07‑09 | C\u0026C server of the Mythic agent used by RomCom.\r\n85.158.108[.]62 | melamorri[.]com | HZ‑HOSTING‑LTD | 2025‑07‑07 | RustyClaw C\u0026C server.\r\n185.173.235[.]134 | campanole[.]com | FiberXpress BV | 2025‑07‑18 | C\u0026C server of the SnipBot variant.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583 | Acquire Infrastructure | RomCom sets up VPSes and buys domain names.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | RomCom develops malware in multiple programming languages.\r\nResource Development | T1587.004 | Develop Capabilities: Exploits | RomCom may develop exploits used for initial compromise.\r\nResource Development | T1588.005 | Obtain Capabilities: Exploits | RomCom may acquire exploits used for initial compromise.\r\nResource Development | T1588.006 | Obtain Capabilities: Vulnerabilities | RomCom may obtain information about vulnerabilities that it uses for targeting victims.\r\nResource Development | T1608 | Stage Capabilities | RomCom stages malware on multiple delivery servers.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | RomCom compromises victims with a malicious RAR attachment sent via spearphishing.\r\nExecution | T1204.002 | User Execution: Malicious File | RomCom lures victims into opening a weaponized RAR archive containing an exploit.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | For persistence, RomCom stores a LNK file in the Startup folder.\r\nPersistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | RomCom hijacks CLSIDs for persistence.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | RomCom detects virtual environments by checking for enough RecentDocs.\r\nDefense Evasion | T1480 | Execution Guardrails | RomCom stops execution if running in a virtual environment. It also checks for a hardcoded domain name before executing.\r\nDefense Evasion | T1036.001 | Masquerading: Invalid Code Signature | RomCom tries to appear more legitimate to users and security tools that improperly handle digital signatures.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | RomCom decrypts and resolves API dynamically.\r\nDefense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | RomCom decrypts shellcode based on filename and machine artifacts.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module.\r\nCredential Access | T1552.001 | Unsecured Credentials: Credentials In Files | The RomCom backdoor collects passwords using a file reconnaissance module.\r\nDiscovery | T1087 | Account Discovery | The RomCom backdoor collects username, computer, and domain data.\r\nDiscovery | T1518 | Software Discovery | The RomCom backdoor collects information about installed software and versions.\r\nLateral Movement | T1021 | Remote Services | The RomCom backdoor creates SSH tunnels to move laterally within compromised networks.\r\nCollection | T1560 | Archive Collected Data | The RomCom backdoor stores data in a ZIP archive for exfiltration.\r\nCollection | T1185 | Man in the Browser | The RomCom backdoor steals browser cookies, history, and saved passwords.\r\nCollection | T1005 | Data from Local System | The RomCom backdoor collects specific file types based on file extensions.\r\nCollection | T1114.001 | Email Collection: Local Email Collection | The RomCom backdoor collects files with .msg, .eml, and .email extensions.\r\nCollection | T1113 | Screen Capture | The RomCom backdoor takes screenshots of the victim’s computer.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | The RomCom backdoor uses HTTP or HTTPS as a C\u0026C protocol.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | The RomCom backdoor encrypts communication using SSL certificates.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | The RomCom backdoor exfiltrates data using the HTTPS C\u0026C channel.\r\nImpact | T1657 | Financial Theft | RomCom compromises companies for financial interest.\r\nSource: https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/"
	],
	"report_names": [
		"update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a1ea30380521aeac4a7fee1a19be78e5e75875a.pdf",
		"text": "https://archive.orkl.eu/7a1ea30380521aeac4a7fee1a19be78e5e75875a.txt",
		"img": "https://archive.orkl.eu/7a1ea30380521aeac4a7fee1a19be78e5e75875a.jpg"
	}
}