romcom

RomCom’s WinRAR Exploit: Persistent Startup Folder Attacks and Encrypted C2 Exfiltration Targeting Critical Sectors

Russian-linked RomCom is abusing a critical WinRAR bug to quietly persist in networks, move laterally, and siphon data over encrypted channels — hitting government, finance, and telecom sectors hard. Patch lag is keeping doors wide open.

Wes

Wes

12 min read
RomCom’s WinRAR Exploit: Persistent Startup Folder Attacks and Encrypted C2 Exfiltration Targeting Critical Sectors
Guess what RomCom added to your Startup—no RSVP needed.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Tired of explaining what "our RomCom risk" is? ChatGPT not helping you with the peer review?

What are the specific persistence (e.g., MITRE ATT&CK T1547) and data exfiltration (e.g., T1041) techniques employed by RomCom malware variants exploiting WinRAR CVE-2025-8088, and how do these techniques evolve across different campaigns? write a report targeting strategic stakeholders

Does it take a chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 15 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.. and the peer review.

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

AlphaHunt with your team- and your intelligence.

TL;DR

  • Exploit WinRAR CVE-2025-8088 to drop malware in Windows Startup folders (T1547.001), ensuring auto-execution at logon.
  • Deliver via spearphishing with malicious RAR attachments (T1566.001) exploiting the flaw for instant compromise.
  • Move laterally using Impacket tools (SMBExec, WMIExec) to harvest creds and spread.
  • Exfiltrate data over encrypted C2 channels (T1041) with evolving obfuscation to dodge detection.
  • Blend espionage & ransomware — dual-purpose ops targeting Western critical sectors.

Why it matters

  • SOC: Hunt for executable creation in Startup folders, Impacket tool execution, and anomalous encrypted outbound traffic.
  • IR: Preserve RAR attachments, WinRAR versions <7.13, registry run key changes, and C2 traffic captures.
  • SecOps: Enforce WinRAR patch to 7.13+, block RAR attachments, and restrict outbound encrypted traffic to known destinations.

Suggested Pivots

  • How will RomCom .. (upgrade to unlock!) .. becomes widespread?
  • What detection .. (upgrade to unlock!) .. from normal HTTPS?
  • How could you .. (upgrade to unlock!) .. against Impacket-based attacks?

Executive Summary

RomCom (Storm-0978/Tropical Scorpius/UNC2596) is exploiting CVE-2025-8088 in WinRAR to persist by planting malware in Windows Startup folders. Initial access comes via spearphishing with malicious RARs, followed by lateral movement using Impacket frameworks. Data is exfiltrated through encrypted C2 channels with sophisticated encoding to evade detection.

Targets include government, military, finance, and telecom sectors in Europe and North America — especially those linked to Ukrainian affairs. This mix of espionage and financially driven ransomware makes RomCom a flexible and enduring threat.

See it in your telemetry

Mail: RAR attachments; subjects tied to urgent or official business; uncommon senders.

Endpoint: Creation of .exe in C:\Users<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; Impacket SMBExec/WMIExec process trees.

Network: Encrypted outbound sessions to rare domains/IPs; long-lived HTTPS sessions with low data bursts.

Quick wins (ship today)

  • Patch all WinRAR installs to v7.13+ or apply registry mitigation.
  • Block/quarantine inbound RAR attachments at the mail gateway.
  • Enable/tune EDR rules for Startup folder changes and Impacket execution.
CTA Image

Ready to level up your intelligence game?

Sign Up!

Research & Analysis

Background

"RomCom" (also known as Storm-0978, Tropical Scorpius, UNC2596) is a Russia-linked cyberespionage group known for ransomware, data theft, and espionage campaigns. It targets government, military, telecommunications, and finance sectors primarily in Europe and North America. The group has leveraged zero-day vulnerabilities, including WinRAR CVE-2025-8088, to deliver its backdoor malware.

WinRAR CVE-2025-8088 is a critical directory traversal vulnerability in the Windows version of WinRAR, fixed in version 7.13. It allows attackers to craft malicious RAR archives that place executables in Windows Startup folders, enabling arbitrary code execution at system login.

Persistence Techniques (MITRE ATT&CK T1547 and Sub-techniques)

  • Technique Used: RomCom exploits the WinRAR CVE-2025-8088 vulnerability to achieve persistence by placing malicious executables into Windows Startup folders. This corresponds to MITRE ATT&CK technique T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.

  • Mechanism: By exploiting the path traversal flaw, attackers craft RAR archives that, when extracted, place RomCom executables in startup locations. This causes the malware to execute automatically upon user login, maintaining persistence without requiring additional user interaction.

  • Evolution: This persistence method has been consistently observed in RomCom campaigns from 2024 through 2025, with the group refining spearphishing lures and delivery mechanisms to exploit this vulnerability effectively.

Data Exfiltration Methods (MITRE ATT&CK T1041)

  • Technique Used: RomCom employs T1041 - Exfiltration Over C2 Channel, where stolen data is encoded and sent over existing command and control channels.

  • Operational Tradecraft: After establishing persistence, RomCom backdoors communicate with C2 servers to exfiltrate sensitive data. The malware uses encrypted channels to evade detection and maintain stealth.

  • Evolution: RomCom's exfiltration techniques have evolved to include more sophisticated encoding and obfuscation methods, adapting to improved network defenses observed in 2024–2025 campaigns.

Campaign Evolution and Threat Actor Overlaps

  • RomCom has been linked to multiple aliases (Storm-0978, Tropical Scorpius, UNC2596) and is suspected to collaborate or overlap with other Russian cyberespionage groups.

  • Campaigns have targeted government and military organizations involved in Ukrainian affairs, as well as commercial sectors like telecommunications and finance.

  • The group has also been associated with ransomware operations (Industrial Spy, Underground ransomware), indicating a blend of espionage and financially motivated activities.

  • Microsoft reports that RomCom uses trojanized versions of legitimate software (e.g., Adobe products, Solarwinds) hosted on malicious domains mimicking legitimate ones to deliver malware.

Operational Tradecraft and Targeting Patterns

  • Initial Access: Spearphishing emails with malicious RAR attachments exploiting CVE-2025-8088.

  • Persistence: Exploitation of WinRAR vulnerability to place executables in startup folders (T1547.001).

  • Lateral Movement: Use of Impacket frameworks (SMBExec, WMIExec) for credential dumping and lateral movement.

  • Exfiltration: Data exfiltration over encrypted C2 channels (T1041).

  • Targeting: Primarily government, military, telecommunications, and finance sectors in Europe and North America, with a focus on entities involved in Ukrainian affairs.

  • Campaign Shifts: From purely espionage-focused to opportunistic ransomware and extortion attacks, indicating operational flexibility.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)

Read more