Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability www.welivesecurity.com/en/eset-r…
ESET researchers have discovered a previously unknown vulnerability in WinRAR that is being exploited in the wild by the Russia-aligned group RomCom. This is at least the third time RomCom has been caught exploiting a significant zero-day vulnerability in the wild. Previous examples include the abuse of CVE-2023-36884 via Microsoft Word in June 2023, and, in October 2024, CVE-2024-9680 chained with another previously unknown Windows vulnerability, CVE-2024-49039, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser and leading to arbitrary code execution in the context of the logged-in user.
The vulnerability allows an attacker to hide malicious files in an archive that are silently written to disk when the archive is extracted. Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and a Mythic agent.
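The defensive lesson of a bug like this is that an extractor must not trust member names. The following is an added example (not code from ESET or from WinRAR) showing the generic check a safe extractor performs before writing anything: every entry name is tested for absolute paths, drive prefixes, and `..` components, and then resolved to confirm it stays inside the chosen destination directory. The rules are format-agnostic; `zipfile` is used only because it is in the standard library, and the sample archive, its entry names, and the destination path are all constructed for the demonstration.

```python
"""Pre-extraction path-safety check for archive entries (added example)."""
import io
import os
import zipfile


def is_unsafe_entry(name: str, dest: str) -> bool:
    """Return True if an archive member name could land outside `dest`."""
    # Treat backslashes as separators so "..\\x" is handled like "../x".
    norm = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes (C:...) are never acceptable.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    # Reject any ".." component outright instead of trying to resolve it.
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        return True
    # Belt and braces: the fully resolved target must remain under dest.
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *parts)) if parts else dest_abs
    return os.path.commonpath([dest_abs, target]) != dest_abs


def unsafe_entries(names, dest):
    """Filter a list of member names down to the ones that must not be extracted."""
    return [n for n in names if is_unsafe_entry(n, dest)]


def build_sample_zip() -> bytes:
    """Constructed sample archive: two benign entries plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "benign content")
        zf.writestr("report/data.csv", "a,b\n1,2\n")
        # Constructed hostile names; the payload bytes are placeholders.
        zf.writestr("../../Users/Public/payload.exe", "placeholder")
        zf.writestr("C:\\Windows\\Temp\\x.dll", "placeholder")
    return buf.getvalue()


def check_archive(data: bytes, dest: str):
    """Open an archive from bytes and report entries that would escape dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_entries(zf.namelist(), dest)


if __name__ == "__main__":
    flagged = check_archive(build_sample_zip(), "/tmp/extract-here")  # constructed dest
    for entry in flagged:
        print("refusing to extract:", entry)
```

The check runs over the member list before any file is created, so a hostile archive is rejected as a whole rather than partially extracted. Real extractors should additionally refuse symlink entries and names containing NUL bytes, which this example omits for brevity.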