Google has warned that multiple threat actors are actively exploiting a critical security vulnerability in WinRAR, despite the issue being patched months ago. The attacks involve a mix of nation-state groups and financially motivated cybercriminals using the flaw to gain initial system access and deploy malware.
According to the Google Threat Intelligence Group (GTIG), the vulnerability was discovered and fixed in July 2025, yet exploitation continues across unrelated campaigns. The company stated that government-linked attackers associated with Russia and China, along with profit-driven groups, are abusing the same technique to maintain persistence.
The flaw, tracked as CVE-2025-8088 with a CVSS score of 8.8, is a path traversal vulnerability in RARLAB WinRAR. It was resolved in WinRAR version 7.13, released on July 30, 2025. Successful exploitation allows attackers to execute arbitrary code by convincing victims to open specially crafted archive files.
The weakness enables malicious files to be written directly into the Windows Startup folder, ensuring that the payload automatically executes when the system restarts. GTIG noted that this repeated exploitation highlights gaps in basic application security and user awareness.
ESET, which originally reported the issue, observed the dual-purpose threat group RomCom (also known as CIGAR or UNC4895) exploiting the vulnerability as a zero-day as early as July 18, 2025. The group used it to distribute a variant of SnipBot, also called NESTPACKER. Google separately tracks the operators behind Cuba Ransomware under the identifier UNC2596.
Following public disclosure, exploitation expanded rapidly. Many attack chains hide malicious components such as Windows shortcut (LNK) files inside alternate data streams (ADS) of decoy files within RAR archives. When extracted, these files are written to the Startup directory and executed automatically after a reboot.
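The traversal-into-Startup pattern described above, as an added detection example that is not part of the original article and not RARLAB's or Google's code: it triages archive entry names (constructed samples; the extraction directory is assumed to be a user's Downloads folder) and flags entries whose resolved write location is a Startup folder reached through `..` traversal or alternate-data-stream syntax.

```python
"""Heuristic triage of archive entry names for the abuse pattern described above:
path traversal that drops a file (often an LNK hidden in an ADS of a decoy) into a
Windows Startup folder. Added example; entry names are constructed, no RAR parsing."""
import ntpath
import re
from typing import NamedTuple

# Lower-cased fragments of the per-user and all-users Startup folders.
STARTUP_FRAGMENTS = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"\programdata\microsoft\windows\start menu\programs\startup",
)

class Verdict(NamedTuple):
    entry: str
    traversal: bool       # a ".." component in the entry or its stream name
    ads: bool             # entry uses "host:stream" alternate-data-stream syntax
    startup_target: bool  # the resolved write location lies in a Startup folder

def triage_entry(name: str, extract_dir: str = r"C:\Users\alice\Downloads") -> Verdict:
    # Normalize separators; drop a leading drive letter so "C:" is not read as ADS.
    normalized = re.sub(r"^[A-Za-z]:", "", name.replace("/", "\\"))
    host, colon, stream = normalized.partition(":")
    ads = bool(colon)
    pieces = [host] + ([stream] if ads else [])
    traversal = any(part == ".." for p in pieces for part in p.split("\\"))
    # Resolve where each piece would be written; a stream is relative to its host file.
    resolved = [ntpath.normpath(ntpath.join(extract_dir, host))]
    if ads:
        host_dir = ntpath.join(extract_dir, ntpath.dirname(host))
        resolved.append(ntpath.normpath(ntpath.join(host_dir, stream)))
    startup_target = any(f in r.lower() for r in resolved for f in STARTUP_FRAGMENTS)
    return Verdict(name, traversal, ads, startup_target)

def suspicious_entries(names):
    """Entries whose write location is a Startup folder reached via traversal or ADS."""
    return [v for v in map(triage_entry, names) if v.startup_target and (v.traversal or v.ads)]

# Constructed listing: a benign document, three abuse-shaped entries (LNK, ADS-hosted
# LNK, batch script into the all-users folder), and a harmless ADS that must not fire.
SAMPLE_ENTRIES = [
    "report.docx",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\decoy.pdf:run.lnk",
    r"..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\setup.bat",
    r"notes.txt:Zone.Identifier",
]

if __name__ == "__main__":
    for v in suspicious_entries(SAMPLE_ENTRIES):
        print(f"SUSPICIOUS traversal={v.traversal} ads={v.ads}: {v.entry}")
```

Feed it the entry list of any archive (for RAR, the names reported by a listing tool) before extraction; a hit is a reason to quarantine the archive rather than a proof of exploitation.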
Several Russia-linked threat actors have adopted the technique, including:
- Sandworm (APT44 or FROZENBARENTS), which deployed decoy documents with Ukrainian-themed filenames alongside malicious LNK files that initiate further downloads
- Gamaredon (CARPATHIAN), which targeted Ukrainian government agencies using RAR archives containing HTA files that act as second-stage downloaders
- Turla (SUMMIT), which leveraged the flaw to deploy the STOCKSTAY malware family using lures related to Ukrainian military and drone operations
GTIG also identified a China-based actor exploiting CVE-2025-8088 to deploy Poison Ivy, using batch scripts dropped into the Windows Startup folder to download additional payloads.
Financially motivated attackers were quick to follow, using the vulnerability to install commodity remote access trojans and information-stealing malware. In several cases, victims were infected with Telegram-bot-controlled backdoors, as well as malware families such as AsyncRAT and XWorm.
In a separate campaign, Google reported that a cybercrime group targeting Brazilian users distributed a malicious Chrome extension capable of injecting JavaScript into the websites of two Brazilian banks. The extension was used to display phishing content and harvest login credentials.
GTIG assessed that widespread abuse of the WinRAR flaw was fueled by a thriving underground market. Exploits for WinRAR were openly sold for thousands of dollars prior to public disclosure. One seller, operating under the alias zeroplayer, advertised a working WinRAR exploit weeks before CVE-2025-8088 became public.
Google noted that zeroplayer's role as an upstream exploit supplier demonstrates the growing commoditization of cyberattacks. By offering ready-made exploitation tools, such actors lower technical barriers and enable a wide range of threat groups to conduct sophisticated attacks.
The warning follows reports of another WinRAR vulnerability, CVE-2025-6218 with a CVSS score of 7.8, also being exploited by multiple actors including GOFFEE, Bitter, and Gamaredon, reinforcing the ongoing risk posed by unpatched N-day vulnerabilities.