Overview of Active Exploitation of WinRAR Vulnerability (CVE-2025-8088)
Google Threat Intelligence Group (GTIG) has disclosed the active and ongoing exploitation of a critical WinRAR security vulnerability, even after it was officially patched. The flaw has been leveraged by nation-state actors and financially motivated cybercriminals to gain initial access, establish persistence, and deploy a wide range of malicious payloads.
Vulnerability Details
The vulnerability, tracked as CVE-2025-8088 with a CVSS score of 8.8, is a path traversal flaw in WinRAR. A crafted RAR archive can make the extractor write a file outside the directory the user chose; in the observed attacks the traversal sequence lives in the name of an NTFS alternate data stream attached to a harmless-looking decoy file. The bug is a file write, not code execution by itself: attackers turn it into execution by dropping a shortcut, script or executable into the Windows Startup folder, where it runs at the victim's next logon.
RARLAB addressed the issue in WinRAR version 7.13, released on July 30, 2025. WinRAR has no automatic update mechanism, so an installation stays vulnerable until someone installs the new build by hand, and exploitation has continued as an N-day, highlighting gaps in patch adoption and user awareness.
Early Exploitation and Threat Actor Activity
Security firm ESET, which discovered and reported the flaw, observed exploitation as early as July 18, 2025, twelve days before the patch, when the dual-purpose espionage and financially motivated group RomCom (also known as CIGAR or UNC4895) used it as a zero-day to distribute SnipBot (NESTPACKER) malware.
Google also linked related activity to UNC2596, a threat cluster associated with Cuba Ransomware operations.
Common Attack Techniques
Most observed attack chains involve:
- Embedding a malicious payload (typically a Windows shortcut (LNK) file, sometimes an HTA or batch script) as an Alternate Data Stream (ADS) attached to a decoy file inside the RAR archive, with a stream name that contains `..\` sequences pointing at the Startup folder.
- Relying on the unpatched extractor to honor that stream name, so the payload is written into the Windows Startup folder instead of under the decoy in the extraction directory.
- Achieving persistence and execution at the user's next logon, when Windows runs everything in the Startup folder (a reboot is not required).
The same chain across unrelated actors shows how little an attacker needs beyond a working archive exploit: no privilege escalation, no macro, only a user who opens the archive. It also hands defenders one artifact shared by all of them: a new shortcut, script or executable appearing in a Startup folder shortly after an archive is extracted.
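Because the traversal rides in the stream name rather than in the file name, scanners that only inspect archive entry names miss it. The following Python is an added example, not code from GTIG, ESET or RARLAB: it walks RAR5 block headers using the published RAR5 layout (signature, per-block CRC32, vint-encoded sizes, file and service headers, extra records) and flags any `STM` service header whose service-data record carries a stream name that climbs out of the extraction directory, as well as ordinary entry names that traverse or are absolute. The sample archive it builds at the end is constructed in-code (stored data, no real payload, a made-up `invoice.pdf` decoy) purely to exercise the scanner; it is not an artifact from any campaign.

```python
"""Heuristic RAR5 scanner for ADS path traversal (CVE-2025-8088 pattern).

Added example, not code from GTIG, ESET or RARLAB. Assumes the public RAR5
block layout; the archive it scans is constructed below, not a real sample.
"""
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002        # block flags: extra area / data area present
FFL_MTIME, FFL_CRC32 = 0x0002, 0x0004       # file flags: mtime / data CRC32 present
EXTRA_SUBDATA = 0x07                        # extra record type: service data (stream name for STM)


def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer: 7 bits per byte, LSB first, high bit = continue."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def parse_file_like(body, extra):
    """Parse fields shared by file (type 2) and service (type 3) headers; return (name, subdata)."""
    file_flags, pos = read_vint(body, 0)
    _unpacked, pos = read_vint(body, pos)
    _attrs, pos = read_vint(body, pos)
    pos += 4 if file_flags & FFL_MTIME else 0
    pos += 4 if file_flags & FFL_CRC32 else 0
    _comp, pos = read_vint(body, pos)
    _host_os, pos = read_vint(body, pos)
    name_len, pos = read_vint(body, pos)
    name = body[pos:pos + name_len].decode("utf-8", "replace")
    subdata, epos = b"", 0
    while epos < len(extra):                 # records: size(vint) type(vint) data
        rec_size, p = read_vint(extra, epos)
        rec_type, q = read_vint(extra, p)
        if rec_type == EXTRA_SUBDATA:
            subdata = extra[q:p + rec_size]
        epos = p + rec_size
    return name, subdata


def is_traversal(path):
    """True if a name escapes the extraction directory (.. component, rooted, or drive-letter)."""
    parts = path.replace("\\", "/").split("/")
    return ".." in parts or path.startswith(("/", "\\")) or (len(path) > 1 and path[1] == ":")


def scan_rar5(data):
    """Walk every block; return [(name, reason)] for traversing entry names and ADS names."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    findings, pos, last_file = [], len(RAR5_SIGNATURE), None
    while pos + 4 <= len(data):
        stored_crc = struct.unpack_from("<I", data, pos)[0]
        hsize, p = read_vint(data, pos + 4)
        header = data[p:p + hsize]
        if zlib.crc32(data[pos + 4:p + hsize]) & 0xFFFFFFFF != stored_crc:
            findings.append(("<block@%d>" % pos, "header CRC mismatch"))
        htype, q = read_vint(header, 0)
        hflags, q = read_vint(header, q)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA:
            extra_size, q = read_vint(header, q)
        if hflags & HFL_DATA:
            data_size, q = read_vint(header, q)
        body, extra = header[q:hsize - extra_size], header[hsize - extra_size:]
        if htype in (HEAD_FILE, HEAD_SERVICE):
            name, subdata = parse_file_like(body, extra)
            if htype == HEAD_FILE:
                last_file = name                      # STM blocks attach to the preceding file
                if is_traversal(name):
                    findings.append((name, "entry name traverses out of extraction dir"))
            elif name == "STM":
                stream = subdata.decode("utf-8", "replace")   # e.g. ":..\..\Startup\x.lnk"
                if is_traversal(stream.lstrip(":")):
                    findings.append(("%s%s" % (last_file, stream),
                                     "ADS name traverses out of extraction dir"))
        pos = p + hsize + data_size
        if htype == HEAD_ENDARC:
            break
    return findings


# --- constructed sample archive (for the demo only; nothing here is a real payload) ---
def vint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_block(htype, body, extra=b"", payload=b""):
    """Assemble one RAR5 block: CRC32 | size vint | type flags [extra_size] [data_size] body extra | data."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if payload else 0)
    hdr = vint(htype) + vint(flags)
    hdr += vint(len(extra)) if extra else b""
    hdr += vint(len(payload)) if payload else b""
    sized = vint(len(hdr) + len(body) + len(extra)) + hdr + body + extra
    return struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized + payload


def file_body(name, size):
    # flags=0 (no mtime/CRC), unpacked size, attrs, comp info (stored), host OS 0 = Windows, name
    return vint(0) + vint(size) + vint(0x20) + vint(0) + vint(0) + vint(len(name)) + name


def build_sample(malicious=True):
    """Decoy file plus one STM stream; the malicious variant names a stream that walks up to Startup."""
    decoy, stub = b"%PDF-1.4 constructed decoy", b"placeholder, not a real LNK"
    stream = (":..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"
              if malicious else ":Zone.Identifier").encode()
    extra = vint(len(stream) + 1) + vint(EXTRA_SUBDATA) + stream
    return RAR5_SIGNATURE + b"".join([
        build_block(HEAD_MAIN, vint(0)),
        build_block(HEAD_FILE, file_body(b"invoice.pdf", len(decoy)), payload=decoy),
        build_block(HEAD_SERVICE, file_body(b"STM", len(stub)), extra=extra, payload=stub),
        build_block(HEAD_ENDARC, vint(0)),
    ])


if __name__ == "__main__":
    for hit in scan_rar5(build_sample()):
        print("SUSPICIOUS:", hit)
```

The scanner does not decompress anything, so it is safe to run on untrusted input, and it verifies each block's CRC so a corrupted or deliberately malformed header shows up as its own finding rather than silently desynchronising the walk. Encrypted-header archives (block type 4) defeat it, as they defeat most static inspection.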
Nation-State Threat Actor Involvement
Several advanced persistent threat (APT) groups—primarily linked to Russia and China—have adopted the vulnerability, including:
- Sandworm (APT44 / FROZENBARENTS): Used Ukrainian-themed decoys and malicious LNK files that download additional payloads.
- Gamaredon (CARPATHIAN): Targeted Ukrainian government entities using RAR archives containing HTA downloader files.
- Turla (SUMMIT): Delivered the STOCKSTAY malware suite, using lures related to Ukrainian military and drone operations.
- China-linked actors: Weaponized the flaw to deploy Poison Ivy, using batch scripts placed in the Startup folder to download additional droppers.
Financially Motivated Campaigns
Cybercriminal groups rapidly incorporated CVE-2025-8088 into their operations, deploying:
- Commodity Remote Access Trojans (RATs) such as AsyncRAT and XWorm
- Information stealers
- Telegram bot–controlled backdoors
GTIG also identified a Brazil-focused cybercrime operation that used the vulnerability to distribute a malicious Chrome extension capable of injecting JavaScript into banking websites to conduct phishing and credential theft.
Underground Exploit Economy
The widespread abuse of the flaw is attributed in part to a thriving exploit marketplace. WinRAR exploits were reportedly sold for thousands of dollars, with a supplier known as “zeroplayer” advertising a WinRAR exploit shortly before the public disclosure of CVE-2025-8088.
According to GTIG, this trend reflects the growing commoditization of the attack lifecycle, where ready-made exploits lower the technical barrier for threat actors with varying skill levels and motivations.
Broader Security Implications
The situation is further compounded by exploitation attempts targeting another WinRAR vulnerability, CVE-2025-6218 (CVSS 7.8), an earlier directory traversal fixed in WinRAR 7.12, by groups such as GOFFEE, Bitter, and Gamaredon. Upgrading to 7.13 or later closes both; since WinRAR does not update itself, that means inventorying installed versions and pushing the new build rather than waiting for users to notice. Together, these incidents underscore the persistent risk posed by N-day vulnerabilities, particularly in widely used software.