
Google Warns of Ongoing Exploitation of Critical WinRAR Vulnerability


On Tuesday, Google revealed that multiple threat actors — including nation-state adversaries and financially motivated groups — are actively exploiting a now-patched critical security flaw in RARLAB WinRAR to gain initial access and deploy a wide range of payloads.

“Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” the Google Threat Intelligence Group (GTIG) said.

Moreover, Google emphasized that attackers rely on a consistent technique to maintain persistence.

“The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.”

The vulnerability, tracked as CVE-2025-8088 (CVSS score: 8.8), affects WinRAR and received a fix in version 7.13, which RARLAB released on July 30, 2025. When successfully exploited, the flaw allows attackers to achieve arbitrary code execution by convincing users to open specially crafted malicious archive files in a vulnerable version of the software.

Early Zero-Day Abuse Observed by ESET

Notably, ESET — which discovered and responsibly disclosed the flaw — observed early exploitation activity well before the patch became available. According to the company, the dual financial- and espionage-motivated threat group RomCom (aka CIGAR or UNC4895) exploited the vulnerability as a zero-day as early as July 18, 2025. The group used the flaw to deliver a variant of the SnipBot (aka NESTPACKER) malware.

It is also worth noting that Google tracks the threat cluster responsible for deploying Cuba Ransomware under the designation UNC2596.

Since then, attackers have widely abused the vulnerability across multiple campaigns. In most cases, attack chains conceal a malicious file — such as a Windows shortcut (LNK) — within the alternate data streams (ADS) of a decoy file embedded in the archive. As a result, WinRAR extracts the payload to a targeted location, such as the Windows Startup folder, and automatically executes it when the user logs in after a system restart.
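The persistence pattern described above (an archiver writing a launchable file into a Startup folder) is something endpoint telemetry can catch. The following is an added example, not code from the article or from GTIG: it runs simple detection logic over constructed Sysmon-style FileCreate (Event ID 11) records, with the process names, paths and timestamps all invented for illustration.

```python
"""Flag archiver file-creation events that land in a Windows Startup folder.

Added example: the records below are constructed Sysmon-style FileCreate
(Event ID 11) entries, not real telemetry from the campaigns in the article.
"""
import ntpath
import re
from typing import List, Optional, Tuple

# Per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders share
# this suffix; Windows launches whatever sits there at logon.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# Archiver binaries that have no legitimate reason to write into Startup.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
# File types Windows runs or launches directly from the Startup folder.
EXEC_EXT = {".lnk", ".hta", ".bat", ".cmd", ".exe", ".vbs", ".js", ".ps1", ".scr"}

# Constructed sample events (subset of Sysmon Event ID 11 fields).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-08-01 09:12:03", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\decoy.docx"},
    {"UtcTime": "2025-08-01 09:12:03", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"UtcTime": "2025-08-01 09:15:40", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk"},
    {"UtcTime": "2025-08-01 10:02:11", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\notes.txt"},
]


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for a single FileCreate event."""
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "")
    if image not in ARCHIVERS or not STARTUP_RE.search(target):
        return None
    ext = ntpath.splitext(target)[1].lower()
    # Any archiver write into Startup is suspicious; a launchable type there
    # (LNK, HTA, BAT, ...) is the exact pattern the article describes.
    return "high" if ext in EXEC_EXT else "medium"


def scan(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (time, path, severity) for every event classify() flags."""
    return [(ev["UtcTime"], ev["TargetFilename"], sev)
            for ev in events if (sev := classify(ev))]


if __name__ == "__main__":
    for when, path, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {when} archiver wrote {path}")
```

The regex also matches the all-users folder under %ProgramData%, and a non-archiver process (explorer.exe creating a shortcut) is deliberately left unflagged.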

Russian Threat Actors Join the Campaigns

Meanwhile, several Russian-linked threat actors have joined the exploitation efforts, including:

  • Sandworm (aka APT44 and FROZENBARENTS), which has leveraged the flaw to drop a decoy file with a Ukrainian filename alongside a malicious LNK file designed to trigger additional downloads
  • Gamaredon (aka CARPATHIAN), which has used malicious RAR archives containing HTML Application (HTA) files to target Ukrainian government agencies and download second-stage payloads
  • Turla (aka SUMMIT), which has exploited the flaw to deploy the STOCKSTAY malware suite using lures related to Ukrainian military operations and drone activity

In addition, GTIG identified a China-based threat actor weaponizing CVE-2025-8088 to deliver Poison Ivy. In this case, the attacker used a batch script dropped into the Windows Startup folder and configured it to download a dropper.

“Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets,” GTIG added.

Some of these campaigns have resulted in the deployment of Telegram bot-controlled backdoors, as well as widely used malware families such as AsyncRAT and XWorm.

In a separate case highlighted by Google’s threat intelligence team, a cybercrime group known for targeting Brazilian users via banking-related lures delivered a malicious Chrome extension. The extension injected JavaScript into the pages of two Brazilian banking websites, enabling phishing activity and credential theft.

Underground Market Fuels Exploitation

Overall, analysts assess that the widespread abuse of the WinRAR flaw stems from a thriving underground market. In this ecosystem, sellers have advertised WinRAR exploits for thousands of dollars. One such supplier, operating under the alias “zeroplayer,” promoted a WinRAR exploit in the weeks leading up to the public disclosure of CVE-2025-8088.

“Zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle,” GTIG said. “By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations […] to leverage a diverse set of capabilities.”

Finally, these developments coincide with exploitation attempts involving another WinRAR flaw, CVE-2025-6218 (CVSS score: 7.8). Multiple threat actors — including GOFFEE, Bitter, and Gamaredon — have targeted this vulnerability, further underscoring the persistent risk posed by n-day vulnerabilities.

Source: TheHackerNews
