A number of state-sponsored threat actors and cybercrime groups have been exploiting a WinRAR vulnerability in attacks over the past six months, Google Threat Intelligence Group (GTIG) warns.
Tracked as CVE-2025-8088, the high-severity bug was patched on July 30, after being exploited in the wild as a zero-day by the Russia-linked hacking group known as RomCom (also referred to as Storm-0978, Tropical Scorpius, and UNC2596).
The issue is described as a path traversal flaw in WinRAR for Windows that can be abused for arbitrary code execution using crafted archive files.
According to GTIG, APTs and cybercrime groups have exploited the security defect via malicious files hidden within the Alternate Data Streams (ADS) of a decoy file inside an archive.
“Adversaries can craft malicious RAR archives which, when opened by a vulnerable version of WinRAR, can write files to arbitrary locations on the system,” GTIG explains.
The malicious payloads contain a specially crafted path designed to traverse to a specific directory, typically the Startup folder, for persistence. Thus, when the archive is opened, the content is written to the system and will be executed when the user logs in.
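As an added example (not part of the GTIG report or this article), the following triage helper applies the two traits described above, ADS syntax in an entry name and a path that traverses toward the Startup folder, to a list of archive entry names. The entry names are assumed to come from whatever archive lister the analyst already uses; the sample listing at the bottom is constructed, not taken from a real malicious archive.

```python
"""Heuristic triage of archive entry names for the ADS + path-traversal pattern."""
from dataclasses import dataclass, field

# Directory fragment the report names as the typical persistence target.
STARTUP_MARKER = r"\start menu\programs\startup"


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(entry: str):
    """Return (base, stream) for 'file:stream'; a drive prefix like 'C:\\' is not an ADS."""
    idx = entry.find(":")
    if idx <= 0:
        return entry, None
    if idx == 1 and entry[0].isalpha() and entry[2:3] in ("\\", "/"):
        return entry, None
    return entry[:idx], entry[idx + 1:]


def is_absolute(norm: str) -> bool:
    """Absolute Windows path: leading backslash or a drive letter prefix."""
    return norm.startswith("\\") or (len(norm) >= 2 and norm[0].isalpha() and norm[1] == ":")


def inspect_entry(entry: str) -> Finding:
    finding = Finding(entry)
    base, stream = split_ads(entry)
    if stream is not None:
        finding.reasons.append("ads-stream")
    # Check both halves: the stream portion is where the crafted path would sit.
    for part in (base, stream or ""):
        norm = part.replace("/", "\\")
        if ".." in norm.split("\\") and "path-traversal" not in finding.reasons:
            finding.reasons.append("path-traversal")
        if is_absolute(norm) and "absolute-path" not in finding.reasons:
            finding.reasons.append("absolute-path")
        if STARTUP_MARKER in norm.lower() and "startup-folder" not in finding.reasons:
            finding.reasons.append("startup-folder")
    return finding


def scan_entries(entries):
    """Return only the entries that tripped at least one heuristic."""
    return [f for f in (inspect_entry(e) for e in entries) if f.suspicious]


# Constructed sample listing (hypothetical names, not from a real archive).
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "images/logo.png",
    r"invoice.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\Users\Public\notes.txt",
]

if __name__ == "__main__":
    for f in scan_entries(SAMPLE_ENTRIES):
        print(f.entry, "->", ", ".join(f.reasons))
```

A clean archive normally has no ADS entries at all, so the "ads-stream" reason alone is worth a closer look even without the traversal markers.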
“Government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” GTIG says.
The state-sponsored APTs were seen exploiting the CVE in attacks targeting government, military, and technology entities.
GTIG tied the observed attacks to the Russia-linked APTs RomCom, Sandworm (aka APT44, BlackEnergy Lite, and Seashell Blizzard), Armageddon (aka Aqua Blizzard, Callisto, Gamaredon, Primitive Bear, and UNC530), and Turla (aka Krypton, Snake, Venomous Bear, and Waterbug).
The attacks, GTIG says, targeted various entities in Ukraine, including military units. The latest attacks were observed in January 2026.
Additionally, GTIG observed a Chinese state-sponsored APT exploiting the WinRAR vulnerability to deploy the PoisonIvy malware.
Exploitation by cybercrime groups
The abuse of CVE-2025-8088 by financially motivated cybercriminals has been varied and spread globally, GTIG says.
The bug has been exploited by miscreants to target entities in Indonesia, hospitality and travel organizations worldwide (with a focus on Latin America), online banking users in Brazil, and for the distribution of various malware families, including commodity RATs.
“The widespread use of CVE-2025-8088 by various actors highlights the demand for effective exploits. This demand is met by the underground economy where individuals and groups specialize in developing and selling exploits to a range of buyers,” GTIG notes.
One of the threat actors selling a WinRAR exploit since July 2025, who uses the moniker ‘zeroplayer’, was also seen offering Office, VPN, and Windows zero-days.
“By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with various motivations—from ransomware deployment to state-sponsored intelligence gathering—to leverage a diverse set of capabilities,” GTIG notes.