Multiple threat actors, including state-sponsored groups and financially motivated cybercriminals, are actively exploiting a high-severity WinRAR vulnerability tracked as CVE-2025-8088, according to new findings from the Google Threat Intelligence Group.

The flaw is a path traversal vulnerability that abuses Windows Alternate Data Streams (ADS), allowing attackers to write malicious files to arbitrary system locations. This technique has been used to drop malware into the Windows Startup folder, enabling persistence across system reboots without the victim’s knowledge.

The issue was first discovered by researchers at ESET, who reported in August 2025 that the Russia-aligned hacking group RomCom had been exploiting the flaw in zero-day attacks. Google now says exploitation began as early as July 18, 2025, and remains active, involving both advanced espionage actors and lower-level cybercriminals.

According to Google researchers, attackers typically conceal malicious files within the ADS of decoy documents stored inside WinRAR archives. Victims often open a harmless-looking file, such as a PDF, while hidden payloads are silently extracted in the background using directory traversal. These payloads commonly include LNK, HTA, BAT, CMD, or script files that execute automatically when the user logs in.
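As an added defender-side example (not code from the article, Google, or ESET), the following Python heuristic classifies archive entry names against the pattern described above: an Alternate Data Stream name that carries `..` traversal and points at the Startup folder or an autorun file type. The entry list is constructed for illustration; the `classify_entry` and `scan` function names and the category labels are this example's own.

```python
"""Classify archive entry names for the ADS + path-traversal pattern
described for CVE-2025-8088. Input is a list of entry names as a listing
tool would print them; feed it real listings to triage suspect archives."""
import ntpath
import re

# Constructed sample listing (not from a real archive).
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "invoice.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "notes.txt:Zone.Identifier",      # benign ADS, no traversal
    "subdir\\readme.docx",
]

STARTUP_MARKER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
AUTORUN_EXT = {".lnk", ".hta", ".bat", ".cmd"}   # types named in the report

def split_ads(entry):
    """Return (base_name, stream_name) for 'file:stream', else (entry, None)."""
    head, sep, stream = entry.partition(":")
    return (head, stream) if sep else (entry, None)

def escapes_root(path):
    """True if the relative path climbs above the extraction directory."""
    depth = 0
    for part in re.split(r"[\\/]+", path):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False

def classify_entry(entry):
    base, stream = split_ads(entry)
    if stream is None:                       # ordinary entry
        return "traversal" if escapes_root(entry) else "ok"
    if len(base) == 1 and base.isalpha():    # 'C:\...' is a drive, not an ADS
        return "absolute-path"
    if not re.search(r"[\\/]", stream):      # e.g. Zone.Identifier
        return "ads"
    if escapes_root(stream):
        ext = ntpath.splitext(stream)[1].lower()
        if STARTUP_MARKER.search(stream) or ext in AUTORUN_EXT:
            return "cve-2025-8088-pattern"
        return "ads-traversal"
    return "ads-path"

def scan(entries):
    """Map each entry name to its classification."""
    return {e: classify_entry(e) for e in entries}
```

Any entry classified as `cve-2025-8088-pattern` or `ads-traversal` should block extraction and be escalated; a plain `ads` result (such as `Zone.Identifier`) is normal on downloaded files.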

Several state-sponsored threat groups have been observed abusing the vulnerability, including UNC4895, which delivered NESTPACKER malware to Ukrainian military targets, and APT44, which relied on malicious shortcut files and Ukrainian-language decoys. Other actors such as TEMP.Armageddon and Turla were also linked to ongoing exploitation, while China-linked attackers used the flaw to deploy the POISONIVY malware family.


Google also observed financially motivated attackers exploiting the same vulnerability to distribute commodity malware, including remote access tools like XWorm and AsyncRAT, Telegram bot-controlled backdoors, and malicious Chrome banking extensions.

Investigators believe many of these threat actors relied on exploit brokers rather than developing the attack themselves. One seller, known by the alias “zeroplayer,” reportedly advertised a working WinRAR exploit in mid-2025 and has marketed other high-value exploits for prices ranging between $80,000 and $300,000.


Google says this activity reflects the growing commoditization of exploit development, a trend that lowers the barrier to entry for cyberattacks and allows both espionage groups and cybercriminals to rapidly target unpatched systems. Security experts strongly recommend updating WinRAR immediately and avoiding archive files from unknown or untrusted sources.