A growing number of diverse attackers, including nation-state actors and financially motivated cybercriminals, are actively exploiting a path-traversal vulnerability in WinRAR, even though it was patched six months ago. Google’s Threat Intelligence Group (GTIG) issued a warning highlighting the continued exploitation of this high-severity security flaw, identified as CVE-2025-8088, which was publicly disclosed and patched by RARLAB in late July.
The vulnerability lets a specially crafted archive write files outside the directory the victim chose for extraction, and it was exploited in the wild nearly two weeks before the vendor released a fix. Since then, exploitation has spread to a broader spectrum of threat actors, underscoring its persistent danger to organizations worldwide. Google threat hunters have linked the ongoing campaigns to at least three financially motivated groups, four Russian state-sponsored entities, and one attacker operating from China.
Ongoing Exploitation of WinRAR Vulnerability
Google stated in a recent threat intelligence report that government-backed threat actors associated with Russia and China, along with financially motivated adversaries, continue to leverage this known “n-day” vulnerability across various malicious operations. While the exact number of attacks attributed to CVE-2025-8088 has not been detailed, researchers described the activity as widespread. The persistent use of this flaw suggests that many systems remain unpatched, leaving them susceptible to compromise.
Nation-State Espionage and Cybercrime Operations
Nation-state actors are reportedly exploiting the WinRAR vulnerability for espionage purposes, targeting organizations within the military, government, and technology sectors. Specifically, Russian-backed groups are identified as targeting Ukrainian military and government entities. Meanwhile, the targets of the China-based attacker remain less clear, according to the report.
Cybercriminals are also rapidly adopting the vulnerability to deploy malware. Google has traced campaigns back to groups that have previously targeted victims in Indonesia, Latin America, and Brazil. During December and January, these cybercrime groups used the vulnerability to deliver malicious software, including remote access trojans and infostealers, designed to harvest sensitive information.
Google’s timeline of observed exploitation reveals a broad range of attackers involved through October. However, the majority of malicious activity recorded since late 2025 has been attributed to cybercriminal elements, indicating a shift in the primary threat actor type. This trend suggests a broadening of the threat landscape and an increasing risk for less security-conscious individuals and organizations.
Common Exploitation Method and Low Barrier to Entry
A notable aspect of the ongoing threat is that attackers from various backgrounds are employing a common method to exploit the vulnerability. This shared technique has been rapidly adopted by different threat groups, simplifying their attack processes.
According to GTIG, both government-backed groups and financially motivated actors rely on the same technique to gain execution on target devices. The attacker crafts a RAR archive that presents a benign decoy file to the victim; when the victim extracts it, the archive also silently writes a payload to a location outside the chosen extraction directory, such as the user's Windows Startup folder, where it runs at the next logon.
Once the archive has been extracted, no further user interaction is required, and because the victim sees only the decoy, there are few obvious indicators of compromise, which makes the activity difficult for standard security tools to detect, researchers said. This stealthy approach contributes to the continued success of these attacks.
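The following PowerShell script is an added, defender-side example; it is not from Google's report or from RARLAB. It checks the three things a practitioner would want to verify given the mechanism described above and the patching advice later in the piece: whether the installed WinRAR predates 7.13 (the release that shipped the fix for CVE-2025-8088), what executable content currently sits in the per-user and all-users Startup folders, and whether WinRAR.exe itself has written a file into a Startup folder. It assumes WinRAR is installed under Program Files (or Program Files (x86)) and that Sysmon is installed with FileCreate (event ID 11) logging enabled; the 30-day look-back window is an arbitrary choice.

```powershell
# Added example (not Google's or RARLAB's code): hunt for the CVE-2025-8088
# exploitation pattern of "crafted RAR archive writes a payload into Startup".
# Assumptions: WinRAR under Program Files / Program Files (x86); Sysmon with
# event ID 11 (FileCreate) enabled. Run from an elevated prompt for full coverage.

$FixedVersion = [version]'7.13'      # first WinRAR release containing the fix
$Cutoff       = (Get-Date).AddDays(-30)   # arbitrary look-back window

# --- 1. Is WinRAR older than the patched release? --------------------------
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$Candidates = foreach ($root in $Roots) { Join-Path $root 'WinRAR\WinRAR.exe' }
foreach ($exe in ($Candidates | Where-Object { Test-Path $_ })) {
    $raw = (Get-Item $exe).VersionInfo.FileVersion          # e.g. "7.12.0"
    # keep only the leading dotted-digit part so [version] can parse it
    $installed = [version](($raw -replace '[^\d\.].*$', '').TrimEnd('.'))
    if ($installed -lt $FixedVersion) {
        Write-Warning "$exe is $installed (older than $FixedVersion): still exposed to CVE-2025-8088"
    } else {
        Write-Host "$exe is $installed (patched)"
    }
}

# --- 2. What executable content sits in the Startup folders? ---------------
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup')        # current user
    [Environment]::GetFolderPath('CommonStartup')  # all users
)
$SuspectExt = '.exe', '.dll', '.lnk', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta', '.scr'

$StartupHits = foreach ($dir in $StartupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $SuspectExt -contains $_.Extension.ToLower() -and $_.CreationTime -gt $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Size    = $_.Length
                # SHA256 lets you compare directly against published IOC hash lists
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}
"`n== Recently created startup items =="
$StartupHits | Format-Table -AutoSize

# --- 3. Did WinRAR.exe write anything into a Startup folder? ---------------
# A legitimate extraction never targets Startup; WinRAR.exe as the writing
# process for a file under \Start Menu\Programs\Startup\ is the tell-tale.
$Filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $Cutoff }
$SysmonHits = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    if ($data.Image -match '\\WinRAR\.exe$' -and
        $data.TargetFilename -match '\\Start Menu\\Programs\\Startup\\') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Image   = $data.Image
            Written = $data.TargetFilename
        }
    }
}
"`n== Files written into Startup by WinRAR.exe (Sysmon ID 11) =="
$SysmonHits | Format-Table -AutoSize
```

Part 1 matters because WinRAR does not update itself, so a machine that was patched once can still be running an older copy installed later or from a different installer path. Part 2 produces hashes you can match against the indicators Google has published, but, as the researchers note, the technique leaves few obvious indicators, so an empty list is not proof of a clean host. Part 3 is the highest-signal check: the extraction process writing into a Startup folder is behaviour a benign archive never produces, so any hit deserves investigation regardless of whether the dropped file matches a known hash.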
This widespread exploitation of a WinRAR flaw is reminiscent of previous vulnerabilities found in the software. Google’s Threat Analysis Group previously warned about a similar widespread exploitation of a defect in WinRAR, CVE-2023-38831, in October 2023. The ease with which attackers can exploit these vulnerabilities is a significant concern.
Researchers noted that the barrier to entry for threat actors seeking to abuse WinRAR vulnerabilities is low, emphasizing the availability of public, ready-to-use tools that allow for the quick creation and testing of malicious archives. To mitigate these risks, Google urges organizations to install all available security updates for WinRAR and has published indicators of compromise to assist defenders in identifying and responding to malicious activity on their systems.
Moving forward, continued vigilance is expected from security researchers and organizations. The ongoing exploitation of this WinRAR vulnerability means that systems that have not yet been updated remain at risk. Defenders should monitor for the indicators of compromise provided by Google and ensure their WinRAR installations are up-to-date to prevent further compromise.