Multiple threat actors, including nation-state adversaries from Russia and China, as well as financially motivated cybercriminals, are actively exploiting a critical WinRAR vulnerability (CVE-2025-8088) that was patched in July 2025. This widespread exploitation, detailed by Google Threat Intelligence, highlights ongoing risks associated with unpatched software and underscores a persistent gap in fundamental application security and user awareness. The path traversal flaw allows attackers to gain initial access and establish persistence on victim systems by placing malicious files in the Windows Startup folder.
The vulnerability, officially designated CVE-2025-8088, carries a CVSS score of 8.8 and was addressed in WinRAR version 7.13. Successful exploitation enables arbitrary code execution through specially crafted archive files. ESET initially discovered and reported the flaw, observing its zero-day exploitation by RomCom, a group with both financial and espionage motives, as early as July 18, 2025, for the distribution of SnipBot malware. Google tracks the threat cluster behind the deployment of Cuba Ransomware under the moniker UNC2596.
Widespread Exploitation of WinRAR Vulnerability
Since its discovery and subsequent patching, CVE-2025-8088 has seen extensive exploitation across various threat operations. Attack chains commonly involve concealing malicious payloads, such as Windows shortcut (LNK) files, within the alternate data streams (ADS) of decoy files embedded in archives. Because the flaw lets an archive entry escape the chosen extraction directory, these payloads can be written to locations such as the Windows Startup folder, where they are automatically executed when a user logs in after a system restart, thereby achieving persistent access.
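As an added example (not code from Google, ESET or the WinRAR project), the following Python script audits the entry names an archive reports before anything is extracted: it resolves each name lexically against the extraction directory, flags names that escape that directory, flags NTFS alternate data stream syntax, and flags any entry that would land in a Startup folder with an auto-executing extension. The extraction root, the user profile "alice", the Startup path, the extension list beyond LNK/HTA/batch, and every sample entry name are constructed; the rule that a traversal sequence inside a stream name resolves relative to the host file's directory is a modelling assumption, not a statement about WinRAR internals.

```python
"""Added example (not from the Google or ESET write-ups): audit archive entry
names before extraction for path traversal out of the extraction directory
and for payloads hidden behind NTFS alternate data stream (ADS) syntax, and
flag anything that would land in a Windows Startup folder with an
auto-executing extension.

Everything below is constructed: the extraction root, the user profile and
the entry names. No real archive is parsed; feed it the name list your
archive library reports before you extract."""

from pathlib import PureWindowsPath

# Constructed paths for a hypothetical user "alice".
EXTRACT_ROOT = r"C:\Users\alice\Downloads\invoice"
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# File types that run on login when placed in Startup. The article names LNK,
# HTA and batch scripts; the remaining entries are an added assumption.
AUTORUN_EXTENSIONS = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".exe", ".scr", ".ps1"}

# Constructed sample entry names, as an archive tool might report them.
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",                                                                   # benign
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",    # traversal into Startup
    r"report.docx:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",  # ADS + traversal
    "images/../../../notes.txt",                                                          # traversal, outside root
    r"C:\Windows\Temp\drop.hta",                                                          # absolute path
]


def split_ads(entry_name: str):
    """Return (host, stream). stream is None unless the name uses NTFS
    'file:stream' syntax; the drive-letter colon of a 'C:' prefix is ignored."""
    start = 2 if len(entry_name) > 1 and entry_name[1] == ":" else 0
    idx = entry_name.find(":", start)
    if idx == -1:
        return entry_name, None
    return entry_name[:idx], entry_name[idx + 1:]


def resolve(base: str, name: str) -> PureWindowsPath:
    """Join name onto base the way a naive extractor would, then collapse '.'
    and '..' lexically. Pure path arithmetic; nothing touches the filesystem."""
    entry = PureWindowsPath(name)
    joined = entry if entry.is_absolute() else PureWindowsPath(base) / entry
    components = joined.parts[1:] if joined.anchor else joined.parts
    parts = []
    for part in components:
        if part == "..":
            if parts:
                parts.pop()          # cannot climb above the drive anchor
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(joined.anchor, *parts)


def is_within(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive prefix test on path components (Windows is case-insensitive)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


def audit_entry(entry_name: str, extract_root: str, startup_dir: str) -> dict:
    """Classify one entry name; findings is empty for a harmless-looking name."""
    findings = []
    host, stream = split_ads(entry_name)
    if stream is not None:
        findings.append("ads")
        # Assumption: a stream name carrying '..' is resolved relative to the
        # directory of its host file, which is how a traversal rides on ADS.
        host_path = resolve(extract_root, host)
        target = resolve(str(host_path.parent), stream)
    else:
        if PureWindowsPath(host).is_absolute():
            findings.append("absolute_path")
        target = resolve(extract_root, host)
    if not is_within(target, resolve(extract_root, ".")):
        findings.append("traversal")
    if target.suffix.lower() in AUTORUN_EXTENSIONS and is_within(target, resolve(startup_dir, ".")):
        findings.append("startup_autorun")
    return {"entry": entry_name, "lands_at": str(target), "findings": findings}


def audit_archive(entries, extract_root=EXTRACT_ROOT, startup_dir=STARTUP_DIR):
    """Audit every entry name; refuse extraction if any result has findings."""
    return [audit_entry(e, extract_root, startup_dir) for e in entries]


if __name__ == "__main__":
    for r in audit_archive(SAMPLE_ENTRIES):
        flag = ", ".join(r["findings"]) or "ok"
        print(f"{flag:32} {r['entry']}  ->  {r['lands_at']}")
```

The check is purely lexical, so it runs anywhere and needs no NTFS volume; the useful policy is to reject the whole archive as soon as any entry reports a finding rather than skipping the flagged entry, since the decoy files in these campaigns are the lure and the flagged entry is the payload.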
Nation-State Involvement in Exploitation
Several Russian state-sponsored threat actors have been observed leveraging this WinRAR vulnerability. The Sandworm group, also known as APT44 and FROZENBARENTS, has used the flaw to deploy decoy files with Ukrainian filenames alongside malicious LNK files designed to facilitate further downloads. Similarly, the Gamaredon group (CARPATHIAN) has targeted Ukrainian government agencies with RAR archives containing HTML Application (HTA) files, serving as downloaders for secondary-stage malware.
The Turla group, or SUMMIT, has also employed the vulnerability to deliver the STOCKSTAY malware suite, using lures related to Ukrainian military activities and drone operations. These tactics show a consistent focus on geopolitical targets by these state-backed adversaries.
China-Based Actors and Financially Motivated Groups
Google’s threat intelligence indicates that a China-based actor has weaponized CVE-2025-8088 to deploy the Poison Ivy remote access trojan (RAT). This is achieved by dropping a batch script into the Windows Startup folder, configured to download a dropper. Financially motivated threat actors have also rapidly adopted the vulnerability, deploying commodity RATs and information stealers against commercial entities.
These attacks have resulted in the deployment of backdoors controlled via Telegram bots and malware families such as AsyncRAT and XWorm. In a notable instance, a cybercrime group targeting Brazilian users through banking websites delivered a malicious Chrome extension. This extension injects JavaScript into specific Brazilian banking sites to serve phishing content and steal user credentials.
The Role of Exploit Markets
The broad exploitation of the WinRAR vulnerability is attributed, in part, to a robust underground economy in which WinRAR exploits have been advertised for significant sums. For example, an actor known as “zeroplayer” marketed a WinRAR exploit in the weeks preceding the public disclosure of CVE-2025-8088. Such upstream exploit suppliers significantly lower the technical barrier to entry, enabling diverse threat actors to leverage sophisticated attack capabilities.
The continued exploitation of “n-day” vulnerabilities, like this WinRAR flaw, serves as a stark reminder of the ongoing threat landscape. Another WinRAR vulnerability, CVE-2025-6218, has also been exploited by groups including GOFFEE, Bitter, and Gamaredon, further emphasizing the persistent risks posed by software that is not promptly updated.
Moving forward, organizations must prioritize patching the WinRAR vulnerability and similar n-day threats. The continued commoditization of exploits suggests that vigilance against these persistent attack vectors will remain crucial for comprehensive cybersecurity defense in the coming months. Monitoring threat intelligence for new exploitation trends and focusing on fundamental security hygiene will be key to mitigating these risks.