Just two years after the widespread abuse of a previous WinRAR flaw, the popular file archiving utility has once again become a critical initial access vector for a range of threat actors. This time, the focus is on CVE-2025-8088, a high-severity path traversal vulnerability disclosed in July 2025  that leverages an obscure Windows feature to achieve arbitrary file writes and system persistence.

Exploitation of this vulnerability in the wild began before disclosure, with attacks confirmed as early as July 18, 2025. RARLAB responded quickly, addressing the flaw with the release of WinRAR version 7.13 on July 30, 2025. However, this narrow window was enough for the exploit to be weaponized and widely adopted, and Google Threat Intelligence Group researchers say that both cybercrime groups and Russian and Chinese APT teams are continuing to exploit this flaw against unpatched targets.

Among the groups exploiting this vulnerability are APT groups from both China and Russia, including the infamous Turla team, as well as financially motivated cybercrime groups. 

“Suspected Russia-nexus threat groups are consistently exploiting CVE-2025-8088 in campaigns targeting Ukrainian military and government entities, using highly tailored geopolitical lures,” the Google Threat Intelligence Group wrote in an analysis of the attack activity. 

The core of CVE-2025-8088 lies in a path traversal flaw combined with the manipulation of Alternate Data Streams (ADS), a feature of the NTFS file system.

Here’s how the exploit chain works:

  1. Malicious Archive Crafting: Adversaries create specially crafted RAR archives.
  2. The Decoy: Inside the archive, a decoy file (such as a benign PDF document) is visible to the user.
  3. The Hidden Payload: The archive also contains malicious ADS entries. The attacker conceals the actual payload, typically an executable, within the ADS of the decoy file. Other ADS entries might be present as dummy data.
  4. Path Traversal: When a vulnerable version of WinRAR extracts the archive, the malicious ADS entry is written to the system. The path specified for this write operation is deliberately engineered using directory traversal characters (../, etc.) in combination with the ADS feature.
  5. Persistence: This crafted path allows the attacker to bypass the intended extraction directory and write the hidden payload to an arbitrary, critical location on the system. The primary target for persistence is frequently the Windows Startup folder, ensuring the payload executes upon the next user login.

This intricate exploit chain allows the attacker to plant a malicious file onto the victim's system simply by having them open a seemingly harmless archive.

Global Impact and Threat Actor Adoption

The CVE-2025-8088 exploit was immediately and widely adopted by sophisticated groups globally.

  • Targeting: Multiple government-backed actors have been observed leveraging this flaw, predominantly focusing their efforts on the military, government, and technology sectors.
  • Commoditization: The exploit's proven reliability as an initial access vector led to its rapid commoditization. It quickly entered the broader cyber criminal and espionage marketplace, blurring the line between highly sophisticated state-sponsored operations and financially motivated campaigns.

This intricate exploit chain allows the attacker to plant a malicious file onto the victim's system simply by having them open a seemingly harmless archive.

Ongoing cyber crime targeting, particularly in late 2025 and early 2026, continues to exploit CVE-2025-8088 to distribute various payloads, including commodity RATs and infostealers.

Key activities include:

  • Targeting in Indonesia: A threat group utilized lure documents to exploit the vulnerability, dropping a command script into the Startup folder. This script retrieves a password-protected archive containing a backdoor that uses a Telegram bot for command and control.
  • Targeting in LATAM: A group known for targeting the hospitality and travel sectors is employing phishing emails themed around hotel bookings to deliver commodity RATs like XWorm and AsyncRAT.
  • Targeting Brazilian Users: A separate group is targeting Brazilian banking customers by delivering a malicious Chrome extension that injects JavaScript into legitimate banking websites to display phishing content and steal user credentials.

This rapid adoption calls back to the widespread exploitation of CVE-2023-38831, another critical WinRAR bug, reinforcing the notion that reliable exploits for patched, yet unapplied, vulnerabilities remain highly effective tools in an attacker's arsenal. GTIG researchers said that one of the key links in the underground distribution chain for this exploit is an actor known as "zeroplayer".

"A notable example of such an upstream supplier is the actor known as "zeroplayer," who advertised a WinRAR exploit in July 2025. The WinRAR vulnerability is not the only exploit in zeroplayer’s arsenal. Historically, and in recent months, zeroplayer has continued to offer other high-priced exploits that could potentially allow threat actors to bypass security measures," the researchers said.

The most critical defense is to immediately update WinRAR to version 7.13 or later. The window of opportunity for attackers is measured in days, not months. Delaying the application of a patch for a critical flaw like this is the primary reason for widespread exploitation.

While patching stops the initial infection vector, a successful defense strategy must shift toward detecting the consistent and predictable post-exploitation activities. Once on the system, the attackers' Tactics, Techniques, and Procedures (TTPs)—such as establishing persistence, escalating privileges, and communicating with command-and-control servers—are often reusable and detectable.

The rapid weaponization and commoditization of CVE-2025-8088 underscore the enduring danger of n-day vulnerabilities. Security posture must prioritize immediate risk mitigation (patching) alongside a robust strategy for detecting and disrupting post-compromise activity. 

  • Recent Posts

  • Recent Comments

    No comments to show.