A critical vulnerability in WinRAR is being actively exploited by hackers, prompting Google to issue a warning to Windows users who have yet to update their software.
Quick Summary – TLDR:
- CVE-2025-8088, a critical WinRAR flaw, is being exploited by both nation-state and financially motivated attackers.
- The bug enables attackers to gain persistent access to Windows systems via malicious RAR files.
- Despite a patch released in July 2025, many systems remain vulnerable due to slow update adoption.
- Google’s Threat Intelligence Group (GTIG) and ESET researchers are tracking the widespread abuse.
What Happened?
Google’s Threat Intelligence Group has confirmed that the critical path traversal flaw in WinRAR, identified as CVE-2025-8088, is being used in real-world attacks. The vulnerability, discovered by researchers at ESET and patched in July 2025, allows malicious RAR archives to write files to arbitrary locations on a user’s system. Threat actors are using this technique to place malicious files into Windows Startup folders, ensuring the malware runs every time the system starts.
We are tracking widespread exploitation of critical WinRAR vulnerability CVE-2025-8088 by state-sponsored espionage groups and financially motivated actors. 🔍
— Mandiant (part of Google Cloud) (@Mandiant) January 27, 2026
All orgs and users should update to the latest version of WinRAR.
Learn more and get IOCs:https://t.co/mrB4q9svwl pic.twitter.com/LhSAAdnoHU
CVE-2025-8088: A Powerful Exploit Hiding in Plain Sight
The flaw works by abusing Windows Alternate Data Streams (ADS) and directory traversal. Attackers craft RAR files containing hidden malicious payloads disguised under normal-looking documents. When opened using a vulnerable WinRAR version, the archive silently writes a .lnk, .cmd, or .bat file into a critical system directory such as:
../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/
Once the archive is opened, the payload is extracted and executed automatically on the next reboot, giving attackers persistent access without further user interaction.
RARLAB issued a fix in WinRAR version 7.13 on July 30, 2025, but attackers continue targeting outdated systems.
Cyber Espionage Campaigns
Google has observed multiple state-sponsored hacking groups exploiting the flaw:
- Russia-nexus group UNC4895 (RomCom) targeted Ukrainian military with spearphishing emails and deployed NESTPACKER malware.
- APT44 (FROZENBARENTS) used decoy Ukrainian documents to drop malicious LNK files.
- TEMP.Armageddon (CARPATHIAN) delivered HTA files that act as downloaders for further payloads.
- Turla (SUMMIT) deployed its STOCKSTAY malware using lures themed around Ukraine’s drone operations.
- A China-based actor used the exploit to drop POISONIVY malware via a BAT file into the Startup folder.
Financially Motivated Threats
Cybercriminals are also leveraging the same flaw for monetary gain:
- A group in Indonesia used the bug to drop a .cmd script that later downloads a password-protected RAR archive from Dropbox, containing a backdoor linked to a Telegram bot.
- Actors in Latin America targeted the travel industry with phishing emails related to hotel bookings to deliver XWorm and AsyncRAT.
- In Brazil, attackers pushed a malicious Chrome extension designed to steal banking credentials through phishing overlays on banking websites.
The Underground Economy: zeroplayer’s Role
One of the key exploit providers behind this wave is a dark web actor named zeroplayer. Known for selling high-end zero-day vulnerabilities, zeroplayer advertised a WinRAR exploit in July 2025, contributing to the vulnerability’s mass adoption.
Other exploits offered by zeroplayer include:
- Microsoft Office RCE sandbox escape listed at 300,000 dollars.
- Zero-day in a corporate VPN solution.
- Local Privilege Escalation for Windows sold for 100,000 dollars.
- AV/EDR bypass exploit for 80,000 dollars.
These offerings show how exploit developers enable a wider range of attackers, lowering the technical barrier for both state actors and cybercriminals.
What Users and Organizations Should Do?
Google is urging all users and enterprises to:
- Update to WinRAR version 7.13 or later.
- Patch systems without delay.
- Monitor Startup folders for suspicious file drops.
- Use Google Safe Browsing and Gmail protections, which can detect malicious archives.
- Leverage VirusTotal collections and GTIG IOCs for detection and response.
SQ Magazine Takeaway
I think this situation is another reminder that old vulnerabilities can cause serious problems when left unpatched. Even though a fix has been out since July 2025, hackers are still breaking into systems today using CVE-2025-8088. It’s shocking how many organizations don’t update software as soon as patches drop. This WinRAR bug might seem like a small issue, but clearly it’s being used by everyone from government hackers to criminals in Latin America. If you’re still running an old version of WinRAR, it’s time to hit that update button right now.
