A patched WinRAR vulnerability is being widely exploited by nation-state actors and cybercriminals to deploy RATs and stealers, highlighting the ongoing risks of outdated software.

Critical Vulnerability Exploited by Multiple Threat Actors
A critical security flaw in WinRAR, tracked as CVE-2025-8088, has become a favorite tool for both nation-state actors and financially motivated cybercriminals. The vulnerability, which received an 8.8 CVSS v3.1 score, is a path traversal flaw affecting Windows versions of the popular decompression tool. WinRAR patched the issue in version 7.13, released on July 30, 2025.
How the Exploit Works
The attack leverages Alternate Data Streams (ADS), a Windows NTFS feature that allows additional named data streams to be attached to a file. Attackers craft malicious RAR archives containing decoy PDF files or other legitimate-looking documents, with the malicious payload hidden in stream entries. When victims open these decoy files using vulnerable WinRAR versions, the path traversal flaw causes those hidden streams to be written as files to arbitrary locations on the system, bypassing normal security controls.
Nation-State Actors Join the Fray
According to Google Threat Intelligence Group (GTIG), multiple government-backed actors have adopted this exploit, focusing primarily on military, government, and technology targets:
- RomCom: This dual-purpose ransomware and espionage group targets Ukrainian military and government entities using geopolitical lures
- APT44 (Frozenbarents): Kremlin-linked group targeting similar sectors in Ukraine
- Temp.Armageddon (Carpathian): Another Russian-aligned crew exploiting the vulnerability
- Turla (Summit): Well-known Russian espionage group also leveraging the flaw
Additionally, an unnamed China-based group is using the vulnerability to deliver the PoisonIvy RAT through BAT files placed in the Startup folder, which then download additional malware droppers.
Cybercriminal Ecosystem Thrives
Beyond state-sponsored attacks, several financially motivated criminal groups have incorporated CVE-2025-8088 into their toolkits:
- Groups targeting commercial organizations in Indonesia
- Criminal gangs focusing on hospitality and travel sectors via phishing emails with hotel booking lures, delivering XWorm and AsyncRAT
- Operations specifically targeting Brazilian users through banking websites to steal credentials
"As of January, we have continued to observe malware being distributed by cyber crime exploiting CVE-2025-8088, including commodity RATs and stealers," security researchers noted.
The Underground Market for Zero-Days
The exploitation of this vulnerability highlights the thriving underground market for zero-day exploits. In June 2025, before the vulnerability was publicly known, a cybercriminal operating under the alias "zeroplayer" advertised a working WinRAR zero-day exploit for $80,000 on a cybercrime forum.
According to GTIG, zeroplayer has been consistently offering high-priced exploits:
- November 2025: Remote code execution zero-day for Microsoft Office advertised at $300,000
- October 2025: Local privilege escalation exploit for Windows priced at $100,000
- September 2025: Remote code execution zero-day for an unnamed corporate VPN provider (price unspecified)
- September 2025: Zero-day for an unspecified driver that disables antivirus and EDR software for $80,000
The Patch Gap Problem
The widespread exploitation of CVE-2025-8088 underscores a persistent challenge in cybersecurity: the gap between patch availability and actual deployment. Despite WinRAR releasing a fix in July 2025, the vulnerability continues to be actively exploited seven months later, affecting organizations across multiple sectors and geographic regions.
This situation serves as a stark reminder that maintaining up-to-date software is not just a best practice but a critical security requirement in today's threat landscape.
