
Vulnerabilities·Malware & Threats

APTs, Cybercriminals Widely Exploiting WinRAR Vulnerability

Russian and Chinese state-sponsored threat actors have been exploiting CVE-2025-8088 since July 2025. The post APTs, Cybercriminals Widely Exploiting WinRAR Vulnerability appeared first on SecurityWeek.


Multiple state-sponsored threat actors and cybercrime groups have been exploiting a WinRAR vulnerability in attacks over the past six months, Google Threat Intelligence Group (GTIG) warns.

Tracked as CVE-2025-8088, the high-severity bug was patched on July 30, after being exploited in the wild as a zero-day by the Russia-linked hacking group named RomCom (also known as Storm-0978, Tropical Scorpius, and UNC2596).

The issue is described as a path traversal flaw in WinRAR for Windows that can be abused for arbitrary code execution using crafted archive files.

According to GTIG, APTs and cybercrime groups have exploited the security defect via malicious files hidden within the Alternate Data Streams (ADS) of a decoy file inside an archive.

“Adversaries can craft malicious RAR archives which, when opened by a vulnerable version of WinRAR, can write files to arbitrary locations on the system,” GTIG explains.

The malicious payloads contain a specially crafted path designed to traverse to a specific directory, typically the startup folder, for persistence. Thus, when the archive is opened, the content is written to the system and will be executed when the user logs in.
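The pattern GTIG describes (a decoy file whose alternate data stream name carries a traversal path toward a Startup folder) can be screened for before extraction. The following is an added example, not code from GTIG, SecurityWeek or WinRAR; it assumes entry names have already been pulled from an archive listing in `name:stream` form, and every sample name and the extraction directory are constructed for illustration.

```python
import ntpath
import re
# Constructed sample listing (illustrative only, not real indicators): entry
# names as an archive-listing tool might print them, "name:stream" for ADS.
SAMPLE_ENTRIES = [
    "report.pdf",
    "report.pdf:notes.txt",
    "report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk",
    "docs\\readme.txt",
    "C:\\Users\\Public\\drop.exe",
]
EXTRACT_DIR = "C:\\Users\\victim\\Downloads\\out"  # assumed extraction target
STARTUP_RE = re.compile(r"start menu[\\/]+programs[\\/]+startup", re.IGNORECASE)

def split_ads(entry):
    """Split 'name:stream' into (name, stream); a drive letter 'C:' is not an ADS."""
    start = 2 if len(entry) > 1 and entry[1] == ":" and entry[0].isalpha() else 0
    idx = entry.find(":", start)
    return (entry, None) if idx == -1 else (entry[:idx], entry[idx + 1:])

def escapes(extract_dir, relpath):
    """True if relpath, joined to extract_dir, resolves outside it (or is absolute)."""
    base = ntpath.normpath(extract_dir)
    if ntpath.isabs(relpath) or ntpath.splitdrive(relpath)[0]:
        return True
    target = ntpath.normpath(ntpath.join(base, relpath))
    return ntpath.commonpath([base, target]) != base

def stream_is_traversal(stream):
    """A legitimate stream name has no path separators; any separator or '..' steers the write."""
    parts = re.split(r"[\\/]", stream)
    return len(parts) > 1 or ".." in parts

def assess_entry(entry, extract_dir=EXTRACT_DIR):
    """Return the reasons an entry matches the CVE-2025-8088 abuse pattern."""
    reasons = []
    name, stream = split_ads(entry)
    if escapes(extract_dir, name):
        reasons.append("entry path escapes extraction directory")
    if stream is not None:
        reasons.append("entry carries an alternate data stream")
        if stream_is_traversal(stream):
            reasons.append("stream name contains path separators or '..' components")
        if STARTUP_RE.search(stream):
            reasons.append("stream targets a Startup folder")
    return reasons

def scan(entries, extract_dir=EXTRACT_DIR):
    """Map flagged entry names to their reasons; clean entries are omitted."""
    return {e: r for e in entries if (r := assess_entry(e, extract_dir))}
```

A plain ADS entry is reported as well, since archives that legitimately carry alternate data streams are rare enough to deserve a look; only the traversal and Startup-folder reasons indicate the CVE-2025-8088 pattern itself.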

“Government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” GTIG says.

The state-sponsored APTs were seen exploiting the CVE in attacks targeting government, military, and technology entities.

GTIG tied the observed attacks to the Russia-linked APTs RomCom, Sandworm (aka APT44, BlackEnergy Lite, and Seashell Blizzard), Armageddon (aka Aqua Blizzard, Callisto, Gamaredon, Primitive Bear, and UNC530), and Turla (aka Krypton, Snake, Venomous Bear, and Waterbug).

The attacks, GTIG says, targeted various entities in Ukraine, including military units. The most recent attacks were observed in January 2026.

Additionally, GTIG observed a Chinese state-sponsored APT exploiting the WinRAR vulnerability to deploy the PoisonIvy malware.

Exploitation by cybercrime groups

The abuse of CVE-2025-8088 by financially motivated cybercriminals has been diverse and spread globally, GTIG says.

The bug has been exploited by miscreants to target entities in Indonesia, hospitality and travel organizations worldwide (with a focus on Latin America), and online banking users in Brazil, as well as to distribute various malware families, including commodity RATs.

“The widespread use of CVE-2025-8088 by diverse actors highlights the demand for effective exploits. This demand is met by the underground economy where individuals and groups specialize in developing and selling exploits to a range of customers,” GTIG notes.

One of the threat actors advertising a WinRAR exploit since July 2025, who uses the moniker ‘zeroplayer’, was also seen offering Office, VPN, and Windows zero-days.

“By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations—from ransomware deployment to state-sponsored intelligence gathering—to leverage a diverse set of capabilities,” GTIG notes.
