WinRAR Vulnerability CVE-2025-8088 – Active Exploitation

January 28, 2026 Faeem BLOGS 0

Google’s Threat Intelligence Group (GTIG) has issued a warning that multiple threat actors, including nation-state groups and financially motivated cybercriminals, are actively exploiting CVE-2025-8088, a critical WinRAR flaw patched in July 2025.

Vulnerability Overview

  • CVE ID: CVE-2025-8088
  • Severity: CVSS 8.8 (Critical)
  • Component: RARLAB WinRAR (pre-7.13 versions).
  • Flaw type: Path traversal vulnerability.
  • Impact: Allows attackers to drop malicious files into the Windows Startup folder, enabling persistence and arbitrary code execution.
  • Patch: WinRAR 7.13 (released July 30, 2025).

Exploitation in the Wild

  • RomCom (UNC4895 / CIGAR): Used the flaw as a zero-day in July 2025 to deliver SnipBot (NESTPACKER) malware.
  • Sandworm (APT44): Dropped decoy files with Ukrainian filenames + malicious LNK downloaders.
  • Gamaredon (CARPATHIAN): Targeted Ukrainian government agencies with RAR archives containing HTA downloaders.
  • Turla (SUMMIT): Delivered STOCKSTAY malware using military/drone-themed lures.
  • China-based actor: Weaponized CVE-2025-8088 to deliver Poison Ivy via batch scripts.
  • Financially motivated groups: Deployed commodity malware like AsyncRAT and XWorm, including Telegram bot-controlled backdoors.
  • Brazilian cybercrime group: Delivered malicious Chrome extensions to inject phishing JavaScript into banking sites.

Attack Techniques

  • Malicious files concealed in alternate data streams (ADS) of decoy files.
  • Payloads extracted into Windows Startup folder → auto-execution after reboot.
  • Use of batch scripts, LNK files, HTA files, and steganography for delivery.
  • Exploits commoditized in underground markets – sold for thousands of dollars by suppliers like zeroplayer.

Related Vulnerability

  • CVE-2025-6218 (CVSS 7.8): Another WinRAR flaw also exploited by groups like GOFFEE, Bitter, and Gamaredon, showing the persistent risk of N-day vulnerabilities.

Defensive Recommendations

  • Patch immediately: Upgrade to WinRAR 7.13 or later.
  • User awareness: Train users to avoid opening suspicious archive files.
  • Endpoint monitoring: Detect abnormal file drops in Startup folders.
  • Network defense: Watch for outbound traffic linked to RATs and infostealers.
  • Threat hunting: Look for ADS usage and suspicious LNK/HTA activity.

Takeaway

CVE-2025-8088 demonstrates how N-day vulnerabilities remain highly valuable to both espionage and financially motivated actors. The commoditization of WinRAR exploits lowers the barrier for diverse threat groups, making patching and proactive monitoring essential.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.