
Critical WinRAR Vulnerability CVE-2025-8088 Under Active Exploitation

Key Takeaways

  • Multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting CVE-2025-8088, a critical flaw in RARLAB WinRAR that was patched in July 2025.
  • The flaw gives an attacker arbitrary code execution when a vulnerable WinRAR opens a crafted archive; it is being used for initial access and to deploy a wide range of payloads.
  • The common technique hides the payload (for example a Windows shortcut, LNK) in an alternate data stream (ADS) of a harmless-looking decoy file so that extraction writes it to an auto-run location such as the Windows Startup folder.
  • Russia-linked groups Sandworm, Gamaredon and Turla, a China-based actor, and several cybercrime groups have used the flaw to deliver malware and steal sensitive information.
  • WinRAR exploits were advertised on underground markets for thousands of dollars in the weeks before public disclosure, which helps explain how quickly exploitation spread across actors.

Introduction to the Vulnerability
The Google Threat Intelligence Group (GTIG) has revealed that multiple threat actors are exploiting a critical security flaw in RARLAB WinRAR, a widely used file archiving program. The vulnerability, CVE-2025-8088, is a path traversal bug in the Windows versions of WinRAR; it was discovered and patched in July 2025 (WinRAR 7.13), but threat actors continue to exploit unpatched installations to establish initial access and deploy a diverse array of payloads. The flaw lets an attacker obtain arbitrary code execution by crafting a malicious archive that is opened with a vulnerable version of the program: extraction writes attacker-chosen files outside the directory the user selected.

Exploitation Methods
Exploitation typically involves a decoy file in the archive (a document with a plausible name) that carries one or more alternate data streams (ADS). The stream name is crafted to contain path traversal sequences, so when the vulnerable WinRAR extracts the stream it writes the payload, such as a Windows shortcut (LNK), to a path the attacker chooses rather than into the extraction directory. The targeted path is commonly the Windows Startup folder, so the payload runs automatically the next time the user logs on. The victim sees only the benign decoy in the folder they extracted to, and the dropped file sits in a location the user is unlikely to inspect, which is why this gives threat actors quiet, persistent access to the compromised system. Various threat actors, including those linked to Russia and China, have been exploiting the flaw to deliver malware and steal sensitive information.
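The following is an added example, not WinRAR's code and not part of the GTIG report, that shows the check a hardened extractor (or an archive-scanning tool) should perform on the entry names described above. It treats an ADS name that contains path separators as the path it would become, resolves it lexically with Windows rules against a hypothetical extraction directory, and reports whether the result escapes that directory and whether it lands in a Startup folder. The entry names, the extraction root `C:\Users\alice\Downloads\unpacked`, and the helper names `split_ads`, `resolve`, `is_under`, `classify` and `scan` are all constructed for this illustration.

```python
"""Flag archive entries whose ADS name walks out of the extraction directory.

Added example, not WinRAR's or GTIG's code. It runs on any OS because it
only does lexical path resolution with Windows rules (PureWindowsPath).
"""
from pathlib import PureWindowsPath

# Constructed sample listing, not taken from any real archive. Each string is
# an entry name as an archive lister would print it: 'file' or 'file:stream'.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"report.pdf:Zone.Identifier",
    r"report.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"docs\notes.txt:..\..\..\..\..\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.bat",
    r"docs\..\..\escape.txt",
]

# Hypothetical extraction directory the user picked.
EXTRACT_ROOT = r"C:\Users\alice\Downloads\unpacked"

# Both the per-user and the all-users Startup folders end with this suffix.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


def split_ads(entry):
    """Split 'file:stream' into (file, stream or None).

    Archive entry names are relative, so the only legal ':' is the ADS
    separator; a drive-letter colon at index 1 is skipped just in case.
    """
    start = 2 if len(entry) > 1 and entry[1] == ":" else 0
    colon = entry.find(":", start)
    if colon == -1:
        return entry, None
    return entry[:colon], entry[colon + 1:]


def resolve(base, relative):
    """Lexically resolve 'relative' against 'base' with Windows rules.

    '..' walks upward but never above the drive root, which mirrors how
    over-long traversal sequences behave on Windows.
    """
    parts = list(PureWindowsPath(base).parts)
    for seg in relative.replace("/", "\\").split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(parts) > 1:
                parts.pop()
        else:
            parts.append(seg)
    return PureWindowsPath(*parts)


def is_under(path, root):
    """True if 'path' is 'root' or lies beneath it (case-insensitive)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r


def classify(entry, root=EXTRACT_ROOT):
    """Return (verdict, resolved_target) for one archive entry name.

    Verdicts: 'ok' (stays under root), 'ads' (a stream with no path
    separators, e.g. Zone.Identifier), 'traversal' (lands outside root),
    'traversal-autorun' (lands in a Startup folder, the persistence pattern).
    """
    file_name, stream = split_ads(entry)
    if stream is None:
        target = resolve(root, file_name)
    elif "\\" not in stream and "/" not in stream:
        return "ads", str(resolve(root, file_name)) + ":" + stream
    else:
        # A stream name carrying separators is treated as a path relative to
        # the decoy file's directory; this is the bug class being checked.
        parent = resolve(root, file_name).parent
        target = resolve(str(parent), stream)
    if is_under(target, root):
        return "ok", str(target)
    if STARTUP_SUFFIX in str(target).lower():
        return "traversal-autorun", str(target)
    return "traversal", str(target)


def scan(entries, root=EXTRACT_ROOT):
    """Classify every entry; returns a list of (entry, verdict, target)."""
    return [(e, *classify(e, root)) for e in entries]


if __name__ == "__main__":
    for entry, verdict, target in scan(SAMPLE_ENTRIES):
        print(f"{verdict:18} {entry}")
        print(f"{'':18} -> {target}")
```

A safe extractor refuses anything that is not `ok` or `ads`; a triage script can run the same classification over the entry list of a suspicious archive to spot the Startup-folder pattern before anyone opens it. Note that the resolution is purely lexical: it does not follow symlinks or junctions, which is a separate check on a live filesystem.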

Threat Actors Exploiting the Vulnerability
Several threat actors have been identified as exploiting the vulnerability, including Sandworm, Gamaredon, Turla, and a China-based actor. Sandworm has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads. Gamaredon has used the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage. Turla has delivered the STOCKSTAY malware suite using lures centered around Ukrainian military activities and drone operations. A China-based actor has also been identified as weaponizing CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder.

Financially Motivated Threat Actors
Financially motivated threat actors have also adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets. Some of these attacks have led to the deployment of Telegram bot-controlled backdoors and malware families like AsyncRAT and XWorm. In another case, a cybercrime group known for targeting Brazilian users via banking websites has delivered a malicious Chrome extension that’s capable of injecting JavaScript into the pages of two Brazilian banking sites to serve phishing content and steal credentials.

Underground Economy and Exploit Markets
The breadth of exploitation is assessed to be the product of a thriving underground economy in which WinRAR exploits have been advertised for thousands of dollars. One such supplier, "zeroplayer," marketed a WinRAR exploit in the weeks leading up to the public disclosure of CVE-2025-8088. This highlights the continued commoditization of the attack lifecycle: sellers such as zeroplayer remove the technical complexity and resource cost of developing an exploit, allowing groups with very different motivations to field the same capability.

Conclusion and Recommendations
The exploitation of CVE-2025-8088 by so many different threat actors underlines the importance of keeping software up to date and patching promptly. The flaw is fixed in WinRAR 7.13; because WinRAR does not update itself automatically, users and organizations should confirm the installed version is 7.13 or later rather than assume it is current. Archive files from unknown or unexpected senders should be treated with caution, security software should be used to scan archives and their extracted contents, and, given the persistence technique described above, the per-user and all-users Startup folders are worth reviewing for unexpected shortcuts, scripts, or executables after any suspicious archive activity. Taking these steps reduces the risk of exploitation and helps protect against the diverse array of threats now built on this vulnerability.
