Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads.
“Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” the Google Threat Intelligence Group (GTIG) said.
“The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.”
The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025. Successful exploitation of the flaw could allow an attacker to obtain arbitrary code execution by crafting malicious archive files that are opened by a vulnerable version of the program.
ESET, which discovered and reported the security defect, said it observed the dual financial and espionage-motivated threat group known as RomCom (aka CIGAR or UNC4895) exploiting the flaw as a zero-day as far back as July 18, 2025, to deliver a variant of the SnipBot (aka NESTPACKER) malware.
It’s worth noting that Google is tracking the threat cluster behind the deployment of Cuba Ransomware, which is also known to use RomCom RAT, under the moniker UNC2596. Reports indicate potential connections between the operators of UNC2596, UNC4895, and a data extortion marketplace called Industrial Spy.
Since then, the vulnerability has come under widespread exploitation, with attack chains typically concealing the malicious file, such as a Windows shortcut (LNK), within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
Some of the other Russian threat actors who have joined the exploitation bandwagon are listed below –
- Sandworm (aka APT44 and FROZENBARENTS), which has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads
- Gamaredon (aka CARPATHIAN), which has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage
- Turla (aka SUMMIT), which has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centred around Ukrainian military activities and drone operations
GTIG said it also identified a China-based actor weaponizing CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that’s then configured to download a dropper.
“Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets,” it added. Some of these attacks have led to the deployment of Telegram bot-controlled backdoors and malware families like AsyncRAT and XWorm.
In another case highlighted by Google’s threat intelligence team, a cybercrime group known for targeting Brazilian users via banking websites is said to have delivered a malicious Chrome extension that’s capable of injecting JavaScript into the pages of two Brazilian banking sites to serve phishing content and steal credentials.
The broad exploitation of the flaw is assessed to have been the result of a thriving underground economy, where WinRAR exploits have been advertised for thousands of dollars. One such supplier, “zeroplayer,” marketed a WinRAR exploit around the same time in the weeks leading to the public disclosure of CVE-2025-8088.
“Zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle,” GTIG said. “By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations […] to leverage a diverse set of capabilities.”
The development comes as another WinRAR vulnerability (CVE-2025-6218, CVSS score: 7.8) has also witnessed exploitation efforts from multiple threat actors, including GOFFEE, Bitter, and Gamaredon, underscoring the threat posed by N-day vulnerabilities.
