
Google revealed on Tuesday that multiple threat actors, including state adversaries and financially motivated groups, are exploiting critical patched security flaws in RARLAB WinRAR to gain initial access and deploy various payloads.
“Although discovered and patched in July 2025, government-sponsored and financially motivated actors associated with Russia and China continue to exploit this n-day across disparate operations,” Google Threat Intelligence Group (GTIG) said in a statement.
“The consistent exploit method, a path traversal flaw that allows files to be dropped into the Windows startup folder for persistence, highlights defense gaps in basic application security and user awareness.”
The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8) and was patched in WinRAR version 7.13 released on July 30, 2025. Successful exploitation of this flaw could allow an attacker to execute arbitrary code by creating a malicious archive file that is opened by a vulnerable version of the program.

ESET, which discovered and reported this security flaw, said it observed a dual-threat financial and espionage group known as RomCom (also known as CIGAR or UNC4895) exploiting it as a zero-day on July 18, 2025, to distribute a variant of the SnipBot (also known as NESTPACKER) malware. It is worth noting that Google tracks a threat cluster behind Cuba Ransomware deployments under the name UNC2596.
Since then, the vulnerability has been widely exploited. Attack chains typically hide a malicious file, such as a Windows Shortcut (LNK), in an Alternate Data Stream (ADS) of a decoy file inside the archive, so that the payload is extracted to a chosen path (such as the Windows Startup folder) and executed automatically when the user next logs into the machine after a reboot.
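The chain above leaves a fingerprint in the archive's own entry names: an ADS marker on a decoy entry, a target that traverses upward, and a destination in a Startup folder. The following detector, added here as an example rather than code from GTIG or ESET, scores entry names as printed by any archive listing tool; the listing it runs on is constructed, the Startup path regex assumes English Windows folder names, and it inspects names only, not the archive container.

```python
"""Flag archive entry names matching the chain above: payload in an Alternate
Data Stream (ADS) of a decoy entry, '..' traversal, destination in a Windows
Startup folder. Added example (not GTIG/ESET code); inspects names only."""
import re
from typing import Dict, List

# Startup folder under %APPDATA% and %ProgramData%. Assumption: English folder names.
STARTUP_RE = re.compile(r"start menu\\programs\\startup(\\|$)", re.IGNORECASE)
# File types that execute at the next logon once placed in the Startup folder.
AUTORUN_EXT = (".lnk", ".bat", ".cmd", ".hta", ".exe", ".vbs", ".js", ".ps1")

def analyse_entry(name: str) -> Dict[str, object]:
    """Classify one entry name as 'ok', 'review' or 'block' with its findings."""
    norm = name.replace("/", "\\")                  # archives use either slash
    drive = re.match(r"^[A-Za-z]:\\", norm)         # "C:\" is not an ADS marker
    body = norm[drive.end():] if drive else norm
    base, colon, stream = body.partition(":")       # NTFS ADS syntax: file:stream
    target = stream if colon else norm              # path the data would land at
    traversal = ".." in target.split("\\")
    absolute = bool(re.match(r"^(?:[A-Za-z]:)?\\", target))
    startup = bool(STARTUP_RE.search(target))
    findings: List[str] = []
    if colon:
        findings.append("ads: stream attached to decoy entry '%s'" % base)
    if traversal:
        findings.append("traversal: '..' escapes the extraction directory")
    if absolute:
        findings.append("absolute: target is an absolute path")
    if startup:
        findings.append("startup: target is inside a Windows Startup folder")
    if startup and target.lower().endswith(AUTORUN_EXT):
        findings.append("autorun: this file type runs at the next user logon")
    if startup and (traversal or absolute):
        verdict = "block"                           # the persistence drop itself
    else:
        verdict = "review" if findings else "ok"
    return {"name": name, "target": target, "findings": findings, "verdict": verdict}

def scan_listing(names: List[str]) -> List[Dict[str, object]]:
    return [r for r in map(analyse_entry, names) if r["verdict"] != "ok"]

# Constructed listing modelled on the described chain; not from a real sample.
SAMPLE_LISTING = [
    "invoice_2025.pdf",
    "docs/readme.txt",
    "invoice_2025.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\tmp\\notes.txt",
]
```

Feed `scan_listing` the names from a listing of an archive received by e-mail or download; a `block` verdict is the Startup-folder drop pattern, while `review` catches plain traversal, absolute paths or stray ADS entries that deserve a look.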
Some of the other Russian threat actors that have joined the exploit trend include:
Sandworm (also known as APT44 and FROZENBARENTS), which uses this flaw to drop a decoy file with a Ukrainian filename alongside a malicious LNK file that attempts to download additional payloads.
Gamaredon (aka CARPATHIAN), which exploits this flaw to attack Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as downloaders for the second stage.
Turla (aka SUMMIT), which uses the STOCKSTAY malware suite with lures focused on Ukrainian military and drone operations.
GTIG also said it has identified a China-based threat actor that weaponized CVE-2025-8088 and delivered Poison Ivy via a batch script dropped into the Windows Startup folder. The batch script is configured to download a dropper.
“Financially motivated attackers also quickly exploited this vulnerability to deploy commodity RATs and information theft methods against commercial targets,” the report added. Some of these attacks led to the deployment of Telegram bot-controlled backdoors and malware families such as AsyncRAT and XWorm.

In another incident highlighted by Google’s threat intelligence team, a cybercriminal group known for targeting users in Brazil via banking websites allegedly distributed a malicious Chrome extension that could inject JavaScript into pages on two Brazilian banking sites to serve phishing content and steal credentials.
Widespread exploitation of this flaw is assessed to be the result of a thriving underground economy in which WinRAR exploits are advertised for thousands of dollars. One such supplier, ‘zeroplayer’, offered a WinRAR exploit for sale in the weeks leading up to the public disclosure of CVE-2025-8088.
“Zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle,” GTIG said. “By providing out-of-the-box functionality, attackers such as zeroplayer reduce the technical complexity and resource demands on threat actors, allowing groups with diverse motivations to participate. […] This is to take advantage of various functions.”
This development comes as another WinRAR vulnerability (CVE-2025-6218, CVSS score: 7.8) has also been exploited by multiple threat actors, including GOFFEE, Bitter, and Gamaredon, highlighting the threat posed by n-day vulnerabilities.
