
WinRAR Flaw Becomes Hacker Gold Mine: State Spies and Cybercriminals Still Exploiting Six-Month-Old Bug

State-backed hackers and cybercriminals exploit patched WinRAR bug CVE-2025-8088 six months after fix, targeting military & businesses worldwide.


Six months after a critical WinRAR vulnerability was patched, hackers from Russia, China, and cybercrime groups continue to exploit it—turning a fixed security flaw into one of 2025's most abused attack vectors.

Google's Threat Intelligence Group revealed today that CVE-2025-8088, a path traversal vulnerability in the popular Windows file archiver, remains under active exploitation by at least seven distinct threat actors despite RARLAB releasing a patch back in July 2025.

The attackers' playbook is simple but effective. CVE-2025-8088 is a path traversal in how WinRAR handles NTFS Alternate Data Streams (ADS), a file-system feature that lets a file carry extra named streams alongside its main content. A crafted archive holds a harmless-looking decoy document plus ADS entries attached to it whose stream names are not stream names at all but relative paths, padded with ..\ segments that climb out of the extraction directory and into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Unpatched WinRAR honours that path instead of confining the write to the folder the user chose, so extracting the archive silently plants the payload in the Startup folder, where it runs at the next logon and survives reboots without any prompt or warning.

The Underground Marketplace Fueling Attacks

What makes this exploitation pattern particularly alarming is how threat actors acquired their attack tools. According to Google's analysis, an exploit broker known as "zeroplayer" advertised a working WinRAR exploit in July 2025—potentially the very exploit now circulating among state-sponsored and criminal groups.

Zeroplayer's catalogue reads like a cybersecurity nightmare: a Microsoft Office sandbox escape for $300,000, corporate VPN exploits, and Windows privilege escalation tools ranging from $80,000 to $300,000. This commoditization of exploits means sophisticated attacks are no longer exclusive to well-resourced nation-states.

Who's Exploiting and Why

Russian espionage groups dominate the exploitation landscape. UNC4895 (also known as RomCom) targets Ukrainian military units with NESTPACKER malware through spearphishing campaigns featuring geopolitically themed lures. APT44, another Russia-nexus group, deploys malicious LNK files alongside Ukrainian-language decoys. TEMP.Armageddon has maintained operations through January 2026, dropping HTA downloaders into Startup folders.

Even notorious espionage group Turla has adopted the exploit, delivering their STOCKSTAY malware suite using Ukrainian military and drone operation themes.

China-linked actors aren't sitting idle either. Google observed PRC-based groups deploying POISONIVY malware through BAT files that drop into Startup folders before downloading additional payloads.

On the cybercrime front, financially motivated groups have weaponised CVE-2025-8088 to distribute commodity remote access tools (RATs) like XWorm and AsyncRAT. One Indonesian-focused group uses Telegram bot-controlled backdoors, while Latin American campaigns leverage hotel booking lures to compromise hospitality targets. Brazilian banking customers face malicious Chrome extensions that inject credential-stealing JavaScript into legitimate banking sites.

The Pattern That Should Worry Everyone

This isn't WinRAR's first rodeo with widespread exploitation. In 2023, CVE-2023-38831, another WinRAR vulnerability, saw similarly extensive abuse across state-sponsored and criminal operations. The parallel raises uncomfortable questions about defensive strategies when patches exist but adoption lags.

"The consistent exploitation method underscores a defensive gap in fundamental application security and user awareness," Google's Threat Intelligence Group noted. Their data shows exploitation began as early as July 18, 2025—twelve days before RARLAB released version 7.13 with the fix.

What Organisations Must Do Now

The path forward requires immediate action on multiple fronts. Organisations must audit their environments for WinRAR versions prior to 7.13 and update immediately. WinRAR does not update itself, so a copy installed last year is still on last year's version unless someone has replaced it. Checking the WinRAR desktop application alone isn't enough either: the Windows command-line RAR and UnRAR tools, and any third-party product that bundles UnRAR.dll, carry the same flaw and need updating too. (Per RARLAB's 7.13 release notes, the Unix versions of RAR and UnRAR, the portable UnRAR source and RAR for Android are not affected.)

Google recommends enabling Google Safe Browsing and Gmail's built-in protections, which actively identify and block files containing the exploit. Network defenders should hunt for indicators of compromise using Google's published IOC collection, focusing on suspicious .lnk, .hta, .bat, and .cmd files appearing in Windows Startup directories.

The brutal reality is that once a reliable exploit enters the underground marketplace, the clock starts ticking for defenders. With over 500 million WinRAR users worldwide, the attack surface remains vast—and the threat actors are counting on slow patch adoption to maintain their access.

As zeroplayer's expanding exploit portfolio demonstrates, the underground economy for security vulnerabilities is thriving. Until organisations treat patching with the urgency it demands, these n-day exploits will continue bridging the gap between nation-state capabilities and everyday cybercrime.

Affected Systems: WinRAR versions prior to 7.13, UnRAR.dll components
Fix Available: Update to WinRAR 7.13 or later
CVSS Score: 8.4 (High severity)
IOCs: Available through Google Threat Intelligence Collection for registered users
