Ongoing Exploitation of WinRAR Path Traversal Vulnerability CVE-2025-8088
Google Threat Intelligence Group (GTIG) reported ongoing and widening exploitation of CVE-2025-8088, a high-severity path traversal flaw in WinRAR, roughly six months after RARLAB disclosed and patched it. GTIG assessed that exploitation began as early as July 18, 2025, nearly two weeks before the vendor fix shipped, and has since expanded across a diverse set of adversaries: Russia- and China-linked espionage actors as well as financially motivated cybercriminals. Reported targeting includes military, government, and technology organizations, with multiple Russia-aligned operations focused on Ukrainian entities.
Technical reporting describes the flaw as a path traversal in WinRAR's handling of Windows Alternate Data Streams (ADS). A crafted archive attaches ADS entries to a benign-looking file, and the stream names carry traversal sequences that affected WinRAR versions did not sanitize, so extraction writes the stream contents outside the chosen folder, including into the user's Startup folder for persistence. GTIG and other researchers describe exploit chains in which the victim opens the decoy (e.g., a PDF) while the hidden ADS entries drop LNK, HTA, BAT, CMD, or script files that run at the next login; observed payloads include remote access trojans, infostealers, and the malware frameworks of named state actors (e.g., RomCom/UNC4895, APT44, TEMP.Armageddon, Turla), alongside broader criminal activity across multiple regions.
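To make that structure concrete, here is an added example (not code from RARLAB, GTIG, ESET, or this page) that walks a RAR5 archive's headers and flags the two traversal shapes this page discusses: a file entry whose name escapes the extraction directory, and an NTFS stream entry whose name carries path separators or `..`. It assumes RARLAB's public RAR5 block layout (CRC32, size vint, type, flags, optional extra/data sizes, per-type fields, then extra records of size/type/data) and that `STM` service headers carry the stream name in extra record 0x07; the archive it inspects is constructed in-memory by a minimal writer, so the file and stream names are illustrative, not captured indicators.

```python
"""Walk RAR5 headers and flag path-traversal entries: file names that escape the
extraction directory (the CVE-2025-6218 pattern) and NTFS stream (ADS) names that carry
path separators (the CVE-2025-8088 pattern). Added example, not RARLAB/GTIG/ESET code;
follows RARLAB's public RAR5 block layout; unencrypted single-volume archives only."""
import zlib
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x01, 0x02   # header flags: extra area / data area present
FFLAG_MTIME, FFLAG_CRC = 0x02, 0x04  # file flags: mtime / data CRC32 fields present
EXTRA_SUBDATA = 0x07                 # extra record carrying service data (ADS name for "STM")

def read_vint(buf, pos):
    """Decode a base-128 little-endian vint at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value | (buf[pos] << shift), pos + 1

def write_vint(n):
    out = b""
    while n >= 0x80:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def file_name_escapes(name):
    """Absolute names or any '..' component (either separator) leave the target dir."""
    parts = name.replace("\\", "/").split("/")
    return ".." in parts or name.startswith("/") or name[1:2] == ":"

def ads_name_suspicious(stream):
    """A legitimate stream name looks like ':name'; separators or '..' mean traversal."""
    return "\\" in stream or "/" in stream or ".." in stream

def subdata_record(extra):
    """Payload of extra record 0x07; each record is size (excluding itself), type, data."""
    pos = 0
    while pos < len(extra):
        size, p = read_vint(extra, pos)
        rtype, q = read_vint(extra, p)
        if rtype == EXTRA_SUBDATA:
            return extra[q:p + size]
        pos = p + size
    return b""

def inspect_rar5(data):
    """Return [(kind, name, reason), ...] for entries whose extraction path traverses."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    findings, pos = [], len(RAR5_SIG)
    while pos < len(data):
        hsize, p = read_vint(data, pos + 4)    # a 4-byte header CRC32 precedes the size vint
        hend = p + hsize                       # header size spans type field .. extra area
        htype, p = read_vint(data, p)
        hflags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if hflags & FLAG_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if hflags & FLAG_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(data, p)
            p = read_vint(data, read_vint(data, p)[1])[1]   # skip unpacked size, attributes
            p += (4 if fflags & FFLAG_MTIME else 0) + (4 if fflags & FFLAG_CRC else 0)
            p = read_vint(data, read_vint(data, p)[1])[1]   # skip compression info, host OS
            nlen, p = read_vint(data, p)
            name = data[p:p + nlen].decode("utf-8", "replace")
            if htype == HEAD_FILE and file_name_escapes(name):
                findings.append(("file", name, "file name escapes the extraction directory"))
            elif htype == HEAD_SERVICE and name == "STM":
                stream = subdata_record(data[hend - extra_size:hend]).decode("utf-8", "replace")
                if ads_name_suspicious(stream):
                    findings.append(("ads", stream, "ADS name carries path separators or '..'"))
        if htype == HEAD_END:
            break
        pos = hend + data_size                 # step over the data area to the next block
    return findings

def _block(htype, body, extra=b"", data=b""):
    flags = (FLAG_EXTRA if extra else 0) | (FLAG_DATA if data else 0)
    head = write_vint(htype) + write_vint(flags)
    head += (write_vint(len(extra)) if extra else b"") + (write_vint(len(data)) if data else b"")
    head = write_vint(len(head) + len(body) + len(extra)) + head + body + extra
    return zlib.crc32(head).to_bytes(4, "little") + head + data

def _entry(htype, name, payload=b"", extra=b""):
    """File/service body: flags, unpacked size, attrs, data CRC32, stored, Windows host, name."""
    body = write_vint(FFLAG_CRC) + write_vint(len(payload)) + write_vint(0x20)
    body += zlib.crc32(payload).to_bytes(4, "little") + write_vint(0) + write_vint(0)
    return _block(htype, body + write_vint(len(name.encode())) + name.encode(), extra, payload)

def _ads(stream_name, payload):
    rec = write_vint(EXTRA_SUBDATA) + stream_name.encode()
    return _entry(HEAD_SERVICE, "STM", payload, write_vint(len(rec)) + rec)

def build_sample():
    """Constructed archive (not a capture): decoy PDF, benign ADS, traversing ADS, traversing name."""
    startup = "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    return (RAR5_SIG + _block(HEAD_MAIN, write_vint(0))
            + _entry(HEAD_FILE, "invoice.pdf", b"%PDF-1.4 decoy")
            + _ads(":Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n")
            + _ads(":" + startup + "Updater.lnk", b"L\x00\x00\x00")
            + _entry(HEAD_FILE, "..\\..\\update.bat", b"@echo off\r\n")
            + _block(HEAD_END, write_vint(0)))
```

Point `inspect_rar5()` at the bytes of a suspicious archive before anyone extracts it; a non-empty result is grounds to quarantine. It reads headers only, so encrypted-header or multi-volume archives will raise or return nothing, and it is a triage aid at a mail gateway or in a sandbox, not a substitute for patching to 7.13.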

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Researchers warn CVE-2025-6218 is also seeing exploitation attempts
Alongside its reporting on CVE-2025-8088, Google warned in late January 2026 that another WinRAR flaw, CVE-2025-6218 (a directory traversal via crafted file names, fixed earlier in WinRAR 7.12), was also facing exploitation attempts by multiple actors. This reinforced concerns about attackers' continued use of already-patched WinRAR vulnerabilities.
Google reports widespread ongoing exploitation into 2026
In late January 2026, Google Threat Intelligence Group published findings that CVE-2025-8088 was still being actively exploited roughly six months after patching by a mix of nation-state and financially motivated actors. Google also published indicators of compromise and urged organizations to update WinRAR and hunt for related activity.
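As an added example of the hunting GTIG recommends (my own logic, not a GTIG or vendor rule), the block below gates an installed WinRAR version string against the fixing release, 7.13, and scores Sysmon FileCreate events for archiver processes writing into a user's Startup folder. `Image` and `TargetFilename` are the standard Sysmon Event ID 11 fields; the process names, the autorun extension list, and the sample events are my assumptions, constructed for the example.

```python
"""Hunt helpers for the WinRAR Startup-folder drop pattern this page describes.
Added example (not GTIG's or any vendor's published rule). It gates installed WinRAR
versions against the fixing release and scores Sysmon FileCreate (Event ID 11)
records by their Image / TargetFilename fields. The events below are constructed."""
import re

FIXED_VERSION = (7, 13)                     # WinRAR 7.13 fixed CVE-2025-8088
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}          # assumption: archiver binaries to watch
AUTORUN_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".exe"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

def is_vulnerable_version(version):
    """True for WinRAR for Windows builds before 7.13. Accepts '7.12', '7.12.0', '7.01'."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < FIXED_VERSION

def flag_event(ev):
    """Return (severity, reason) if a FileCreate record matches the drop pattern, else None."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    target = ev.get("TargetFilename", "")
    base = target.rsplit("\\", 1)[-1].lower()
    ext = base[base.rfind("."):] if "." in base else ""
    if not STARTUP_RE.search(target):
        return None
    if image in ARCHIVERS:                  # an archiver never has business writing here
        return ("high", f"{image} wrote {base} into a Startup folder")
    if ext in AUTORUN_EXT:                  # other writers: worth a look, usually benign installs
        return ("low", f"{image} wrote autorun-capable {ext} into a Startup folder")
    return None

def hunt(events):
    """Apply flag_event over Sysmon-style dicts; keep only FileCreate hits."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 11 and (verdict := flag_event(ev)):
            hits.append((verdict[0], ev["TargetFilename"], verdict[1]))
    return hits

STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [   # constructed, shaped like Sysmon Event ID 11 records
    {"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.pdf"},
    {"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": STARTUP + "Updater.lnk"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": STARTUP + "Teams.lnk"},
    {"EventID": 1, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": STARTUP + "ignored-not-a-filecreate.bat"},
]
```

Feed `hunt()` with events exported from your SIEM (any source that preserves the Sysmon field names works), and feed `is_vulnerable_version()` the product version your inventory tool reports for `WinRAR.exe`. The "high" tier is the exploit's signature; the "low" tier exists so that a WinRAR upgrade does not make you stop looking at Startup folders altogether.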
Underground seller 'zeroplayer' markets WinRAR exploit access
An exploit supplier using the handle 'zeroplayer' was reported advertising a WinRAR zero-day exploit in 2025, with some reports citing an asking price of $80,000. Researchers assessed that this exploit-supply activity helped multiple state and criminal actors obtain and operationalize the capability.
Financially motivated actors adopt the exploit for commodity malware
Multiple criminal groups began using CVE-2025-8088 to distribute commodity RATs, stealers, Telegram-bot-controlled backdoors, and phishing tooling. Reported targeting spanned the hospitality and banking sectors and regions including Indonesia and Latin America, among them campaigns against Brazilian banking users that delivered a malicious Chrome extension.
China-linked actor uses flaw to deliver PoisonIvy
Google linked a PRC-based threat actor to exploitation of CVE-2025-8088 to deploy PoisonIvy, typically via BAT-file-based infection chains. The reporting did not specify an exact date, but places this activity in the post-patch 2025 exploitation wave.
Russian state-linked groups expand use against Ukrainian targets
After the patch, multiple Russia-linked espionage groups including APT44, TEMP.Armageddon, Turla, and RomCom-linked UNC4895 were observed exploiting CVE-2025-8088. Their campaigns focused heavily on Ukrainian military and government entities, delivering malware such as STOCKSTAY and related loaders/backdoors.
ESET publicly discloses the WinRAR vulnerability
In early August 2025, ESET disclosed CVE-2025-8088 and described how malicious RAR archives could write files to arbitrary locations, including Startup folders, leading to code execution at user login. ESET also tied the flaw to in-the-wild exploitation by RomCom.
RARLAB patches CVE-2025-8088 in WinRAR 7.13
RARLAB released WinRAR 7.13, fixing CVE-2025-8088, on 2025-07-30. The fix covers WinRAR for Windows and the Windows builds of the command-line RAR, UnRAR and UnRAR.dll; the Unix and Android versions were not affected. WinRAR has no automatic update mechanism, so users must download and install 7.13 or later themselves, which is why exploitation continued afterward as an n-day vulnerability against unpatched installs.
RomCom exploits WinRAR flaw as a zero-day
ESET observed the Russia-aligned RomCom group exploiting CVE-2025-8088 as a zero-day in mid-to-late July 2025, including delivery of SnipBot/NESTPACKER-related payloads via spear-phishing lures. Reports also indicate at least one other criminal group used the flaw around the same period.
Exploitation of CVE-2025-8088 begins in the wild
Google Threat Intelligence Group assessed that exploitation of the WinRAR path traversal flaw CVE-2025-8088 began as early as 2025-07-18. Early attacks used crafted RAR archives abusing Windows Alternate Data Streams and directory traversal to drop payloads, often into the Windows Startup folder for persistence.