Threat Actors Exploit WinRAR Path Traversal Flaw to Gain Persistence
Google Threat Intelligence Group reported broad exploitation of CVE-2025-8088, a critical WinRAR path traversal vulnerability that lets attackers use malicious RAR archives with Windows Alternate Data Streams to write files to arbitrary locations. In observed attacks, the flaw was commonly used to drop payloads into the Windows Startup folder so malware would execute at the next user logon, giving intruders persistence after a victim opened a crafted archive.
The activity has been linked to both state-backed and financially motivated actors, including clusters associated with Russia and China, with targeting focused on military, government, and technology organizations. Exploitation began as early as July 18, 2025, and continued after RARLAB released a fix in WinRAR 7.13 on July 30, 2025, turning the issue into an actively abused n-day vulnerability; defenders were urged to patch quickly, keep archive software updated, and rely on protections such as Safe Browsing and Gmail filtering to block weaponized files.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
GTIG reports broad post-patch exploitation by multiple threat actors
By 2026-01-27, Google Threat Intelligence Group reported that both state-sponsored and financially motivated actors, including clusters linked to Russia and China, were continuing to exploit the n-day vulnerability. The activity was described as widespread and particularly targeted military, government, and technology organizations.
RARLAB patches CVE-2025-8088 in WinRAR 7.13
RARLAB released WinRAR version 7.13 on 2025-07-30 to fix CVE-2025-8088. The patch addressed the critical vulnerability that had already been exploited in the wild.
Threat actors begin exploiting WinRAR flaw CVE-2025-8088
Google Threat Intelligence Group said active exploitation of CVE-2025-8088 began as early as 2025-07-18. The critical path traversal flaw in WinRAR abuses Alternate Data Streams in malicious RAR archives to write payloads to arbitrary locations, often the Windows Startup folder for persistence.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ongoing Exploitation of WinRAR Path Traversal Vulnerability CVE-2025-8088
**Google Threat Intelligence Group (GTIG)** reported ongoing, widening exploitation of a high-severity WinRAR path traversal flaw, **CVE-2025-8088**, roughly six months after it was disclosed and patched by RARLAB. GTIG assessed exploitation began as early as **July 18, 2025** (including activity nearly two weeks before the vendor fix) and has expanded across a diverse set of adversaries, spanning **Russia- and China-linked espionage actors** as well as **financially motivated cybercriminals**. Reported targeting includes military, government, and technology organizations, with multiple Russia-aligned operations focusing on **Ukrainian** entities. Technical reporting indicates the vulnerability abuses **Windows Alternate Data Streams (ADS)** within crafted archives to perform directory traversal and write files to arbitrary locations, including the Windows **Startup** folder for persistence. GTIG and other researchers describe exploit chains where a user opens a benign decoy (e.g., a PDF) while hidden ADS entries extract and drop executable content such as `LNK`, `HTA`, `BAT`, `CMD`, or script files that run at login; observed payloads include **remote access trojans, infostealers**, and malware frameworks used by named state actors (e.g., **RomCom/UNC4895**, **APT44**, **TEMP.Armageddon**, **Turla**) in addition to broader criminal activity across multiple regions.
Jun 29, 2026
Active Exploitation of WinRAR Path Traversal Vulnerability CVE-2025-6218
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the WinRAR path traversal vulnerability, CVE-2025-6218, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This flaw, which affects Windows-based versions of WinRAR prior to version 7.12, allows attackers to execute arbitrary code by tricking users into opening malicious archives or visiting compromised web pages. The vulnerability enables attackers to write files outside intended directories, potentially leading to code execution with the privileges of the current user, and can be exploited to place files in sensitive locations such as the Windows Startup folder. Multiple threat groups, including GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon, have been observed exploiting CVE-2025-6218 in the wild. Attacks have involved phishing emails containing malicious RAR archives, with some campaigns using the vulnerability to establish persistence and deploy trojans on targeted systems. RARLAB addressed the issue in June 2025 with the release of WinRAR 7.12, and users are urged to update to the latest version to mitigate the risk of exploitation. The vulnerability does not affect WinRAR versions for Unix or Android platforms.
Jun 29, 2026
WinRAR Flaw Let Attackers Achieve Code Execution via Malicious Archives
Check Point Research disclosed a **19-year-old vulnerability** in WinRAR that could be exploited to achieve **arbitrary code execution** when a user opened a specially crafted archive. The issue affected WinRAR's handling of the legacy `ACE` archive format through the bundled `UNACEV2.DLL` library, allowing attackers to manipulate file extraction paths and place malicious executables into startup folders or other sensitive locations. The flaw meant a booby-trapped archive could trigger malware execution on the next system reboot or user logon, turning a common archive-opening action into an infection vector. Because WinRAR had an estimated **hundreds of millions of users**, the disclosure highlighted broad exposure and the risk of weaponized archive files in phishing and malware campaigns until users upgraded to a patched version that removed support for the vulnerable `UNACEV2.DLL` component.
Jun 29, 2026