Source: Google Cloud Threat Intelligence
A critical vulnerability in WinRAR has become the weapon of choice for threat actors across the geopolitical spectrum. CVE-2025-8088, a path traversal flaw discovered and patched in July 2025, continues to be actively exploited by Russian and Chinese state-sponsored groups as well as financially motivated cybercriminals—highlighting the persistent danger of n-day vulnerabilities.
The Vulnerability
CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR: a crafted RAR archive can carry member paths that, when the archive is opened by a vulnerable version, cause files to be written outside the chosen extraction directory to arbitrary locations on the system. Exploitation typically targets the Windows Startup folder so that the dropped payload runs automatically the next time the user logs in.
The attack chain also uses NTFS Alternate Data Streams (ADS) to hide malicious files behind seemingly innocuous documents: the user sees only a decoy PDF, while the archive simultaneously drops malware into sensitive system directories.
Who’s Exploiting It
Russian-Nexus Actors
Multiple Russian threat groups are consistently targeting Ukrainian military and government entities:
- UNC4895 (RomCom/CIGAR): Deploying NESTPACKER malware through tailored Ukrainian military-themed lures
- APT44 (FROZENBARENTS/Sandworm): Dropping malicious LNK files for further payload delivery
- TEMP.Armageddon (CARPATHIAN): Using HTA downloaders targeting Ukrainian government systems through January 2026
- Turla (SUMMIT): Delivering STOCKSTAY malware with drone operation-themed lures
Chinese-Nexus Actors
PRC-based actors are exploiting the vulnerability to deliver POISONIVY malware via BAT file droppers, demonstrating continued Chinese interest in leveraging proven exploits.
Financially Motivated Actors
Cybercriminal groups have rapidly adopted the exploit:
- Campaigns targeting Indonesian victims that deliver backdoors using a Telegram bot as command-and-control (C2)
- Attacks on the hospitality sector deploying XWorm and AsyncRAT
- Brazilian banking credential theft via malicious Chrome extensions
The Underground Exploit Economy
The widespread exploitation traces back to threat actors like “zeroplayer,” who advertised a WinRAR exploit in July 2025. This supplier also offers other high-value exploits including:
- Microsoft Office sandbox escape RCE zero-day ($300,000)
- Corporate VPN RCE zero-day (price unspecified)
- Windows LPE zero-day ($100,000)
- AV/EDR bypass zero-day ($80,000)
Key Takeaways
- Patch Immediately: Update to WinRAR version 7.13 or later
- N-Days Are Dangerous: Even patched vulnerabilities remain exploitable when organizations delay updates
- Consistent TTPs: The predictable post-exploitation behavior (Startup folder persistence) provides detection opportunities
- Blurred Lines: State-sponsored and criminal actors now share the same exploit supply chain
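The write-anywhere pattern described under The Vulnerability (parent-directory traversal, absolute paths, ADS entries and Startup-folder targets) is also the "consistent TTP" that gives defenders a detection opportunity. The following is an added example, not code from Google Cloud Threat Intelligence or the WinRAR project: a small triage tool that takes the member names from an archive listing and flags each of those patterns before anything is extracted. The listing names, the extraction directory and the finding labels are constructed for the example; it uses Python's ntpath module so the Windows path rules apply wherever the script runs.

```python
"""Triage archive member names for the CVE-2025-8088 write-anywhere pattern:
parent-directory traversal, absolute paths, NTFS alternate data streams (ADS)
and Startup-folder targets.  Added example, not vendor or project code."""
import ntpath
from typing import Dict, List

# Path component that identifies the per-user or all-users Startup folder
# (...\Start Menu\Programs\Startup, matched case-insensitively).
STARTUP_MARKERS = ("startup",)


def _to_windows(name: str) -> str:
    # Archive names may use '/' or '\'; on Windows both act as separators.
    return name.replace("/", "\\")


def classify_member(name: str) -> List[str]:
    """Return a list of findings for one archive member name (empty = clean)."""
    findings: List[str] = []
    win = _to_windows(name)
    drive, rest = ntpath.splitdrive(win)
    # Drive letter, UNC prefix or leading backslash: not relative to the extraction dir.
    if drive or rest.startswith("\\"):
        findings.append("absolute-path")
    # Any '..' component walks out of the extraction directory.
    if ".." in rest.split("\\"):
        findings.append("parent-traversal")
    # A ':' after the drive letter is the NTFS stream separator (decoy.pdf:payload.exe).
    if ":" in rest:
        findings.append("alternate-data-stream")
    components = [c.lower() for c in ntpath.normpath(rest).split("\\")]
    if any(c in STARTUP_MARKERS for c in components):
        findings.append("startup-folder-target")
    return findings


def escapes_extraction_dir(extract_dir: str, name: str) -> bool:
    """True if extracting `name` under `extract_dir` would land outside it."""
    base = ntpath.normcase(ntpath.normpath(extract_dir)).rstrip("\\")
    joined = ntpath.join(extract_dir, _to_windows(name))
    target = ntpath.normcase(ntpath.normpath(joined))
    return not (target == base or target.startswith(base + "\\"))


def triage_listing(extract_dir: str, names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious member name to its findings; clean names are omitted."""
    report: Dict[str, List[str]] = {}
    for name in names:
        findings = classify_member(name)
        if escapes_extraction_dir(extract_dir, name):
            findings.append("escapes-extraction-dir")
        if findings:
            report[name] = findings
    return report


# Constructed sample listing (not taken from a real archive): one decoy
# document, one ADS entry, one Startup-folder traversal and one absolute path.
SAMPLE_NAMES = [
    "report.pdf",
    "report.pdf:loader.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Windows\\Temp\\helper.bat",
]
SAMPLE_EXTRACT_DIR = "C:\\Users\\alice\\Downloads"  # constructed value

if __name__ == "__main__":
    for member, findings in triage_listing(SAMPLE_EXTRACT_DIR, SAMPLE_NAMES).items():
        print(f"{member!r}: {', '.join(findings)}")
```

In practice the names would come from a listing tool (for example the output of `unrar l` or `7z l`) rather than the constructed SAMPLE_NAMES list, and the checks run before extraction so a flagged archive never reaches a vulnerable extractor. The ADS check keys on a bare colon because that is the stream separator on NTFS; archives created on other platforms can contain legitimate colons in names, so treat that finding as a triage signal to review rather than proof of malice.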
This vulnerability exemplifies how quickly both nation-state and financially motivated actors adopt reliable exploits once they enter the underground marketplace—making timely patching more critical than ever.
