According to GTIG, a critical vulnerability in WinRAR, tracked as CVE-2025-8088, has become a widely used weapon for government spies and cybercriminals alike, with exploitation still observed months after a patch was released. The flaw is a path traversal vulnerability that abuses NTFS Alternate Data Streams (ADS) to hide malicious code inside a decoy file within a modified RAR archive; it triggers when the user opens the archive and writes a payload to a location of the attacker's choosing, often the Windows Startup folder, to gain persistence.
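The mechanism described above, a traversal path smuggled in through ADS syntax and pointed at the Startup folder, is something a defender can screen for before an archive is ever extracted. The following is an added example, not code from GTIG or from the WinRAR project: a small pre-extraction validator that takes an archive's entry names (here a constructed listing, since real RAR parsing is out of scope) and flags the three traits the article describes: parent-directory traversal, ADS colon syntax, and a Startup-folder target. The function names and sample entries are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Substrings that identify the per-user or all-users Windows Startup folder
STARTUP_FOLDER_MARKERS = (
    "start menu\\programs\\startup",
)


@dataclass
class EntryVerdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _has_drive_prefix(path: str) -> bool:
    # "C:" style prefix; the only legitimate place for a colon in a Windows path
    return len(path) > 1 and path[0].isalpha() and path[1] == ":"


def check_entry_name(name: str) -> EntryVerdict:
    """Classify one archive entry name without touching the filesystem."""
    verdict = EntryVerdict(name)
    normalized = name.replace("/", "\\")

    # Absolute paths (leading separator or drive letter) escape the extraction dir
    if normalized.startswith("\\") or _has_drive_prefix(normalized):
        verdict.reasons.append("absolute path")

    # Any ".." component lets the entry climb out of the destination folder
    if any(part == ".." for part in normalized.split("\\")):
        verdict.reasons.append("parent-directory traversal")

    # A colon anywhere past the drive prefix is ADS syntax (file.txt:stream)
    body = normalized[2:] if _has_drive_prefix(normalized) else normalized
    if ":" in body:
        verdict.reasons.append("alternate data stream syntax")

    # Writes into the Startup folder are the persistence trick the article notes
    lowered = normalized.lower()
    if any(marker in lowered for marker in STARTUP_FOLDER_MARKERS):
        verdict.reasons.append("targets Startup folder")

    return verdict


def audit_archive_listing(names):
    """Return verdicts for every entry that tripped at least one check."""
    return [v for v in (check_entry_name(n) for n in names) if v.suspicious]


# Constructed sample listing (hypothetical, not from any real archive):
# two benign entries, one ADS-smuggled traversal into Startup, one plain traversal.
SAMPLE_LISTING = [
    "report.pdf",
    "images/photo.jpg",
    "invoice.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.bat",
    "..\\..\\evil.exe",
]


if __name__ == "__main__":
    for verdict in audit_archive_listing(SAMPLE_LISTING):
        print(f"BLOCK {verdict.name!r}: {', '.join(verdict.reasons)}")
```

Run over the constructed listing, the script blocks the two hostile entries and passes the benign ones; in practice the same check would sit in a mail gateway or endpoint hook that lists archive contents before handing them to the extractor, which is independent of whether the user's WinRAR has been updated.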
GTIG’s investigation lists Russia-nexus actors such as UNC4895 (RomCom), APT44, and Turla as repeatedly exploiting CVE-2025-8088 to target Ukrainian military and government entities, while a PRC-based actor was seen delivering POISONIVY via a batch file dropped into the Startup folder; financially motivated groups have also used the bug to deliver XWorm and AsyncRAT in Latin America and Brazil.
The campaign landscape is fed by zeroplayer, described as a threat actor supplying high-end vulnerabilities and exploits, including items priced at $300,000 and $100,000, alongside an $80,000 tool capable of disabling antivirus and EDR software. WinRAR was updated to version 7.13 on 30 July 2025 to address the vulnerability, yet many organisations remain behind on patches, so the bug continues to be exploited as an n-day.