thehackernews.com, 1/28/2026, 10:50:22 AM

Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088

CyberSIXT evidence panel: listed in CISA KEV; patch available.

According to the Google Threat Intelligence Group (GTIG), multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched WinRAR vulnerability, CVE-2025-8088, to establish initial access and deploy a range of payloads. The flaw, a path traversal weakness, was patched in WinRAR version 7.13, released on 30 July 2025; successful exploitation could allow arbitrary code execution when a malicious archive is opened with a vulnerable version.

ESET reported that RomCom (aka CIGAR or UNC4895), a group with both financial and espionage motives, used the vulnerability as a zero-day as far back as 18 July 2025 to deliver a SnipBot variant. GTIG notes that cybercriminals have weaponised CVE-2025-8088 across various operations, with attackers sometimes concealing the malicious file in an LNK within the archive's alternate data stream (ADS) to drop payloads in the Windows Startup folder.

The report also highlights other threat actors, including Sandworm, Gamaredon and Turla, and mentions a China-based actor delivering Poison Ivy via a startup-folder dropper, underscoring the broad exploitation of this N-day and the ongoing commoditisation of WinRAR exploits by groups such as zeroplayer.
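As an added example (not from the article or from any of the vendors it cites), the following Python triages archive entry names for the three traits the exploitation chain above relies on: a path that climbs out of the extraction directory, an NTFS alternate data stream, and a landing spot in the per-user Startup folder. The extraction directory and the sample entry names are constructed assumptions; only names are inspected, never archive contents.

```python
import ntpath

# Per-user folder whose contents run at logon (the drop target named in the article)
STARTUP_DIR = r"appdata\roaming\microsoft\windows\start menu\programs\startup"


def classify_entry(name, extract_dir=r"C:\Users\alice\Downloads"):
    """Return a set of risk tags for one archive entry name.

    Only the name is inspected, judged against a notional extraction
    directory (the default is a hypothetical path, not from the article).
    """
    tags = set()
    norm = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(norm)
    # Archive entries should be relative; a rooted or drive-letter path is a red flag
    if drive or rest.startswith("\\"):
        tags.add("absolute")
    # A colon outside the drive prefix names an NTFS alternate data stream
    if ":" in rest:
        tags.add("ads")
    # Any ".." component means the entry tries to climb out of the extraction directory
    if ".." in rest.split("\\"):
        tags.add("traversal")
    # Resolve where the file would land; ntpath applies Windows semantics on any host
    target = ntpath.normpath(ntpath.join(extract_dir, norm)).lower()
    if STARTUP_DIR in target:
        tags.add("startup-folder")
    # Shortcut payloads, whether as the entry itself or as the stream name
    if norm.lower().endswith(".lnk"):
        tags.add("lnk")
    return tags


def scan(entries):
    """Map each flagged entry name to its sorted tags; clean entries are omitted."""
    report = {}
    for entry in entries:
        tags = classify_entry(entry)
        if tags:
            report[entry] = sorted(tags)
    return report


# Constructed entry names modelled on the behaviour described above; not real indicators
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "invoice.pdf:payload.lnk",
]

if __name__ == "__main__":
    for entry, tags in scan(SAMPLE_ENTRIES).items():
        print(f"{entry} -> {', '.join(tags)}")
```

Feed it the entry list from whatever archive-listing tool you already use; any entry tagged traversal, ads or startup-folder is worth quarantining before a user opens the archive.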


Article by CyberSIXT