www.securityweek.com 1/28/2026, 9:45:24 AM

APTs, Cybercriminals Widely Exploiting WinRAR Vulnerability

CyberSIXT Evidence Panel
CISA KEV: listed in KEV
Patch: patch available

SECURITYWEEK reports that CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR for Windows, has been widely exploited by multiple state-sponsored actors and cybercrime groups over the past six months. The flaw lets a crafted archive write files outside the directory the user chose for extraction, which can lead to arbitrary code execution. It was patched on 30 July 2025 after being exploited as a zero-day in the wild by the Russia-linked RomCom group (also tracked as Storm-0978, Tropical Scorpius and UNC2596).

According to Google Threat Intelligence Group (GTIG), the attacks hide malicious files in Alternate Data Streams (ADS) attached to a decoy file inside the archive; because the stream names carry traversal sequences, extraction drops the payloads at attacker-chosen locations from which they execute at the next user logon. GTIG notes that government, military and technology entities in Ukraine were targeted by Russia- and China-linked APTs, with the most recent observed attacks in January 2026, and that a Chinese state-sponsored APT has also deployed PoisonIvy using the flaw.
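A triage check for the technique described above, added here as an example (it is not code from SecurityWeek, GTIG or CyberSIXT): given the entry names listed from an archive (for instance by `7z l -slt` or the Python `rarfile` module; obtaining the listing is left to the caller), it separates NTFS alternate-data-stream names from their base file, flags streams whose names contain `..` traversal segments, and calls out those aimed at the per-user Startup folder, the autorun location implied by "execute on user login". The sample entry names are constructed for illustration and are not taken from any real malicious archive.

```python
import re

# Constructed sample listing: one decoy PDF carrying a benign Zone.Identifier
# stream and a malicious traversal stream, plus a second traversal stream on
# another decoy. Not real IOCs.
SAMPLE_ENTRIES = [
    "CV_candidate.pdf",
    r"CV_candidate.pdf:..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\Updater.lnk",
    "CV_candidate.pdf:Zone.Identifier",
    r"images\photo.jpg",
    r"notes.txt:..\..\..\..\..\..\Users\Public\payload.exe",
]

# A ".." path segment bounded by separators or string ends, either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Per-user or all-users Startup folder, matched on the tail of the path.
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)


def split_ads(name):
    """Return (base, stream) if `name` denotes an NTFS alternate data stream.

    A colon at index 1 after a letter is a drive designator (C:\\...), not an
    ADS separator. A trailing ':$DATA' stream-type suffix is stripped.
    Returns None for a plain path.
    """
    idx = name.find(":")
    if idx <= 0:
        return None
    if idx == 1 and name[0].isalpha():
        return None
    base, stream = name[:idx], name[idx + 1:]
    if stream.lower().endswith(":$data"):
        stream = stream[: -len(":$data")]
    return base, stream


def assess_entry(name):
    """Classify one archive entry name.

    Returns a finding dict {"entry", "reason"} for traversal in the main path
    or inside an ADS name, or None when nothing looks wrong. A legitimate ADS
    such as Zone.Identifier is not flagged.
    """
    ads = split_ads(name)
    if ads is None:
        if TRAVERSAL.search(name):
            return {"entry": name, "reason": "path traversal in entry name"}
        return None
    _base, stream = ads
    if TRAVERSAL.search(stream):
        reason = "path traversal inside ADS name"
        if STARTUP_RE.search(stream):
            reason += " targeting Startup folder (runs at next logon)"
        return {"entry": name, "reason": reason}
    return None


def scan(names):
    """Run assess_entry over a listing and return only the findings."""
    return [f for f in (assess_entry(n) for n in names) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(f"{finding['reason']}: {finding['entry']}")
```

Run against a real listing, any hit on an ADS name with traversal is worth quarantining before extraction; the check is deliberately on names only, so it does not depend on parsing the RAR container itself.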

Exploitation by financially motivated groups has been global: campaigns have targeted users in Indonesia, the hospitality and travel sectors, and online banking customers in Latin America, distributing a range of malware families, while actors such as ‘zeroplayer’ have offered ready-to-use exploits for the flaw.


Article by CyberSIXT