Multiple threat actors, including nation-state and financially motivated groups, exploited a now-patched WinRAR flaw to gain initial access and deliver a range of payloads. According to Google Threat Intelligence Group (GTIG), the vulnerability CVE-2025-8088, a directory traversal bug fixed in version 7.13, was used in spear-phishing attacks to install RomCom backdoors and other malware.
Researchers from ESET reported that attackers could craft archives to place executables in Windows Startup folders, enabling remote code execution when users logged in. The article notes that government-backed actors linked to Russia and China, alongside criminals, continued to exploit this n-day even after the patch became available, with Russian-linked groups focusing on Ukraine and Chinese groups abusing the flaw to deploy tools such as POISONIVY.
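As an added illustration (not code from GTIG, ESET, or the WinRAR project), the following defender-side triage heuristic scans an archive's entry listing for the pattern described above: entries that escape the extraction directory and land an executable in a Windows Startup folder. The sample listing, the Startup-folder marker, and the extension list are constructed assumptions, and the check is a generic path-sanity screen rather than a reproduction of the WinRAR bug itself.

```python
# Folder fragment shared by the per-user and all-users Startup folders on
# Windows; compared case-insensitively after separator normalization.
STARTUP_MARKER = "start menu/programs/startup"

# Extensions that would run automatically if dropped into Startup (assumed list).
EXEC_SUFFIXES = (".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".scr", ".hta", ".ps1")


def normalize(name: str) -> str:
    """Fold backslashes to forward slashes and lower-case for comparison."""
    return name.replace("\\", "/").lower()


def entry_findings(name: str) -> list[str]:
    """Return the reasons one archive entry name looks unsafe (empty list = clean)."""
    n = normalize(name)
    parts = n.split("/")
    findings = []
    if ".." in parts:
        findings.append("parent-directory traversal")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        findings.append("absolute or drive-rooted path")
    if STARTUP_MARKER in n:
        findings.append("targets a Windows Startup folder")
    # Only note the payload type when the path itself is already suspicious.
    if findings and n.endswith(EXEC_SUFFIXES):
        findings.append("executable payload")
    return findings


def scan_archive_listing(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for name in names:
        reasons = entry_findings(name)
        if reasons:
            report[name] = reasons
    return report


# Constructed sample listing (not taken from any real archive): a decoy document
# alongside entries that try to escape into a Startup folder.
SAMPLE_LISTING = [
    "invoice_2025.pdf",
    "images/logo.png",
    "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe",
    "docs\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.lnk",
    "C:\\Users\\Public\\notes.txt",
]

if __name__ == "__main__":
    for entry, reasons in scan_archive_listing(SAMPLE_LISTING).items():
        print(f"{entry}: {', '.join(reasons)}")
```

The entry names would normally come from a listing tool or archive library; any entry that resolves outside the extraction directory should be rejected before extraction, regardless of which folder it targets.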
Cybercriminals also used the flaw to distribute commodity RATs and phishing tools against various sectors, with activity extending into early 2026. The report highlights the exploit market surrounding CVE-2025-8088, where actors like zeroplayer advertised zero-days and related capabilities for sale, underscoring how widely adopted and durable such flaws remain.