Hackers Exploit WinRAR Vulnerability for Malicious Attacks
A critical vulnerability in the popular file compression software WinRAR, identified as CVE-2025-8088, is currently being exploited by various threat actors. This includes both state-sponsored groups and financially motivated cybercriminals who are using the flaw to gain initial access to systems and deliver malicious payloads. The vulnerability, categorized as a high-severity path traversal flaw, allows attackers to leverage Alternate Data Streams (ADS) to write harmful files to arbitrary locations on affected systems.
Research conducted by cybersecurity firm ESET uncovered this vulnerability, and reports indicate that exploitation began as early as July 18, 2025. In early August 2025, researchers revealed that the Russian-aligned group known as RomCom was utilizing this flaw in zero-day attacks. The Google Threat Intelligence Group (GTIG) has since confirmed that exploitation continues unabated, with both state-backed espionage actors and lower-tier cybercriminals targeting vulnerable systems.
According to the GTIG report, the exploit mechanism often conceals malicious files within the ADS of a decoy file inside an archive. While a user may see a seemingly harmless document, such as a PDF, within the archive, there are also hidden ADS entries. Some of these contain active payloads, while others are mere dummy data. Once the user opens the file, WinRAR extracts the ADS payload through directory traversal, which can lead to the creation of various types of files, including LNK, HTA, BAT, CMD, or other scripts that execute upon user login.
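The mechanism above (an ADS suffix on a decoy entry whose stream name climbs out of the extraction directory) can be triaged from an archive listing before anything is extracted. The following is an added example, not ESET's, GTIG's or WinRAR's code; it assumes you already have the entry names as strings (for example from a RAR listing tool) and works on a constructed sample listing rather than a real archive.

```python
import re

# ".." as a whole path component, with either separator, anywhere in the name
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# File types the article names as dropped payloads, plus common script types
SCRIPT_EXT = (".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def split_ads(name: str):
    """Return (file_path, stream_name); stream_name is None without an ADS suffix.
    A colon at index 1 is a drive letter (C:\\...), not a stream separator."""
    start = 2 if len(name) > 1 and name[1] == ":" else 0
    idx = name.find(":", start)
    return (name, None) if idx == -1 else (name[:idx], name[idx + 1:])


def is_absolute(path: str) -> bool:
    return path.startswith(("\\", "/")) or (len(path) > 1 and path[1] == ":")


def classify(name: str) -> str:
    """Verdicts: 'ads-traversal' (stream escapes the target directory, the pattern
    described for CVE-2025-8088), 'traversal' (plain '..' or absolute file name),
    'ads-script' (ADS that looks like a script), 'ads' (benign-looking ADS), 'ok'."""
    path, stream = split_ads(name)
    if stream is not None and (TRAVERSAL.search(stream) or is_absolute(stream)):
        return "ads-traversal"
    if TRAVERSAL.search(path) or is_absolute(path):
        return "traversal"
    if stream is not None:
        return "ads-script" if stream.lower().endswith(SCRIPT_EXT) else "ads"
    return "ok"


def triage(entries):
    """Map every entry that is not plain 'ok' to its verdict."""
    return {e: classify(e) for e in entries if classify(e) != "ok"}


# Constructed sample listing (hypothetical names, not taken from a real archive)
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",                              # the visible decoy
    "Invoice_2025.pdf:Zone.Identifier",              # ordinary mark-of-the-web ADS
    "Invoice_2025.pdf:..\\..\\..\\..\\dropped.lnk",  # ADS stream that climbs out
    "Invoice_2025.pdf:..\\..\\padding.dat",          # dummy-data stream, same trick
    "../../dropped.bat",                             # classic traversal, no ADS
]

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_ENTRIES).items():
        print(f"{verdict:14} {entry}")
```

Any 'ads-traversal' or 'traversal' verdict is reason to quarantine the archive rather than extract it, regardless of whether the stream turns out to be a live payload or padding.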
In addition to state-sponsored actors, the report indicates that financially motivated individuals are also capitalizing on this flaw to distribute commodity remote access tools and information stealers. Notable examples include XWorm and AsyncRAT, along with Telegram bot-controlled backdoors and malicious banking extensions for the Chrome browser. Many of these threat actors are believed to have acquired effective exploits from specialized suppliers. One such supplier, known by the alias “zeroplayer,” advertised a WinRAR exploit in July 2025. This individual has also marketed multiple high-value exploits, including alleged zero-days for Microsoft Office and corporate VPN vulnerabilities, with prices ranging from $80,000 to $300,000.
Google has noted a broader trend toward the commoditization of exploit development. This reduces the complexity and friction for attackers and lets them target unpatched systems quickly. Such developments highlight the ongoing challenges in cybersecurity and the need for robust defenses against emerging threats. As these vulnerabilities continue to be exploited, both users and organizations are urged to remain vigilant and apply security updates promptly.