Google’s Threat Intelligence Group (GTIG) reports that CVE-2025-8088, a critical WinRAR vulnerability patched in July 2025, continues to be heavily exploited by nation-state actors and cybercriminals through January 2026. The flaw’s combination of trivial exploitation and WinRAR’s lack of automatic updates makes it an enduring threat.
Vulnerability overview
| Field | Value |
|---|---|
| CVE | CVE-2025-8088 |
| CVSS | 8.8 (High) |
| Type | Path Traversal via Alternate Data Streams |
| Affected Versions | WinRAR 7.12 and earlier |
| Fixed Version | WinRAR 7.13 (July 30, 2025) |
| Related CVE | CVE-2025-6218 (similar flaw, disclosed June 19, 2025) |
| Zero-day exploitation | Confirmed before public disclosure |
Exploitation timeline
| Date | Event |
|---|---|
| June 2025 | “zeroplayer” advertises WinRAR zero-day for $80,000 on criminal forum |
| June 19, 2025 | CVE-2025-6218 (similar path traversal) disclosed |
| July 30, 2025 | RARLAB releases WinRAR 7.13 with fixes for both CVEs |
| August 2025 | RomCom observed exploiting as zero-day before patch |
| October 2025 | APT44 campaigns targeting Ukrainian military |
| January 2026 | GTIG publishes comprehensive exploitation report |
| February 2026 | Multiple threat actor groups still actively exploiting |
How it works
CVE-2025-8088 abuses Windows Alternate Data Streams (ADS), an NTFS feature that lets a single file carry multiple named data streams. Attackers craft malicious RAR archives that:
- Display a benign decoy file (typically a PDF) to the user
- Silently write malware to arbitrary locations via path traversal
- Target the Windows Startup folder for automatic persistence
Technical mechanism
| Phase | Action |
|---|---|
| 1 | Victim receives RAR archive with decoy document |
| 2 | Archive contains hidden ADS entries with malicious payload |
| 3 | Path traversal sequence escapes extraction directory |
| 4 | Malicious LNK/HTA/BAT file dropped to Startup folder |
| 5 | Windows executes malware on next login |
Example path traversal:
../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk
When the victim extracts the archive and opens what appears to be a harmless document, the malware has at the same time been written into the Startup folder. At the next login, Windows runs it automatically.
Why ADS is effective
| Factor | Impact |
|---|---|
| Hidden from Explorer | ADS content not visible in standard file listings |
| Legitimate feature | Security tools may not flag ADS usage |
| Decoy distraction | User focuses on visible document, not hidden payload |
| Silent persistence | No visible installation or user prompt |
Threat actors exploiting CVE-2025-8088
Russian-nexus APTs
| Actor | Also Known As | Targets | Payload | Status |
|---|---|---|---|---|
| APT44 | Sandworm, FROZENBARENTS | Ukrainian military | LNK files downloading additional malware | Active into 2026 |
| Turla | Snake, Waterbug, SUMMIT | Ukrainian defense entities | STOCKSTAY malware suite | Active |
| TEMP.Armageddon | Gamaredon, CARPATHIAN | Ukrainian government | HTA downloaders in Startup folders | Ongoing into 2026 |
| RomCom | — | European organizations | NESTPACKER loader | Zero-day exploitation pre-patch |
APT44 drops decoy files with Ukrainian filenames alongside malicious LNK files that download additional payloads. Turla campaigns use lures related to Ukrainian military activities and drone deployments.
Chinese APT
An unnamed PRC-based group exploits CVE-2025-8088 to deliver PoisonIvy, a well-known Remote Access Trojan:
| Phase | Action |
|---|---|
| 1 | Victim opens malicious RAR archive |
| 2 | BAT file dropped into Startup folder via ADS path traversal |
| 3 | BAT file downloads malware dropper on next boot |
| 4 | PoisonIvy RAT installed for persistent access |
Cybercrime groups
Financially motivated actors are exploiting the vulnerability globally:
| Region | Target | Payload |
|---|---|---|
| Indonesia | Various sectors | Commodity RATs |
| Latin America | Hospitality and travel organizations | XWorm, AsyncRAT |
| Brazil | Online banking users | Banking trojans |
| Global | General targets | Various commodity malware |
Exploit market activity
Before the vulnerability was publicly known, a criminal using the handle “zeroplayer” advertised a working WinRAR zero-day exploit for $80,000 on a cybercrime forum in June 2025.
Zeroplayer’s exploit offerings
| Exploit | Price | Date |
|---|---|---|
| WinRAR zero-day (CVE-2025-8088) | $80,000 | June 2025 |
| Microsoft Office RCE zero-day | $300,000 | November 2025 |
| Windows local privilege escalation zero-day | $100,000 | Recent |
The existence of a pre-patch market for this exploit confirms it was being used in targeted attacks before RARLAB released the fix. The continued availability of high-priced exploits from this seller indicates an established customer base.
Why exploitation persists
WinRAR lacks automatic updates. Users must manually download and install new versions. This creates a persistent population of vulnerable installations:
| Factor | Impact |
|---|---|
| No auto-update mechanism | Users must manually check and install |
| Application continues working | No functional indicator of vulnerability |
| Enterprise deployment lag | IT departments slow to push updates |
| User unawareness | Many don’t know updates exist |
| Seven months post-patch | Vast numbers remain exposed |
Patch adoption challenge
| Timeframe | Estimated vulnerable population |
|---|---|
| Patch day (July 30, 2025) | ~100% of installations |
| 3 months post-patch | Majority still vulnerable |
| 7 months post-patch (February 2026) | Significant vulnerable population remains |
Indicators of compromise
File-based indicators
| Indicator | Description |
|---|---|
| RAR files with ../ sequences | Path traversal in archive |
| ADS content in extracted files | Hidden payload delivery |
| New files in Startup folder | Persistence mechanism |
| LNK, HTA, BAT files after extraction | Common payload types |
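The following script is an added example, not code from GTIG or from the original page. It shows the pre-extraction check implied by the attack chain above and by the "RAR files with ../ sequences" and "ADS content" indicators: given the entry names listed from an archive, it flags names that climb out of the extraction directory, name an absolute location, or carry an NTFS stream suffix. It assumes the caller has already listed the entry names (and any stream names from the archive's service records) with a RAR library of their choice, and that a stream is named in the usual `file:stream` form; the sample entry list is constructed and modelled on the path shown above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# RAR entry names may use either separator; names are assumed to arrive as str
_SEP = re.compile(r"[\\/]+")
_DRIVE = re.compile(r"^[A-Za-z]:")


@dataclass
class EntryVerdict:
    name: str
    traversal: bool = False   # '..' climbs above the extraction directory
    absolute: bool = False    # drive letter or leading separator ignores the extraction directory
    ads: bool = False         # 'file:stream' form names an NTFS alternate data stream

    @property
    def suspicious(self) -> bool:
        return self.traversal or self.absolute or self.ads


def check_entry(name: str) -> EntryVerdict:
    """Classify one archive entry name without touching the file system."""
    verdict = EntryVerdict(name)
    if name[:1] in ("\\", "/") or _DRIVE.match(name):
        verdict.absolute = True
    # After a drive prefix is stripped, a colon can only be a stream separator on NTFS
    if ":" in _DRIVE.sub("", name, count=1):
        verdict.ads = True
    depth = 0
    for part in _SEP.split(name):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:          # climbed above the extraction root at least once
                verdict.traversal = True
        else:
            depth += 1
    return verdict


def scan_entries(names: Iterable[str]) -> List[EntryVerdict]:
    """Return the verdicts for every entry that should block extraction of the archive."""
    return [v for v in map(check_entry, names) if v.suspicious]


# Constructed entry list modelled on the attack chain described above, not a real archive
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "docs/../notes.txt",                      # '..' that never leaves the root: allowed
    "../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk",
    "Invoice_2025.pdf:payload.hta",           # stream hidden behind the decoy document
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.bat",
]

if __name__ == "__main__":
    for v in scan_entries(SAMPLE_ENTRIES):
        flags = [f for f in ("traversal", "absolute", "ads") if getattr(v, f)]
        print(f"BLOCK {v.name!r}: {', '.join(flags)}")
```

The depth counter, rather than a joined-and-normalised path, is deliberate: normalising `C:\root\..\..\..\x` collapses the surplus `..` at the drive root and can hide exactly the climb the archive relies on, whereas counting components reports the first step above the root regardless of where the extraction directory sits.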
Behavioral indicators
| Indicator | Detection method |
|---|---|
| Archive extraction followed by Startup folder write | File system monitoring |
| Script execution from Startup folder after document open | Process monitoring |
| Outbound connections following archive extraction | Network monitoring |
| New scheduled tasks or registry persistence | Persistence monitoring |
Mitigation
| Priority | Action |
|---|---|
| Critical | Upgrade WinRAR to 7.13 or later from rarlab.com |
| Critical | The 7.13 update also fixes CVE-2025-6218 |
| High | Audit systems for IOCs listed above |
| High | Review Startup folder contents across fleet |
Defense in depth
| Control | Purpose |
|---|---|
| Application allowlisting | Prevent execution from Startup folder |
| Startup folder monitoring | Detect new LNK, HTA, BAT, script files |
| ADS restrictions via Group Policy | Reduce ADS abuse potential |
| EDR/XDR | Detect path traversal and persistence patterns |
| Email attachment scanning | Block malicious RAR archives at gateway |
Enterprise deployment considerations
| Consideration | Recommendation |
|---|---|
| Manual update burden | Consider automated deployment tools |
| Version tracking | Inventory WinRAR versions across organization |
| Alternative archivers | Evaluate 7-Zip or native Windows extraction |
| Policy enforcement | Block execution of scripts from Startup folders |
Detection guidance
| Detection rule | Purpose |
|---|---|
| RAR extraction with ADS writes | Catch payload delivery |
| New executables in Startup folder | Detect persistence |
| LNK file creation after Office/archive open | Identify attack chain |
| Path traversal sequences in archives | Block before extraction |
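As an added example (not detection content from GTIG or the page), the script below implements the behavioral indicators and the "New executables in Startup folder" rule above as a correlation over endpoint telemetry: a shortcut or script created in a Startup folder is rated high when the writing process is the archiver itself, and medium when any process writes it within a short window after an archiver started on the same host. The pipe-separated log format, the host names and the event lines are constructed for the example; real EDR field names will differ. The extension list extends the page's LNK/HTA/BAT with a few other script types that Startup launches.

```python
import ntpath
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical telemetry: time | host | event | starting/writing image | target path.
# Constructed for this example; not real EDR output.
SAMPLE_LOG = r"""
2026-02-03T09:14:02Z|WS-0173|ProcessCreate|C:\Program Files\WinRAR\WinRAR.exe|C:\Users\alice\Downloads\invoice.rar
2026-02-03T09:14:03Z|WS-0173|FileCreate|C:\Program Files\WinRAR\WinRAR.exe|C:\Users\alice\Downloads\invoice\Invoice_2025.pdf
2026-02-03T09:14:03Z|WS-0173|FileCreate|C:\Program Files\WinRAR\WinRAR.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
2026-02-03T09:30:11Z|WS-0042|FileCreate|C:\Windows\explorer.exe|C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk
2026-02-03T10:02:45Z|WS-0042|ProcessCreate|C:\Program Files\WinRAR\WinRAR.exe|C:\Users\bob\Downloads\photos.rar
2026-02-03T10:02:46Z|WS-0042|FileCreate|C:\Program Files\WinRAR\WinRAR.exe|C:\Users\bob\Downloads\photos\img1.jpg
2026-02-03T10:03:10Z|WS-0042|FileCreate|C:\Windows\System32\cmd.exe|C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat
"""

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
ARCHIVER_RE = re.compile(r"\\(winrar|unrar)\.exe$", re.IGNORECASE)
# Page lists LNK/HTA/BAT; CMD/VBS/PS1 added here as other script types Startup will launch
PAYLOAD_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".ps1"}


def parse_events(text: str) -> List[Dict]:
    """Parse the pipe-separated lines into dicts, ordered by time (stable for same-second lines)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event, image, path = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "event": event, "image": image, "path": path,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_startup_drops(events: List[Dict], window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag script/shortcut files landing in a Startup folder during or right after archive extraction."""
    alerts = []
    last_archiver: Dict[str, datetime] = {}   # host -> most recent archiver process start
    for e in events:
        if e["event"] == "ProcessCreate" and ARCHIVER_RE.search(e["image"]):
            last_archiver[e["host"]] = e["time"]
            continue
        if e["event"] != "FileCreate" or not STARTUP_RE.search(e["path"]):
            continue
        if ntpath.splitext(e["path"])[1].lower() not in PAYLOAD_EXT:
            continue
        if ARCHIVER_RE.search(e["image"]):
            severity, reason = "high", "archiver process wrote directly into a Startup folder"
        else:
            started = last_archiver.get(e["host"])
            if started is None or e["time"] - started > window:
                continue   # e.g. Explorer creating an ordinary shortcut with no extraction nearby
            severity, reason = "medium", f"Startup write within {int(window.total_seconds())}s of archive extraction"
        alerts.append({"time": e["time"].isoformat(), "host": e["host"], "path": e["path"],
                       "image": e["image"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_startup_drops(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['host']} {a['time']} {a['image']} -> {a['path']} ({a['reason']})")
```

On the constructed input the WinRAR write of `update.lnk` on WS-0173 is rated high, the `run.bat` written by cmd.exe 25 seconds after an extraction on WS-0042 is rated medium, and the `Teams.lnk` created by Explorer with no extraction in the preceding minute produces nothing. The medium rule exists because the HTA and BAT variants in the actor table above are launched by whatever the Startup entry points at, so the process that finally writes the persistence file is not always the archiver.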
Recommendations
For security teams
| Priority | Action |
|---|---|
| Critical | Push WinRAR 7.13+ to all managed systems |
| High | Monitor for Startup folder modifications |
| High | Block ADS usage where not business-required |
| Medium | Consider removing WinRAR in favor of built-in extraction |
| Ongoing | Track threat intelligence on CVE-2025-8088 campaigns |
For end users
| Priority | Action |
|---|---|
| Critical | Update WinRAR to latest version manually |
| High | Be suspicious of unexpected archive attachments |
| High | Avoid opening archives from unknown senders |
| Medium | Consider alternative archive tools with auto-update |
Context
CVE-2025-8088 demonstrates how a single vulnerability in widely-deployed software becomes a shared resource for diverse threat actors. Nation-states use it for espionage, cybercriminals use it for financial theft, and both benefit from the patching gap created by manual update requirements.
The vulnerability chain—ADS abuse, path traversal, Startup folder persistence—is elegant in its simplicity and devastating in its effectiveness. Seven months after the patch, exploitation continues unabated.
Organizations should treat WinRAR updates with the same urgency as operating system patches—and consider whether WinRAR’s update model is acceptable for enterprise deployment. The lack of automatic updates in 2026 is a significant security liability.