The Persistence of WinRAR: Google Warns of Widespread CVE-2025-8088 Attacks
The Google Threat Intelligence Group (GTIG) has disclosed the extensive exploitation of a critical vulnerability, designated CVE-2025-8088, residing within the ubiquitous WinRAR archiving utility. Although the defect was remediated in the summer of 2025, adversaries persist in weaponizing it globally, integrating the flaw into both financially motivated incursions and state-sponsored espionage operations.
The crux of the issue is a path traversal flaw that lets an attacker write files into arbitrary Windows directories, most notably the Startup folder, by means of a specially crafted RAR archive. The technique abuses NTFS Alternate Data Streams (ADS) to hide a malicious payload behind a seemingly benign document such as a PDF. Upon the simple act of opening the archive, the hidden object is silently written to a system directory, so that it runs automatically at the user's next login and gives the attacker persistent access to the host.
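The mechanism described above can be checked for before an archive is extracted. The following Python script is an added example, not code from the GTIG report or from RARLAB: it takes the entry names listed from a RAR archive (for instance from `RarFile.namelist()` in the third-party `rarfile` package, or from `rar lt` output, both of which are assumptions about how a reader obtains the listing) and flags names that use path traversal, absolute paths, ADS `file:stream` syntax, or that resolve into a Windows Startup folder. The sample entry names at the bottom are constructed for illustration and are not indicators from the report.

```python
"""Defensive triage of RAR entry names for the CVE-2025-8088 pattern.

Added example, not from the GTIG report or RARLAB. Feed it the entry names
listed from an archive and block extraction of anything it flags.
"""
import ntpath

# Lower-cased fragment shared by the per-user (%APPDATA%) and all-users
# (%ProgramData%) Startup folders; files placed there run at next logon.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup"


def _normalize(name: str) -> str:
    """RAR entries may use either separator; use backslash throughout."""
    return name.replace("/", "\\")


def has_traversal(name: str) -> bool:
    """True if any path component is '..' (escapes the extraction directory)."""
    return any(part == ".." for part in _normalize(name).split("\\"))


def is_absolute(name: str) -> bool:
    """True for rooted names such as '\\foo' or 'C:\\foo'."""
    drive, rest = ntpath.splitdrive(_normalize(name))
    return bool(drive) or rest.startswith("\\")


def has_ads(name: str) -> bool:
    """True if a colon remains after removing a drive prefix: 'file:stream' syntax."""
    _drive, rest = ntpath.splitdrive(_normalize(name))
    return ":" in rest


def targets_startup(name: str) -> bool:
    """True if the name resolves into a Startup folder."""
    return STARTUP_MARKER in _normalize(name).lower()


def triage(names):
    """Return {entry_name: [reasons]} for every entry that should block extraction."""
    flagged = {}
    for name in names:
        reasons = []
        if has_traversal(name):
            reasons.append("path traversal ('..')")
        if is_absolute(name):
            reasons.append("absolute path")
        if has_ads(name):
            reasons.append("alternate data stream syntax")
        if targets_startup(name):
            reasons.append("resolves into a Startup folder")
        if has_ads(name) and has_traversal(name):
            reasons.append("ADS plus traversal: CVE-2025-8088 exploitation pattern")
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample listing (not real indicators): benign entries next to
# entry names shaped like the abuse the article describes.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "images/chart.png",
    "invoice.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\invoice.lnk",
    "..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\run.cmd",
    "C:\\Users\\Public\\tool.exe",
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"BLOCK {entry!r}: {', '.join(reasons)}")
```

The checks are deliberately independent, so a mail gateway or endpoint agent can decide per reason; the ADS-plus-traversal combination is the one that matches the CVE-2025-8088 pattern specifically, while a bare `..` component or an absolute path is reason enough to refuse extraction regardless of the WinRAR version installed.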
Forensic telemetry from GTIG indicates that exploitation of CVE-2025-8088 commenced as early as July 18, 2025. While RARLAB disseminated a patch on July 30 with the release of WinRAR version 7.13, the sluggish cadence of software updates among users and enterprises has rendered this vulnerability a perennial favorite for widespread offensives.
These campaigns typically manifest as phishing dispatches, utilizing archives containing geopolitical lures alongside malicious shortcuts, scripts, and HTA files designed to retrieve auxiliary components. Such operations have been observed deploying malware families like NESTPACKER and STOCKSTAY, in addition to various reconnaissance and remote administration tools.
The vulnerability is being exploited by a diverse array of actors, ranging from state-aligned syndicates to private mercenary hackers. Documented incursions have targeted organizations in Indonesia, Latin America, and Brazil, where WinRAR serves as a conduit for Remote Access Trojans (RATs), infostealers, backdoors, and even deleterious Chrome extensions engineered to inject phishing scripts into financial portals.
A significant portion of the GTIG report highlights the flourishing underground exploit market. Analysts have identified a prominent actor operating under the pseudonym zeroplayer, who, since 2025, has been purveying high-value exploits for Microsoft Office, Windows, VPN solutions, and security frameworks. Such commercialization accelerates the industrialization of cyberattacks, lowering the barrier to entry for disparate criminal collectives.
Google emphasizes that the enduring threat of CVE-2025-8088 serves as a poignant testament to the lethality of “n-day” vulnerabilities once they are absorbed into the criminal ecosystem. Even following the availability of official remedies, these flaws remain viable vectors for initial systemic penetration for years to come.