WinRAR flaw used against Ukraine now fueling global cybercrime, Google warns


Google Threat Intelligence warns that a critical flaw in the widely used file-compression tool WinRAR is being actively exploited by Russia- and China-linked state hackers, with cybercriminal groups rapidly adopting the same techniques for financially motivated attacks.

The vulnerability – tracked as CVE-2025-8088 – was first observed in campaigns linked to Russia-nexus operations targeting Ukraine. Attackers used weaponized RAR files in phishing emails to gain initial access to government and military systems.


Since then, Google reports that the exploit has spread well beyond cyber espionage and is being used in ransomware delivery, credential theft, and remote-access malware campaigns.

The flaw is described as an “n-day” vulnerability, meaning it is publicly known and patched, but still widely exploitable because many users have not updated their software.

“Government-backed threat actors linked to Russia and China, as well as financially motivated threat actors, continue to exploit this n-day across disparate operations.” – Google Threat Intelligence

WinRAR is a popular Windows application used to open and create compressed files, such as RAR and ZIP archives. Because it is so widely installed and often left unpatched for years, it presents an attractive target for attackers.

At the core of CVE-2025-8088 is what the report calls a “path traversal vulnerability,” a type of bug that allows attackers to place files outside their intended extraction folder.

In this case, adversaries abuse a Windows file-system feature called Alternate Data Streams (ADS) to hide malicious files inside seemingly harmless documents.

When a victim opens a malicious archive, WinRAR can be tricked into writing a malicious file directly into the Windows Startup folder, ensuring it runs automatically when the user logs in.

Pictured: WinRAR files — N-day flaw in commonly used compression tool is now being widely exploited. Shutterstock.

Google says both state-backed hackers and cybercrime gangs are exploiting the flaw, using the same delivery method but different malware.

Russia-linked groups such as UNC4895 (RomCom), APT44, TEMP.Armageddon, and Turla used weaponized RAR files to target Ukraine with tools including Snipbot, HTA-backed downloaders, and STOCKSTAY, while a China-nexus actor deployed the POISONIVY backdoor.

Financially motivated groups quickly followed, spreading AsyncRAT, XWorm, and banking malware globally.

Google has published Indicators of Compromise (IoCs) to help security teams detect related activity.

The flaw was patched by RARLAB, the company that develops WinRAR, in WinRAR version 7.13, released in July 2025.

However, Google warns that the vulnerability has been the gift that just keeps on giving for attackers, as they benefit from slow patch adoption.

“After a vulnerability has been patched, malicious threat actors will continue to rely on n-days and use slow patching rates to their advantage,” the report said.

Google's Threat Intelligence Group (GTIG) urges organisations and individuals to apply updates immediately and to monitor for suspicious files appearing in Startup folders – a consistent sign of post-exploitation activity.
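The mechanism described earlier (an archive entry whose ADS name carries `..\` traversal so that the file lands in a Startup folder) and the Startup-folder monitoring GTIG recommends can both be turned into a check that runs before extraction. The Python below is an added example written for this article, not code from Google, RARLAB or the article's author; it inspects only archive entry names (taken from whatever archive library you already use), the sample entry list is constructed, and the finding labels are assumptions of this example.

```python
import ntpath
import re

# Constructed sample entry names (not from any real archive); the fourth has the ADS-plus-traversal shape the article describes.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "images/logo.png",
    "invoice.pdf:Zone.Identifier",
    "invoice.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\tools\\update.exe",
]
STARTUP_MARKER = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)

def split_ads(name: str) -> tuple[str, str]:
    """Split 'file:stream' into (file, stream); a drive letter ('C:\\') is not a stream."""
    start = 2 if re.match(r"[A-Za-z]:[\\/]", name) else 0
    idx = name.find(":", start)
    return (name, "") if idx == -1 else (name[:idx], name[idx + 1:])

def escapes_extract_dir(path: str) -> bool:
    """True if the path is absolute or its '..' segments climb out of the extraction root."""
    p = path.replace("/", "\\")
    if ntpath.isabs(p) or ntpath.splitdrive(p)[0]:
        return True
    norm = ntpath.normpath("root\\" + p)  # normpath resolves the '..' segments
    return norm != "root" and not norm.startswith("root\\")

def triage_entry(name: str) -> list[str]:
    """Return sorted findings for one entry name; an empty list means nothing odd."""
    findings = set()
    base, stream = split_ads(name)
    if stream:
        findings.add("ads")  # entry would be written as an alternate data stream
        if escapes_extract_dir(stream):
            findings.add("ads-traversal")  # the stream name is itself a traversal path
        if STARTUP_MARKER.search(stream):
            findings.add("startup-target")  # would land in a Startup folder
    if escapes_extract_dir(base):
        findings.add("path-traversal")
    if STARTUP_MARKER.search(base):
        findings.add("startup-target")
    return sorted(findings)

def triage_archive(entries) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings; clean entries are left out."""
    return {n: f for n in entries if (f := triage_entry(n))}

if __name__ == "__main__":
    for name, findings in triage_archive(SAMPLE_ENTRIES).items():
        print(f"{', '.join(findings):30} {name}")
```

An entry flagged only as `ads` (for example a `Zone.Identifier` stream) is informational; `ads-traversal`, `path-traversal` or `startup-target` is reason to quarantine the archive rather than extract it.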

