Multiple groups exploit WinRAR CVE-2025-8088 using Alternate Data Streams since July 2025

In a technical analysis by Google Threat Intelligence Group, researchers say multiple state-backed and criminal groups have exploited the CVE-2025-8088 WinRAR path traversal flaw since July 18, 2025 to gain initial access and deliver malicious payloads.

KEY FACTS

  • Vulnerability: CVE-2025-8088, a path traversal that uses Alternate Data Streams to write files to arbitrary locations
  • Observed since: July 18, 2025
  • Actors: state-backed espionage groups and lower-tier financially motivated criminals
  • Payloads: LNK, HTA, BAT, CMD and script files that can establish persistence

The exploit abuses Alternate Data Streams: a decoy file inside the RAR archive is shown as an ordinary document, while a hidden ADS entry attached to it carries the payload. Directory traversal during extraction lets that hidden payload be written to arbitrary locations on disk.
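The trait that makes these archives detectable is the entry name itself: a decoy file, a colon introducing a stream, and a stream name that walks upward with `..` toward a location such as a Startup folder. The following is an added defender-side example, not code from the article or from Google Threat Intelligence Group. It does not parse RAR headers; it assumes you feed it the entry names an archive-listing tool prints, and the sample listing, the extraction root and the extension list are constructed for illustration.

```python
"""Flag archive entry names that abuse Alternate Data Streams for path traversal.

Added defender-side example; not code from the article. Input is the list of
entry names an archive-listing tool prints (assumed). Each name is scored for
the traits the article describes: an ADS attached to a decoy file, '..'
components in the stream name, and a destination in a Startup folder or with
a script/shortcut extension.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A '..' component, with either separator, anywhere in the stream name.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?=[\\/]|$)")
# Tail shared by the per-user and all-users Startup folders.
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup(?:[\\/]|$)", re.IGNORECASE)
# Payload types named in the article plus other script hosts (assumed list).
RISKY_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".dll"}


@dataclass
class Finding:
    entry: str
    host_file: str
    stream: Optional[str]           # None when the entry carries no ADS
    resolved_target: Optional[str]  # where an extractor honouring the name would write
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'host:stream[:$DATA]' into (host, stream); (entry, None) if no ADS.

    A colon at index 1 after a letter and before a separator is a drive letter,
    not a stream separator.
    """
    idx = entry.find(":")
    if idx == 1 and entry[0].isalpha() and len(entry) > 2 and entry[2] in "\\/":
        idx = entry.find(":", 2)
    if idx == -1:
        return entry, None
    host, stream = entry[:idx], entry[idx + 1:]
    if stream.upper().endswith(":$DATA"):  # explicit stream-type suffix
        stream = stream[: -len(":$DATA")]
    return host, stream


def analyze_entry(entry: str, extract_root: str = r"C:\Users\user\Downloads") -> Finding:
    """Score one entry name. extract_root (constructed) only anchors the resolved path."""
    host, stream = split_ads(entry)
    finding = Finding(entry, host, stream, None)
    if stream is None:
        return finding
    # A genuine NTFS stream name never contains a path separator, so either a
    # separator or a '..' component means the name is steering the extractor.
    if "\\" in stream or "/" in stream:
        finding.reasons.append("stream name contains a path separator")
    if TRAVERSAL_RE.search(stream):
        finding.reasons.append("stream name contains a '..' component")
    # Resolve relative to the host file's directory under the extraction root.
    host_dir = ntpath.join(extract_root, ntpath.dirname(host))
    target = ntpath.normpath(ntpath.join(host_dir, stream))
    finding.resolved_target = target
    root = ntpath.normpath(extract_root)
    if not target.lower().startswith(root.lower() + "\\"):
        finding.reasons.append("resolved target escapes the extraction directory")
    if STARTUP_RE.search(target):
        finding.reasons.append("resolved target is a Startup folder")
    if ntpath.splitext(target)[1].lower() in RISKY_EXT:
        finding.reasons.append("resolved target has a script or shortcut extension")
    return finding


def scan_listing(entries: List[str]) -> List[Finding]:
    """Return only the findings worth a human look."""
    return [f for f in (analyze_entry(e) for e in entries) if f.suspicious]


# Constructed listing, not taken from any real archive: one benign document,
# one benign ADS (a Zone.Identifier mark), and one ADS whose name walks up
# into the per-user Startup folder and ends in an HTA.
SAMPLE_LISTING = [
    r"invoice\Q3_report.docx",
    r"invoice\Q3_report.docx:Zone.Identifier",
    r"invoice\Q3_report.docx:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta",
]

if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING):
        print(f.entry, "->", f.resolved_target)
        for r in f.reasons:
            print("   ", r)
```

The benign `Zone.Identifier` stream produces no reasons and is filtered out, which keeps the check quiet on archives that merely preserve mark-of-the-web data; any separator or `..` inside a stream name is enough to escalate, because real NTFS stream names never contain either.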

Threat actors observed using the exploit include UNC4895, APT44, TEMP.Armageddon, Turla and China-linked operators. Tactics include dropping HTA downloaders into Startup folders and using Ukrainian-language decoys for follow-on downloads.

Financially motivated groups have distributed commodity remote access tools and information stealers such as XWorm and AsyncRAT, Telegram-bot-controlled backdoors and malicious banking extensions for Chrome. Some actors obtained working exploits from specialized sellers, including an alias known as “zeroplayer” who advertised a WinRAR exploit and other high-value exploits for tens to hundreds of thousands of dollars.

Exploitation has continued into 2026 and can yield access that persists across reboots when payloads are placed in Startup folders. Patching WinRAR, monitoring for unusual ADS activity and inspecting Startup folder changes reduce exposure.
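For the Startup folder check, a quick triage that lists shortcut and script files in the per-user and all-users Startup folders and marks the ones written recently is usually enough to surface a freshly planted HTA or LNK. This is an added example, not code from the article; the Startup folder locations are derived from the `APPDATA` and `ProgramData` environment variables (assumed present on Windows), and the sample folder it builds is constructed so the logic can be exercised on any platform.

```python
"""Triage Startup folders for freshly planted shortcut or script payloads.

Added example for the mitigation the article names (inspecting Startup folder
changes); not code from the article. Cross-platform so it can be run anywhere;
on Windows the two standard Startup locations come from APPDATA and
ProgramData (assumed present).
"""
import os
import tempfile
import time
from typing import Dict, List

STARTUP_TAIL = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
# Payload types named in the article plus other script hosts (assumed list).
RISKY_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".dll"}


def default_startup_folders() -> List[str]:
    """Per-user and all-users Startup folders on Windows; empty list elsewhere."""
    folders = []
    for base in (os.environ.get("APPDATA"), os.environ.get("ProgramData")):
        if base:
            folders.append(os.path.join(base, STARTUP_TAIL))
    return folders


def triage_startup_folder(folder: str, max_age_hours: float = 24.0) -> List[Dict]:
    """Report every file with a risky extension, newest first; mark the recent ones."""
    now = time.time()
    report = []
    with os.scandir(folder) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            ext = os.path.splitext(entry.name)[1].lower()
            if ext not in RISKY_EXT:
                continue
            st = entry.stat(follow_symlinks=False)
            age_h = (now - st.st_mtime) / 3600.0
            report.append({
                "name": entry.name,
                "age_hours": round(age_h, 2),
                "recent": age_h <= max_age_hours,
            })
    return sorted(report, key=lambda r: r["age_hours"])


def build_constructed_sample() -> str:
    """Create a throwaway folder mimicking a Startup directory (constructed data):
    a harmless desktop.ini, an HTA written an hour ago, and a 90-day-old LNK."""
    folder = tempfile.mkdtemp(prefix="startup_triage_")
    for name, age_hours in (("desktop.ini", 0), ("update.hta", 1), ("legacy.lnk", 24 * 90)):
        path = os.path.join(folder, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")  # content is irrelevant to the triage
        stamp = time.time() - age_hours * 3600
        os.utime(path, (stamp, stamp))
    return folder


if __name__ == "__main__":
    targets = default_startup_folders() or [build_constructed_sample()]
    for folder in targets:
        print(folder)
        for row in triage_startup_folder(folder):
            flag = "RECENT" if row["recent"] else "old"
            print(f"  {flag:6} {row['age_hours']:>9.2f}h  {row['name']}")
```

A modification time can be backdated by the actor, so treat the `recent` flag as a prioritisation aid rather than proof of innocence; on Windows the `ctime` field from `entry.stat()` is the creation time and is a useful second signal.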

WHY IT MATTERS

This flaw enables initial access and persistence without obvious file artifacts, increasing the risk to unpatched systems. Rapid adoption of working exploits by multiple actors raises the urgency of applying updates and monitoring for related indicators.