The Google Threat Intelligence Group (GTIG) has reported on the widespread exploitation of CVE-2025-8088, a critical path traversal vulnerability in WinRAR. Although a patch was released in July 2025, a diverse range of threat actors—including state-sponsored groups from Russia and China as well as financially motivated cybercriminals—continue to leverage this n-day vulnerability. The exploit typically utilizes Alternate Data Streams (ADS) to drop malicious payloads into the Windows Startup folder, facilitating persistent access to compromised systems.
Prominent actors such as APT44, Turla, and UNC4895 have been observed using this flaw to target Ukrainian military and government entities. Beyond espionage, financially motivated groups are using the vulnerability to deploy commodity RATs and stealers against targets in the hospitality and banking sectors globally. The article also highlights the underground exploit ecosystem, specifically naming suppliers like "zeroplayer" who commoditize the attack lifecycle by selling various high-priced exploits to the highest bidder.
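As an added defensive example (not part of the GTIG report), the check below inspects archive entry names, as an archive lister prints them, for the two traits the summary describes: a name that would resolve outside the extraction directory and a name that addresses an alternate data stream, with a further flag when the resolved target is a Startup folder. The extraction root and the sample listing are constructed for illustration; the traversal and ADS handling uses `ntpath`, so it runs on any platform.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed sample of archive entry names (hypothetical, not from any real sample).
SAMPLE_LISTING = [
    r"report\summary.docx",
    r"report\notes.txt:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\Public\tools.exe",
    r"C:\Windows\Temp\x.dll",
]

STARTUP_MARKER = r"\start menu\programs\startup"


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def _escapes(root, candidate):
    """Return the resolved path if `candidate` lands outside `root`, else None."""
    resolved = ntpath.normpath(ntpath.join(root, candidate))
    try:
        inside = ntpath.commonpath([root, resolved]) == root
    except ValueError:  # different drive letters: certainly outside the root
        inside = False
    return None if inside else resolved


def analyze_entry(entry, extract_root):
    root = ntpath.normpath(extract_root)
    finding = Finding(entry)
    # A ':' in a relative archive entry is either a drive letter or an ADS name;
    # neither belongs in a benign entry. Each piece is resolved on its own
    # because a stream name can itself carry path separators and '..' segments.
    pieces = entry.split(":")
    if len(pieces) > 1:
        finding.reasons.append("entry contains ':' (drive letter or alternate data stream)")
    for piece in pieces:
        if not piece:
            continue
        out = _escapes(root, piece)
        if out is not None:
            finding.reasons.append(f"resolves outside extraction root: {out}")
            if STARTUP_MARKER in out.lower():
                finding.reasons.append("target is a Startup folder (persistence location)")
    return finding


def scan_listing(entries, extract_root):
    """Return only the entries that produced at least one finding."""
    return [f for f in (analyze_entry(e, extract_root) for e in entries) if f.reasons]
```

Run `scan_listing` over the output of an archive listing tool before extraction; an empty result means every entry stays inside the chosen directory and names no stream.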