
Mark0

Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088

The Google Threat Intelligence Group (GTIG) has identified widespread exploitation of CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR. Exploitation leverages Alternate Data Streams (ADS) so that extracting an archive writes attacker-supplied files—such as LNK, BAT, or HTA scripts—directly into the Windows Startup folder. Because anything in that folder runs at the next logon, this gives a reliable method for establishing initial access and maintaining persistence whenever a user opens a specially crafted archive.

A diverse range of threat actors, including Russian state-sponsored groups like APT44 and Turla, as well as Chinese-nexus and financially motivated criminals, are actively using this exploit. These campaigns target military, government, and commercial sectors globally, including operations in Ukraine, Brazil, and Indonesia. Security teams are urged to update WinRAR to version 7.13 or later and monitor for unauthorized file writes to startup directories to mitigate this ongoing threat.
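As an added example (not from the post or the GTIG report), the following Python shows one way to implement the monitoring recommended above: it parses constructed Sysmon-style FileCreate (Event ID 11) records, flags writes into either Windows Startup folder that come from WinRAR.exe or that create LNK, BAT or HTA files, and checks an installed WinRAR version against the fixed 7.13 release. The `key=value|key=value` log layout and the sample lines are assumptions made for the demonstration; the `Image` and `TargetFilename` field names are Sysmon's.

```python
"""Added example: detect Startup-folder writes matching the CVE-2025-8088
persistence pattern and check a WinRAR version against the 7.13 fix.
Not code from the post or from GTIG; the log layout is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-user and all-users Startup folders, matched case-insensitively.
STARTUP_PATTERNS = [
    re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
    re.compile(r"\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
]
# Payload types the report names as being dropped into Startup.
SUSPICIOUS_EXTENSIONS = {".lnk", ".bat", ".hta"}
# An archiver has no legitimate reason to write into Startup.
ARCHIVER_IMAGES = {"winrar.exe"}


@dataclass
class FileCreate:
    image: str   # creating process (Sysmon "Image")
    target: str  # path written (Sysmon "TargetFilename")


def parse_record(line: str) -> Optional[FileCreate]:
    """Parse one constructed 'key=value|key=value' line; keep only Event ID 11."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    if fields.get("EventID") != "11":
        return None
    return FileCreate(image=fields.get("Image", ""), target=fields.get("TargetFilename", ""))


def is_startup_write(path: str) -> bool:
    return any(p.search(path) for p in STARTUP_PATTERNS)


def classify(rec: FileCreate) -> Optional[str]:
    """Return an alert reason when the write fits the exploitation pattern."""
    if not is_startup_write(rec.target):
        return None
    base = rec.target.split("\\")[-1]
    # Drop any ADS suffix (name.ext:stream) before looking at the extension.
    name = base.split(":")[0]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    image_name = rec.image.split("\\")[-1].lower()
    if image_name in ARCHIVER_IMAGES:
        return f"archiver {image_name} wrote {base} into a Startup folder"
    if ext in SUSPICIOUS_EXTENSIONS:
        return f"{ext} file {base} created in a Startup folder by {image_name}"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (target_path, reason) for every record that should alert."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append((rec.target, reason))
    return alerts


def winrar_is_vulnerable(version: str, fixed: Tuple[int, int] = (7, 13)) -> bool:
    """True when a 'major.minor' WinRAR version string is older than 7.13."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < fixed


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk",
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\report.pdf",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\setup.bat",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt",
    r"EventID=1|Image=C:\Program Files\WinRAR\WinRAR.exe|CommandLine=WinRAR.exe x report.rar",
]

if __name__ == "__main__":
    for target, reason in scan(SAMPLE_LOG):
        print(f"ALERT: {reason}")
    print("WinRAR 7.12 vulnerable:", winrar_is_vulnerable("7.12"))
```

Run against the constructed log it raises two alerts: the WinRAR write of `report.lnk` and the `setup.bat` created in the all-users Startup folder; the plain `.txt` and the non-FileCreate record are ignored. In production the same `classify` logic can sit behind a Sysmon or EDR FileCreate feed, and the version check can be fed from the installed-programs inventory.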

