
Mark0


Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088

The Google Threat Intelligence Group (GTIG) has reported widespread exploitation of CVE-2025-8088, a path traversal vulnerability in WinRAR. A crafted archive carries Alternate Data Stream (ADS) entries whose stream names contain ..\ sequences; on extraction, WinRAR writes those streams to the traversed location instead of confining them to the chosen output directory, which lets the attacker drop a payload such as a .lnk or .bat file into the Windows Startup folder, where it runs at the next logon. A fix shipped in WinRAR 7.13 in July 2025, but WinRAR has no automatic update mechanism, so this n-day vulnerability continues to be exploited successfully against installations that were never upgraded.
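To make the mechanism concrete, here is an added example (not code from the GTIG report or from WinRAR) that models the flaw and its hardened counterpart for archive entry names. It assumes a simplified model in which the ADS name is concatenated onto the host file's directory without a confinement check; the entry names, the extraction root and the Startup-folder substring are constructed for illustration. The check can be run over any archive listing to flag entries that would escape the extraction directory or land in a Startup folder.

```python
import ntpath

# Case-folded substring shared by the per-user and the all-users Startup folder.
STARTUP_HINT = r"\microsoft\windows\start menu\programs\startup"


def split_entry(entry_name):
    """Split an archive entry name into (host_file, ads_name).

    Archive entry names are relative, so the first ':' can only be the NTFS
    Alternate Data Stream separator, never a drive letter.
    """
    host, sep, stream = entry_name.partition(":")
    return host, (stream if sep else None)


def resolve_unchecked(root, entry_name):
    """Path the flawed extraction logic (as modelled here) would write to.

    The ADS name is joined onto the host file's directory with no confinement
    check, so '..\\' sequences inside it climb out of the extraction root.
    Returns a normalised Windows path.
    """
    host, stream = split_entry(entry_name)
    if stream is None:
        return ntpath.normpath(ntpath.join(root, host))
    host_dir = ntpath.dirname(ntpath.join(root, host))
    return ntpath.normpath(ntpath.join(host_dir, stream))


def is_within(root, path):
    """True if path is root itself or lies underneath it (case-insensitive)."""
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    path_n = ntpath.normcase(ntpath.normpath(path))
    return path_n == root_n or path_n.startswith(root_n + "\\")


def check_entry(root, entry_name):
    """Hardened counterpart: decide whether an entry may be written, and where.

    Returns the target path, an 'allowed' flag, the reason, and whether the
    *unchecked* target would have landed in a Startup folder (the persistence
    location the exploit aims for).
    """
    host, stream = split_entry(entry_name)
    unchecked = resolve_unchecked(root, entry_name)
    persistence = STARTUP_HINT in ntpath.normcase(unchecked)

    if stream is not None and ("\\" in stream or "/" in stream):
        # A genuine stream name never contains a path separator; one that does
        # is an attempt to turn the ADS name into a path.
        return {"path": unchecked, "allowed": False,
                "reason": "path separator in ADS name", "persistence": persistence}

    host_target = ntpath.normpath(ntpath.join(root, host))
    if ntpath.isabs(host) or not is_within(root, host_target):
        return {"path": host_target, "allowed": False,
                "reason": "entry escapes extraction root", "persistence": persistence}

    target = host_target if stream is None else host_target + ":" + stream
    return {"path": target, "allowed": True, "reason": "ok", "persistence": persistence}


def triage_listing(root, entry_names):
    """Return the (name, verdict) pairs for entries that must be refused."""
    flagged = []
    for name in entry_names:
        verdict = check_entry(root, name)
        if not verdict["allowed"]:
            flagged.append((name, verdict))
    return flagged


# Constructed sample listing: two benign entries, then three hostile variants.
SAMPLE_ROOT = r"C:\Users\victim\Downloads\extract"
SAMPLE_LISTING = [
    r"docs\report.pdf",
    r"report.pdf:Zone.Identifier",
    r"report.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "report.pdf:../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.bat",
    r"..\..\evil.bat",
]

if __name__ == "__main__":
    for name, verdict in triage_listing(SAMPLE_ROOT, SAMPLE_LISTING):
        print(f"REFUSE {name!r}: {verdict['reason']}; unchecked write would go to "
              f"{verdict['path']} (startup folder: {verdict['persistence']})")
```

Running it shows the malicious ADS entry resolving to the user's Startup folder two directory levels above the extraction root, while the benign Zone.Identifier stream is still written as a normal ADS on its host file. Both checks matter: rejecting separators in stream names catches the ADS variant, and the root-confinement check catches an ordinary traversal in the host name.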

The exploitation is carried out by a diverse range of adversaries, including Russian and Chinese state-sponsored groups and various financially motivated cybercriminals. Notable actors include the Russia-nexus groups UNC4895, APT44 and Turla, which have used the exploit against Ukrainian government and military entities. An exploit for the flaw was also offered on the underground market by a supplier known as "zeroplayer", which shows how quickly a high-impact vulnerability is commoditized and folded into the broader attack lifecycle.
