7 min read · HIGH · CVE-2025-8088 · @Sdmrf

WinRAR's Six-Month-Old Bug Is a Favorite of Russian APTs, Chinese Espionage, and Brazilian Banking Trojans

CVE-2025-8088 is a path traversal flaw in WinRAR patched last July. Six months later, Sandworm, Turla, Gamaredon, RomCom, and financially motivated groups are still using it.


A WinRAR bug patched six months ago is being exploited by at least four Russian state-sponsored groups, a China-nexus espionage operation, and multiple financially motivated crime gangs.

CVE-2025-8088 isn’t a zero-day anymore. It’s an n-day. And it’s everywhere.

The Vulnerability

CVE-2025-8088 (CVSS 8.8) is a path traversal flaw in WinRAR 7.12 and earlier. It stems from how WinRAR handles NTFS Alternate Data Streams (ADS) stored inside archive files.

The core issue: WinRAR’s RARReadHeader and RARProcessFile routines fail to normalize or validate relative path components in the stream names they read from the archive. An attacker crafts a RAR archive whose visible contents look normal (a PDF, a document) while hidden ADS entries attached to that file carry payloads whose stream names contain `..\` traversal sequences. WinRAR appends the stream name to the extracted file’s path, so the write lands outside the extraction directory.

The target directory? Usually the Windows Startup folder. Extract the archive, and a malicious LNK or DLL silently lands in Startup. Next login, it runs automatically.

From the user’s perspective, they opened a RAR file containing a single document. There’s no visible indication that anything else happened.

Who’s Exploiting It

This is what makes CVE-2025-8088 notable. It’s not one group — it’s a cross-section of the threat landscape.

Russian State-Sponsored Groups

| Actor | Also known as | Targets | Payload |
| --- | --- | --- | --- |
| Sandworm | APT44 / FROZENBARENTS | Ukrainian entities | Decoy files with Ukrainian filenames, malicious LNK files for secondary downloads |
| Gamaredon | CARPATHIAN / TEMP.Armageddon | Ukrainian government | RAR archives with HTA downloader files |
| Turla | SUMMIT / Secret Blizzard | Military/defense | STOCKSTAY malware, lures about Ukrainian drone operations |
| RomCom | UNC4895 / CIGAR | Finance, defense, manufacturing (Europe/Canada) | SnipBot variant, RustyClaw, Mythic agent |

RomCom deserves special attention: they were exploiting this as a zero-day from July 18, 2025, twelve days before the patch (WinRAR 7.13, released July 30, 2025) dropped. Spearphishing emails carried weaponized RAR attachments disguised as job applications, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.

This is at least the third time RomCom has used a zero-day in the wild. They’re investing serious resources into offensive capabilities.

China-Nexus Actor

An unspecified China-nexus group weaponized CVE-2025-8088 to deliver Poison Ivy (aka Darkmoon) — a remote access trojan that’s been around for over a decade but remains effective. Batch scripts dropped into the Startup folder download additional payloads.

Financially Motivated Groups

Multiple criminal operations adopted the exploit within weeks of disclosure:

  • Indonesian targets — Commodity RATs (AsyncRAT, XWorm)
  • Latin American hospitality and travel — Telegram bot-controlled backdoors
  • Brazilian banking — Malicious Chrome extensions for credential theft on banking sites
  • General cybercrime — Information stealers deployed at scale

The Exploit Supply Chain

Here’s the part that should worry defenders: the underground economy around this exploit.

An actor known as “zeroplayer” was advertising WinRAR exploits on dark web forums around the time of disclosure for thousands of dollars. Public proof-of-concept tools are also available, so anyone can generate malicious archives.

Google/Mandiant’s assessment is blunt: “The barrier to entry for threat actors to abuse WinRAR vulnerabilities is low, as there are public ready-to-use tools to quickly craft and test malicious archives.”

Nation-state groups use it for espionage. Criminals buy it off forums. Script kiddies download the PoC. The same bug serves all of them.

How the Exploit Works

The attack chain:

  1. Craft archive — Create a RAR file with a normal-looking document (PDF, DOCX) as the visible entry
  2. Hide payloads in ADS — Embed malicious files (DLL, LNK, BAT, HTA) in alternate data streams attached to the visible file
  3. Path traversal — The ADS entries use `..\` sequences to traverse out of the extraction directory
  4. Target Startup — Write a .lnk shortcut or payload into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  5. Persistence — On next login, the payload executes automatically
  6. Decoy ADS — Include additional ADS entries with invalid paths to generate extraction warnings that distract from the real payload

The victim sees one file. WinRAR may show some warnings about failed extractions (the decoys), but the actual payload extracts silently.

RomCom’s Three Execution Chains

ESET’s analysis of the RomCom campaign revealed three distinct payload chains:

Mythic Agent — COM hijacking via the PSFactoryBuffer CLSID to execute a malicious msedge.dll, a Mythic agent that uses the dynamichttp C2 profile and checks the victim’s domain against a hardcoded target before communicating.

SnipBot — A modified PuTTY CAC executable (ApbxHelper.exe) that decrypts AES-encrypted shellcode. It refuses to run unless the host has at least 69 recently opened documents, a cheap sandbox-evasion check that most analysis VMs fail.

RustyClaw — A Rust-written downloader that retrieves additional payloads. Uses invalid code signatures to complicate analysis.

Why This Keeps Happening

WinRAR has a fundamental distribution problem: no automatic updates.

Unlike browsers, operating systems, or even most desktop software in 2026, WinRAR requires users to manually download and install new versions. There’s no silent background update. No update notification in most configurations.

This means:

  • Enterprises with software management tools may push updates (eventually)
  • Small businesses and individuals almost never update
  • The installed base of vulnerable versions shrinks slowly

Six months after the patch, a significant percentage of WinRAR installations are still on 7.12 or earlier. The attackers know this.

What To Do

1. Update WinRAR

```text
# Check version
WinRAR > Help > About WinRAR

# Required: 7.13 or later
# Download from: https://www.win-rar.com/download.html
```

If your organization manages endpoints centrally, push this through SCCM, Intune, or your deployment tool. Don’t rely on users to update themselves — they won’t.

2. Update UnRAR Dependencies

If any software in your environment uses UnRAR.dll for archive handling, those dependencies need updating too. The vulnerability exists in the library, not just the GUI application.

3. Hunt for Indicators

Check for:

  • Unexpected files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (and in the all-users folder %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp)
  • New LNK files pointing to unusual executables
  • Processes spawned from Startup folder locations
  • RAR extraction events followed by writes to Startup directories

4. Block at the Perimeter

  • Scan RAR attachments at the email gateway; most enterprise email security products now detect CVE-2025-8088 archives, but confirm yours does rather than assuming it
  • Consider blocking RAR attachments entirely if your organization doesn’t need them
  • Monitor for RAR files downloaded from untrusted sources

5. Detection Rules

Look for:

  • File writes to Startup directories from WinRAR processes
  • ADS creation on extracted files
  • Path traversal patterns in file extraction logs (`..\` sequences)
  • Known C&C domains: srlaptop[.]com, campanole[.]com, melamorri[.]com, gohazeldale[.]com
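The two endpoint signals from sections 3 and 5 (an archiver writing into a Startup folder; an archiver creating an alternate data stream that is not mark-of-the-web) as an added example, not a rule from this article or any vendor. The events are constructed for the demo and only borrow the Sysmon field names `EventID`, `Image` and `TargetFilename` from Event ID 11 (FileCreate) and 15 (FileCreateStreamHash); the process list and the Startup path pattern (per-user and all-users) are assumptions to adapt to your estate.

```python
"""Added example, not a rule from the article or a vendor: the two endpoint signals
(archiver writes to Startup, archiver creates a non-MOTW ADS) over Sysmon-shaped events.
All events below are constructed; only the field names follow Sysmon EID 11 and 15."""
import re

# Matches both the per-user and the all-users Startup folder (assumed pattern; trailing separator required).
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Process images that extract archives; extend with anything in your estate that embeds UnRAR.dll (assumption).
ARCHIVER_IMAGES = {"winrar.exe", "unrar.exe"}
# WinRAR legitimately writes :Zone.Identifier (mark-of-the-web) onto extracted files; never alert on it.
BENIGN_STREAMS = {"zone.identifier"}

def _basename(path):
    return path.rsplit("\\", 1)[-1]

def stream_of(target):
    """'C:\\x\\a.pdf:foo' -> 'foo'; '' when TargetFilename names no alternate data stream."""
    name = _basename(target)
    return name.split(":", 1)[1] if ":" in name else ""

def classify(event):
    """Return an alert tag for one event, or None when neither rule matches."""
    if _basename(event.get("Image", "")).lower() not in ARCHIVER_IMAGES:
        return None
    target = event.get("TargetFilename", "")
    if event.get("EventID") == 11 and STARTUP_DIR.search(target):
        return "archiver_wrote_startup_folder"
    stream = stream_of(target)
    if event.get("EventID") == 15 and stream and stream.lower() not in BENIGN_STREAMS:
        return "archiver_created_unexpected_ads"
    return None

def detect(events):
    """[(tag, Image, TargetFilename)] for every event that matches either rule."""
    return [(tag, ev["Image"], ev["TargetFilename"]) for ev in events if (tag := classify(ev))]

# Constructed sample: a normal extraction, its MOTW stream, a Startup drop, a user shortcut, an odd stream.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 15, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"},
    {"EventID": 15, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:payload"},
]
```

Event ID 15 only appears if the Sysmon configuration includes a `FileCreateStreamHash` rule; without it the Startup rule still fires on a successful exploit, because the traversal ends in an ordinary file create under the Startup path. The explorer.exe write is deliberately left unalerted: the rule is scoped to archivers, and users do create shortcuts there.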

The Bigger Pattern

CVE-2025-8088 follows the same trajectory as CVE-2023-38831, the previous WinRAR flaw that was similarly adopted by a wide range of state and criminal actors. Archive utilities are attractive targets because:

  • Universal attack surface — WinRAR is one of the most widely installed Windows utilities, and other tools ship the same UnRAR code
  • User interaction is minimal — Open the file, extraction happens
  • No exploit complexity — Crafting a malicious archive takes minutes with available tools
  • Persistence is built in — Startup folder writes give you automatic execution

The archive utility exploit is the new document macro. Same delivery method (email attachment), same user interaction (double-click), same outcome (code execution). The only difference is the vector moved from Office macros to archive path traversal.
