Russian and Chinese espionage groups continue to exploit an N-day vulnerability (CVE-2025-8088) in WinRAR alongside financially motivated actors, all leveraging a path traversal vulnerability that drops malware into Windows Startup folders.

Google Threat Intelligence Group discovered widespread exploitation of a critical WinRAR vulnerability six months after the vendor patched it, with government-backed hackers from Russia and China deploying the flaw alongside financially motivated cybercriminals. The attacks demonstrate how effective exploits remain valuable long after patches become available, especially when organizations delay updates.

CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR, allows attackers to write files to arbitrary system locations by crafting malicious RAR archives. RARLAB released WinRAR version 7.13 on July 30, 2025, to address the flaw. However, exploitation began at least 12 days earlier, on July 18, according to ESET research.

Read: New Zero-Day in WinRAR Abused by RomCom

The vulnerability exploits Alternate Data Streams, a Windows feature that allows multiple data streams to be associated with a single file. Attackers conceal malicious files within ADS entries of decoy documents inside archives. While victims view what appears to be a legitimate PDF or document, hidden payload streams execute in the background.

The exploit uses specially crafted paths combining ADS features with directory traversal characters. A file might carry a composite name like "innocuous.pdf:malicious.lnk" paired with a path traversing to critical directories. When victims open the archive, the ADS content extracts to destinations specified by the traversal path, frequently targeting the Windows Startup folder for automatic execution at next login.

Multiple Russian threat groups consistently exploit the vulnerability in campaigns targeting Ukrainian military and government entities using highly tailored geopolitical lures. UNC4895, also known as RomCom, conducts dual financial and espionage operations through spearphishing emails with subject lines indicating targeting of specific Ukrainian military units. The attacks deliver NESTPACKER malware, externally known as Snipbot.

APT44, tracked under the designation FROZENBARENTS, drops decoy files with Ukrainian filenames alongside malicious LNK files attempting further downloads. TEMP.Armageddon, designated CARPATHIAN, uses RAR archives to place HTA files into Startup folders, with the HTA acting as a downloader for second-stage payloads. This activity continued through January 2026.

Turla, adopted CVE-2025-8088 to deliver the STOCKSTAY malware suite using lures themed around Ukrainian military activities and drone operations. A China-nexus actor exploits the vulnerability to deliver POISONIVY malware via BAT files dropped into Startup folders, which then download droppers.

The exploitation mirrors widespread abuse of CVE-2023-38831, a previous WinRAR bug that government-backed actors heavily exploited despite available patches. The pattern demonstrates that exploits for known vulnerabilities remain highly effective when organizations fail to patch promptly.

Financially motivated threat groups quickly adopted the vulnerability. One group targeting Indonesian entities uses lure documents to drop CMD files into Startup folders. These scripts download password-protected RAR archives from Dropbox containing backdoors that communicate with Telegram bot command-and-control servers.

Another group focuses on hospitality and travel sectors, particularly in Latin America, using phishing emails themed around hotel bookings to deliver commodity remote access trojans including XWorm and AsyncRAT. A separate group targeting Brazilian users via banking websites delivered malicious Chrome extensions that inject JavaScript into pages of two Brazilian banking sites to display phishing content and steal credentials.

An actor known as "zeroplayer" advertised a WinRAR exploit in July 2025, shortly before widespread exploitation began. zeroplayer's portfolio extends beyond WinRAR. In November 2025, the actor claimed a sandbox escape remote code execution zero-day exploit for Microsoft Office, advertising it for $300,000. In late September 2025, zeroplayer advertised a remote code execution zero-day for an unnamed popular corporate VPN provider.

Starting mid-October 2025, zeroplayer advertised a Windows local privilege escalation zero-day exploit for $100,000. In early September 2025, the actor advertised a zero-day for an unspecified drive allowing attackers to disable antivirus and endpoint detection and response software for $80,000.

zeroplayer's continued activity demonstrates the commoditization of the attack lifecycle. By providing ready-to-use capabilities, actors like zeroplayer reduce technical complexity and resource demands, allowing groups with diverse motivations—from ransomware deployment to state-sponsored intelligence gathering—to leverage sophisticated capabilities.

The rapid exploitation adoption occurred despite Google Safe Browsing and Gmail actively identifying and blocking files containing the exploit. When reliable proof of concept for critical flaws enters cybercriminal and espionage marketplaces, adoption becomes instantaneous. This blurs lines between sophisticated government-backed operations and financially motivated campaigns.

The vulnerability's commoditization reinforces that effective defense requires immediate application patching coupled with fundamental shifts toward detecting consistent, predictable post-exploitation tactics.

Google published comprehensive indicators of compromise in a VirusTotal collection for registered users to assist security teams in hunting and identifying related activity.