The Google Threat Intelligence Group (GTIG) has issued a warning regarding the ongoing exploitation of a vulnerability in WinRAR, identified as CVE-2025-8088. Despite being patched in July 2025, both nation-state actors and financially motivated cybercriminals continue to target this flaw to deploy malware onto users’ systems unnoticed.
Cybersecurity researchers highlighted that the vulnerability is a “path traversal” flaw. This technique allows a malicious archive to masquerade as a legitimate document while covertly writing harmful software into the user’s Startup folder instead of the chosen extraction directory. Files located in this folder are executed automatically upon login, effectively giving hackers a persistent backdoor into the affected systems.
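As an added illustration of the path-traversal pattern described above (example code, not from GTIG, ESET or WinRAR), the following defender-side check audits an archive's entry names before extraction and refuses any that would escape the output folder; the sample entry names and the Startup-folder marker are constructed assumptions for the example.

```python
"""Refuse archive entries whose names would escape the extraction folder."""
import ntpath

# Tail shared by the per-user and all-users Windows Startup folders
# (lowercased, backslash form). Marker chosen for this example.
STARTUP_MARKER = r"microsoft\windows\start menu\programs\startup"


def _normalise(name: str) -> str:
    """Treat '/' and '\\' alike and collapse '.' and '..' components."""
    return ntpath.normpath(name.replace("/", "\\"))


def is_unsafe_entry(name: str) -> bool:
    """True if the entry is rooted, drive- or UNC-qualified, or climbs out via '..'."""
    raw = name.replace("/", "\\")
    if raw.startswith("\\") or ntpath.splitdrive(raw)[0]:
        return True  # rooted or drive-qualified: ignores the chosen output folder
    collapsed = _normalise(name)
    return collapsed == ".." or collapsed.startswith("..\\")


def targets_startup(name: str) -> bool:
    """True if the collapsed path lands inside a Startup folder."""
    return STARTUP_MARKER in _normalise(name).lower()


def audit_entries(names):
    """Return (entry, reason) pairs a safe extractor should refuse, in listing order."""
    findings = []
    for name in names:
        if is_unsafe_entry(name):
            reason = "startup-folder traversal" if targets_startup(name) else "path traversal"
            findings.append((name, reason))
    return findings


# Constructed sample listing: one benign document, one benign subfolder file,
# and three entries shaped like the traversal pattern described in the article.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\..\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Users\\Public\\helper.bat",
    "docs/../../outside.txt",
]

if __name__ == "__main__":
    for entry, reason in audit_entries(SAMPLE_ENTRIES):
        print(f"REFUSE [{reason}]: {entry}")
```

The same check generalises to any archive format: run it over the member list before extracting, and drop or quarantine the archive on the first finding.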
History of the Vulnerability and Its Exploiters
This issue is not new; it was first reported by the security firm ESET in 2025. Hackread.com noted how cybercriminals initially used the flaw to execute arbitrary code, gaining full control over victims’ computers. Phishing emails were central to these early campaigns, delivering the notorious ‘RomCom backdoor.’
GTIG’s recent investigations revealed that various sophisticated groups have since adopted this exploit. Among them are the Russian-linked groups APT44, also known as Sandworm, and Turla, which have primarily targeted Ukrainian government and military entities. Turla specifically utilized lures related to drone operations to deploy the STOCKSTAY malware. Another group, TEMP.Armageddon, also known as CARPATHIAN, managed to use the vulnerability to install HTA downloader files.
Additionally, researchers identified a group linked to China that has employed this exploit to deploy a BAT file, leading to the installation of the POISONIVY malware.
Current Threat Landscape and Recommendations
The RomCom Group, also referred to as UNC4895, operates uniquely by pursuing both governmental secrets and financial gain. They often distribute variants of the Snipbot virus. Throughout December 2025 and January 2026, they have continued to spread “commodity RATs” and information stealers. Notably, Brazilian criminals have launched malicious Chrome extensions aimed at stealing banking credentials, while the travel sector in Latin America has been plagued by fraudulent hotel booking emails.
In Indonesia, cybercriminals have targeted local entities, utilizing Dropbox links to install backdoors managed through Telegram. These attacks are facilitated by a burgeoning underground market that sells exploits and other hacking tools. One seller, known as ‘zeroplayer,’ was reported to be offering the WinRAR exploit along with other digital keys. This individual’s portfolio included tools capable of breaching Microsoft Office for $300,000 and disabling antivirus software for $80,000.
As the accessibility of these tools increases, the threat landscape becomes more perilous. To mitigate risks, users are advised to ensure their WinRAR software is updated to version 7.13 or higher. Cybersecurity researchers emphasize that maintaining current software is the most effective defense against such diverse threats.
