Hackers Still Exploit WinRAR Flaw, Mandiant Reports

Summary
– A critical, patched WinRAR vulnerability (CVE-2025-8088) is still being actively exploited by both state-sponsored and financially motivated hackers.
– The exploit uses malicious archives that hide payloads in Alternate Data Streams (ADS); a path traversal in the stream name makes WinRAR write the payload outside the extraction folder, into a location where it runs at the next logon.
– Attack groups like RomCom and Paper Werewolf likely obtained the exploit from a single dark web supplier known as “zeroplayer.”
– The vulnerability has been used by various threat actors, including Russian and Chinese groups, to deliver malware like remote access trojans and info-stealers.
– Users must manually update to WinRAR version 7.13 to protect against this and another known exploited flaw.
A critical security flaw in the widely used WinRAR archiving software continues to be actively exploited by a range of threat actors, despite a patch having been available for over six months. Cybersecurity firm Mandiant reports that both state-sponsored hackers and financially motivated groups are leveraging CVE-2025-8088, a path traversal flaw in WinRAR's handling of Alternate Data Streams that lets a specially crafted RAR archive write files outside the directory the user chose for extraction.
The exploit technique is particularly deceptive. Attackers attach the harmful payload as an Alternate Data Stream (ADS) of a seemingly innocent decoy file, such as a PDF, inside the archive. When the user extracts the archive, WinRAR writes the hidden stream to an attacker-chosen location outside the extraction folder, for example the user's Startup folder. The payload then runs automatically the next time the user logs on, usually without the user noticing anything beyond the decoy document.
Evidence suggests that many of these attacks are fueled by a single source. Researchers from BI.ZONE identified that early campaigns in July and August 2025, linked to groups known as RomCom and Paper Werewolf, likely obtained their exploit from a dark web vendor using the alias “zeroplayer.” This supplier provides ready-made attack tools, lowering the barrier to entry for less sophisticated cybercriminals.
Since those initial incidents, the vulnerability’s exploitation has broadened significantly. Several Russian-aligned advanced persistent threat (APT) groups, including Sandworm and TEMP.Armageddon, have used it for cyber espionage against Ukrainian targets. A separate China-nexus actor was observed deploying the POISONIVY remote access trojan. Financially motivated attackers have also targeted organizations in Indonesia, Latin America’s hospitality sector, and customers of Brazilian banks.
The malware delivered through these booby-trapped archives varies widely, from information-stealing trojans and backdoors to malicious browser extensions. Mandiant analysts emphasize that exploit suppliers like zeroplayer democratize access to such capabilities, enabling groups with different goals, from data theft to ransomware deployment, to launch sophisticated attacks with relative ease.
The solution for users is straightforward but requires manual action. All users must immediately update to WinRAR version 7.13, which contains the necessary fixes for CVE-2025-8088 and another known flaw, CVE-2025-6218. It is crucial to note that WinRAR does not update automatically; individuals and IT administrators must manually download and install the latest version over their existing software to ensure protection.
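Because WinRAR has no auto-updater, the practical follow-up to the report is a host check. The PowerShell below is an added example, not code from the HelpNet Security or Mandiant write-ups or from WinRAR itself: it verifies the installed WinRAR build against 7.13 and then looks for the two artefacts the technique described above leaves behind, recently created entries in a Startup folder and files in the download folder that carry unexpected alternate data streams. The default install paths, the Downloads folder and the 14-day lookback are assumptions to adjust for your estate.

```powershell
# Added host check (example code, not from the report or from WinRAR).
# 1. Is the installed WinRAR older than 7.13, the first build with the CVE-2025-8088 fix?
# 2. Did anything appear recently in a Startup folder (the auto-run location the technique
#    abuses), or do downloaded files carry alternate data streams beyond the usual ones?
# Assumptions: default per-machine install directories, %USERPROFILE%\Downloads, 14 days.

$FixedVersion = [version]'7.13'
$LookbackDays = 14

function Get-WinRarVersion {
    # Assumed default install directories; WinRAR does not register an auto-updater,
    # so the file version on disk is the only reliable indicator.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (Test-Path -LiteralPath $exe) {
            $raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            # FileVersion may carry trailing text; keep only the leading dotted number.
            if ($raw -match '^\d+(\.\d+)+') { return [version]$Matches[0] }
        }
    }
    return $null
}

function Test-WinRarPatched {
    $v = Get-WinRarVersion
    if ($null -eq $v) {
        Write-Warning 'WinRAR.exe not found in the default install locations.'
        return $null
    }
    $patched = $v -ge $FixedVersion
    if (-not $patched) {
        Write-Warning "WinRAR $v is older than $FixedVersion; update manually, there is no auto-update."
    }
    return $patched
}

function Get-RecentStartupItems {
    # Per-user and all-users Startup folders; anything placed here runs at the next logon.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    if (-not $startupDirs) { return }
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-ChildItem -LiteralPath $startupDirs -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object FullName, CreationTime, Length
}

function Find-FilesWithExtraStreams {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed drop folder
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream, and Zone.Identifier is the
            # ordinary mark-of-the-web. Any other stream on a downloaded file deserves a look.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{ File = $file.FullName; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
}

Test-WinRarPatched
Get-RecentStartupItems     | Format-Table -AutoSize
Find-FilesWithExtraStreams | Format-Table -AutoSize
```

Run it from an elevated session so the all-users Startup folder is readable, and note that `Get-Item -Stream` only reports streams on NTFS volumes. A hit in the Startup listing is the stronger signal: after a successful extraction the payload lives there, not as a stream on the decoy.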
(Source: HelpNet Security)

