WinRAR Path Flaw Still Actively Exploited by Hackers

Summary
– A high-severity path traversal vulnerability in WinRAR (CVE-2025-8088) is being actively exploited by both state-sponsored and financially motivated threat actors.
– The exploit uses Alternate Data Streams (ADS) to hide malicious files within archives, which are then extracted to arbitrary locations like the Windows Startup folder for persistence.
– State-sponsored groups, including UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have used it to deliver malware like NESTPACKER and POISONIVY, often with Ukrainian-themed decoys.
– Financially motivated cybercriminals are also exploiting the flaw to distribute commodity malware such as remote access tools, information stealers, and malicious browser extensions.
– The exploits are often sourced from specialized suppliers, reflecting the commoditization of exploit development and lowering the barrier for attackers targeting unpatched systems.
A critical vulnerability in the widely used WinRAR file compression software continues to be a major security threat, with both state-sponsored hackers and cybercriminals actively exploiting it to breach systems. Tracked as CVE-2025-8088, this high-severity path traversal flaw allows attackers to hide malicious files within a compressed archive and place them in sensitive locations on a Windows system. The exploit specifically manipulates Alternate Data Streams (ADS), a feature of the Windows file system, to write harmful payloads to arbitrary folders, such as the Startup directory, ensuring the malware runs automatically when a user logs in.
Security researchers at ESET first identified the vulnerability and reported in August 2025 that the Russia-aligned hacking group known as RomCom was already using it in zero-day attacks. According to a new report from the Google Threat Intelligence Group, the exploitation timeline actually began even earlier, on July 18, 2025, and remains ongoing. The attack method is notably deceptive. A typical archive contains a seemingly harmless decoy document, like a PDF, to distract the user. Hidden within the same archive, however, are malicious ADS entries. Some contain the actual payload, while others are dummy data meant to complicate detection.
When a user opens the compromised archive with a vulnerable version of WinRAR, the software extracts the hidden payload. Using directory traversal techniques, it drops files like LNK shortcuts, HTA applications, or BAT scripts into critical system locations. These files are often configured to execute upon the next user login, providing immediate access or persistence for the attackers. Google’s investigation has linked several sophisticated state-sponsored groups to this campaign.
The group UNC4895, also known as RomCom or CIGAR, has used the flaw in spearphishing attacks targeting Ukrainian military units to deliver a malware loader called NESTPACKER. Another actor, APT44 (FROZENBARENTS), employs malicious LNK files with Ukrainian-language decoys to facilitate follow-on malware downloads. The group TEMP.Armageddon, or CARPATHIAN, has been observed dropping HTA downloaders into Startup folders, with activity reportedly continuing into 2026. The notorious Turla group (SUMMIT) has also leveraged the exploit, delivering its STOCKSTAY malware suite using themes related to the Ukrainian army. Additionally, China-linked actors have been seen using the vulnerability to deploy the POISONIVY backdoor.
Beyond espionage, financially motivated cybercriminals are abusing the same WinRAR weakness. These actors distribute common remote access trojans like XWorm and AsyncRAT, along with Telegram bot-controlled backdoors and malicious browser extensions designed to steal banking information. This widespread exploitation across different threat landscapes underscores the flaw’s severe impact. Evidence suggests that many of these groups are not developing their own exploits but are instead purchasing working attack code from specialized suppliers in the cyber underground.
One such supplier, using the alias “zeroplayer,” publicly advertised a WinRAR exploit in July 2025. This same actor has a history of marketing other high-value exploits, including what were claimed to be zero-day vulnerabilities for Microsoft Office, corporate VPNs, and Windows privilege escalation, with price tags ranging from $80,000 to $300,000. This marketplace for digital weapons illustrates the growing commoditization of exploit development. By lowering the technical barrier for attackers, these commercial suppliers enable a faster and more efficient attack lifecycle, allowing malicious actors to quickly target systems that have not yet been patched.
(Source: Bleeping Computer)