Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads.
“Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” the Google Threat Intelligence Group (GTIG) said.
“The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.”
The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025. Successful exploitation of the flaw could allow an attacker to obtain arbitrary code execution by crafting malicious archive files that are opened by a vulnerable version of the program.
ESET, which discovered and reported the security defect, said it observed the dual financial and espionage-motivated threat group known as RomCom (aka CIGAR or UNC4895) exploiting the flaw as a zero-day as far back as July 18, 2025, to deliver a variant of the SnipBot (aka NESTPACKER) malware. It’s worth noting that Google is tracking the threat cluster behind the deployment of Cuba Ransomware under the moniker UNC2596.
Since then, the vulnerability has come under widespread exploitation. Attack chains typically conceal the malicious file, such as a Windows shortcut (LNK), within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and executed automatically once the user logs in to the machine after a restart.
Some of the other Russian threat actors who have joined the exploitation bandwagon are listed below –
- Sandworm (aka APT44 and FROZENBARENTS), which has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads
- Gamaredon (aka CARPATHIAN), which has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage
- Turla (aka SUMMIT), which has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centred around Ukrainian military activities and drone operations
GTIG said it also identified a China-based actor weaponizing CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that’s then configured to download a dropper.
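The chains described above all rely on the same primitive: an archive entry whose ADS stream name carries `..\` segments so that a naive extractor writes the payload outside the chosen extraction directory, typically into the user's Startup folder. The following is an added example for this article, not code from Google, ESET or RARLAB. It assumes the caller has already listed an archive's entry names (with ADS entries exposed in `host:stream` form) and wants to resolve each one against the extraction directory, the way a traversal-capable extractor would, and refuse to extract when an entry escapes that directory or lands in Startup. The entry names, the extraction root and the extension list are constructed for the example and are not indicators from the article.

```python
"""Pre-extraction check for archive entry names that abuse alternate data
streams (ADS) and path traversal to reach the Windows Startup folder.

Added example; not the code of any vendor named in the article.  Assumes the
archive listing has already been obtained and ADS entries appear as
"host:stream".  All sample values below are constructed.
"""
import ntpath
from dataclasses import dataclass, field

# Folder whose contents Windows runs at user logon (matched case-insensitively).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Payload types the article mentions (LNK, HTA, batch) plus a few other
# commonly auto-executed types; this list is an assumption of the example.
AUTORUN_EXTENSIONS = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".exe", ".scr"}

# Reasons that by themselves should block extraction; "autorun-ext" alone is
# only informational, since legitimate archives do ship executables.
BLOCKING_REASONS = {"ads", "absolute", "traversal", "startup"}


@dataclass
class Finding:
    entry: str
    resolved: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(set(self.reasons) & BLOCKING_REASONS)


def split_ads(entry: str):
    """Return (host, stream) for a 'host:stream' entry, else (entry, None).

    A ':' at index 1 after a letter is a drive designator ('C:\\...'), not an
    ADS separator; it is left alone here and flagged as 'absolute' later.
    """
    idx = entry.find(":")
    if idx == 1 and entry[0].isalpha():
        idx = entry.find(":", 2)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def analyze_entry(entry: str, dest_root: str) -> Finding:
    """Resolve one entry against dest_root like a naive extractor would and
    record every property that makes it dangerous."""
    reasons = []
    host, stream = split_ads(entry)
    # For an ADS entry the stream name is what actually gets written to disk.
    candidate = stream if stream is not None else host
    if stream is not None:
        reasons.append("ads")

    candidate = candidate.replace("/", "\\")
    if ntpath.isabs(candidate) or ntpath.splitdrive(candidate)[0]:
        reasons.append("absolute")

    # ntpath gives Windows path semantics on any host OS, so this check can
    # run on a Linux mail gateway as well as on the endpoint itself.
    root = ntpath.normcase(ntpath.normpath(dest_root))
    resolved = ntpath.normcase(ntpath.normpath(ntpath.join(root, candidate)))
    if not resolved.startswith(root + "\\"):   # escaped the extraction dir
        reasons.append("traversal")
    if STARTUP_MARKER in resolved:
        reasons.append("startup")
    if ntpath.splitext(resolved)[1] in AUTORUN_EXTENSIONS:
        reasons.append("autorun-ext")
    return Finding(entry, resolved, reasons)


def scan(entries, dest_root):
    """Return the findings that should block extraction of the archive."""
    return [f for f in (analyze_entry(e, dest_root) for e in entries) if f.suspicious]


# Constructed sample listing: one benign decoy, one ADS entry aimed at the
# Startup folder, one ADS traversal elsewhere, one plain traversal, two benign.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "invoice.pdf:..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "notes.txt:..\\..\\evil.bat",
    "..\\..\\tools\\helper.exe",
    "docs/readme.txt",
    "setup.exe",
]
SAMPLE_ROOT = "C:\\Users\\alice\\Downloads\\extract"

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES, SAMPLE_ROOT):
        print(f"BLOCK {finding.entry!r} -> {finding.resolved} [{', '.join(finding.reasons)}]")
```

The decision to block is made on the resolved path, not on the presence of `..` in the raw name, because an extractor that normalizes paths before writing is exactly what a patched WinRAR does; comparing against the canonicalized root is the check the vulnerable versions lacked. Running the block prints the three entries that would escape `SAMPLE_ROOT`, with the ADS entry additionally tagged `startup`.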
“Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets,” it added…