Everyone’s exploiting a WinRAR bug to drop RATs • The Register
Come one, come all. Everyone from Russian and Chinese government goons to financially motivated miscreants is exploiting a long-since-patched WinRAR vuln to bring you infostealers and Remote Access Trojans (RATs).
The bug, tracked as CVE-2025-8088, is a path traversal flaw that affects the Windows version of the decompression tool. It received an 8.8 CVSS v3.1 score, and WinRAR patched the flaw in version 7.13 released on July 30.
Shortly after the release, ESET researchers who discovered and reported the vulnerability told The Register that Russia-aligned crew RomCom and at least one other criminal group exploited the security hole as a zero-day.
Fast forward to late January, and Google Threat Intelligence Group (GTIG) says several groups are still abusing CVE-2025-8088.
The exploit abuses Alternate Data Streams (ADS), a feature of the Windows NTFS filesystem, to hide malware. Attackers craft malicious RAR archives with a decoy PDF or other file inside, and when a user opens the decoy file with a vulnerable version of WinRAR, the hidden payload is written to arbitrary locations on the system.
“Multiple government-backed actors have adopted the CVE-2025-8088 exploit, predominantly focusing on military, government, and technology targets,” GTIG said in a Tuesday report.
These include RomCom, which is both a ransomware and espionage gang, and is exploiting this bug to target Ukrainian military and government entities using geopolitical lures. Three other Kremlin-linked crews – APT44 (aka Frozenbarents), Temp.Armageddon (aka Carpathian), and Turla (aka Summit) – are also abusing CVE-2025-8088 to target these same sectors in Ukraine.
Also according to Google, an unnamed PRC-based group is exploiting the vulnerability to deliver PoisonIvy, a Remote Access Trojan (RAT), via a BAT file dropped into the Startup folder, which then downloads a malware dropper.
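As an added illustration (this is not code from the article, ESET, GTIG or WinRAR), the Python below shows the kind of pre-extraction triage a defender can run over archive entry names: it flags NTFS ADS markers in a name, resolves the file name and any stream name (the stream name is where the traversal sequences sat in the abuse described above) against the intended extraction directory to catch writes that would escape it, and notes when the resolved target lands in a Startup folder, the drop location used in the PoisonIvy delivery just described. It does not parse RAR files itself and works on names already produced by an archive listing tool; the extraction directory, the sample entry names and the finding labels are constructed for the example.

```python
"""Triage archive entry names for path traversal and NTFS Alternate Data
Stream (ADS) markers before anything is extracted.

Added example for this article; not WinRAR, ESET or GTIG code.  It does not
parse RAR archives: feed it the entry names an archive tool has listed.
"""
import ntpath

# Constructed sample listing (illustrative names, not indicators from the article).
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "Invoice_2025.pdf:..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat",
    "..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat",
    "docs\\readme.txt",
    "C:\\Windows\\Temp\\evil.dll",
]

# Case-folded fragment of the per-user Startup folder path (assumed layout).
STARTUP_MARKER = ntpath.normcase("\\Start Menu\\Programs\\Startup\\")


def split_ads(entry):
    """Return (file_part, stream_part) for a Windows 'file:stream' name.

    The colon after a drive letter ('C:\\...') is not an ADS marker, so the
    drive is split off first.  A trailing ':$DATA' stream type is dropped.
    """
    drive, rest = ntpath.splitdrive(entry)
    if ":" not in rest:
        return entry, None
    file_part, stream_part = rest.split(":", 1)
    if stream_part.upper().endswith(":$DATA"):
        stream_part = stream_part.rsplit(":", 1)[0]
    return drive + file_part, stream_part


def resolve_target(extract_dir, path):
    """Where would this name land if written relative to extract_dir?

    Absolute or drive-qualified names are taken as-is; relative names are
    joined to the extraction directory.  normpath collapses '..' segments.
    """
    if ntpath.isabs(path) or ntpath.splitdrive(path)[0]:
        return ntpath.normpath(path)
    return ntpath.normpath(ntpath.join(extract_dir, path))


def is_inside(extract_dir, target):
    """True if target is the extraction directory or lies beneath it."""
    base = ntpath.normcase(ntpath.normpath(extract_dir))
    t = ntpath.normcase(target)
    return t == base or t.startswith(base.rstrip("\\") + "\\")


def triage_entry(extract_dir, entry):
    """Return a sorted list of finding labels for one entry (empty == clean).

    Labels (assumed for this example): 'ads' for a stream marker,
    'escapes_extract_dir' when the file or stream name resolves outside the
    extraction directory, 'startup_folder' when it resolves into Startup.
    """
    findings = set()
    file_part, stream_part = split_ads(entry)
    candidates = [file_part]
    if stream_part is not None:
        findings.add("ads")
        # Check the stream name as a path too: that is where traversal hid.
        candidates.append(stream_part)
    for cand in candidates:
        target = resolve_target(extract_dir, cand)
        if not is_inside(extract_dir, target):
            findings.add("escapes_extract_dir")
        if STARTUP_MARKER in ntpath.normcase(target):
            findings.add("startup_folder")
    return sorted(findings)


def triage_listing(extract_dir, entries):
    """Map each entry name to its findings; anything non-empty needs review."""
    return {e: triage_entry(extract_dir, e) for e in entries}


if __name__ == "__main__":
    for name, found in triage_listing("C:\\Users\\alice\\Downloads", SAMPLE_ENTRIES).items():
        print(f"{name!r}: {found or 'clean'}")
```

A clean listing yields empty lists; an `ads` flag on its own (for example a `Zone.Identifier` stream) is low-severity, while `escapes_extract_dir` means the archive would write outside the folder the user chose and should be quarantined rather than extracted.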
Several financially motivated criminal gangs are also leveraging this vulnerability to infect victims’ machines with RATs and data-stealing malware. While the threat hunters don’t name these specific gangs, we’re told they include a group targeting commercial organizations in Indonesia, another group that targets the hospitality and travel sectors via phishing emails with hotel booking lures that deliver XWorm and AsyncRAT, and a third focused on Brazilian users that steals credentials via banking websites.
Plus, as of January, “we have continued to observe malware being distributed by cyber crime exploiting CVE-2025-8088, including commodity RATs and stealers,” the security sleuths said.
Back in June, before the vulnerability was publicly known, a criminal who goes by “zeroplayer” posted an ad for a working WinRAR zero-day exploit for $80,000 on a cybercrime forum.
According to GTIG, this isn’t the only exploit zeroplayer is selling to other criminals. “Historically, and in recent months, zeroplayer has continued to offer other high-priced exploits that could potentially allow threat actors to bypass security measures,” the researchers wrote.
This includes a sandbox-escape and remote code execution (RCE) zero-day exploit for Microsoft Office advertised at $300,000 in November 2025, and a zero-day local privilege escalation (LPE) exploit for Windows costing $100,000 a month earlier.
In September, zeroplayer advertised an RCE zero-day exploit for a “popular, unnamed corporate VPN provider” without a price tag, and another zero-day for an unspecified driver that disables antivirus and endpoint detection and response software for $80,000. ®