
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
WinRAR Vulnerability Actively Exploited by State-Sponsored and Criminal Groups

Multiple state-sponsored threat actors and financially motivated cybercrime groups have been actively exploiting a high-severity vulnerability in WinRAR for Windows, according to Google Threat Intelligence Group (GTIG). The flaw, tracked as CVE-2025-8088, was used as a zero-day before being patched in July 2025 and continues to see widespread exploitation across government, military, and commercial targets. The campaign highlights how quickly reliable exploits spread across both espionage and cybercrime ecosystems once weaponized.
Context
WinRAR remains one of the most widely used archive utilities globally, making it an attractive target for attackers seeking broad reach. Vulnerabilities in file-handling software are particularly dangerous because exploitation often requires nothing more than user interaction, such as opening a compressed file. In this case, GTIG reports that exploitation persisted for months after patch availability, underscoring persistent gaps in patch adoption.
What Happened
GTIG observed sustained exploitation of CVE-2025-8088 over a six-month period by multiple threat actors. The vulnerability was initially exploited as a zero-day by the Russia-linked RomCom group before disclosure and patching. Since then, both state-sponsored advanced persistent threats (APTs) and cybercriminal groups have incorporated the flaw into active operations targeting diverse sectors and geographies.
Technical Breakdown
CVE-2025-8088 is a path traversal vulnerability in WinRAR for Windows. It allows attackers to craft malicious RAR archives that write files to arbitrary locations on a victim system.
Attackers concealed payloads using Alternate Data Streams (ADS) embedded within decoy files. When opened, the archive writes a malicious file—often into the Windows startup directory—ensuring persistence. The payload then executes automatically upon user login, enabling arbitrary code execution without additional user interaction.
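As an added example (not code from the article or from GTIG), the following pre-extraction triage script flags the three traits described above in an archive's entry names: parent-directory traversal that resolves outside the extraction folder, Alternate Data Stream syntax on a decoy file, and a destination inside a Windows Startup folder. It assumes entry names come from a trusted archive lister; the extraction root, the Startup folder marker and the sample listing are constructed for the demonstration.

```python
import ntpath
import re

# Lower-cased path fragment shared by the per-user and all-users Startup folders.
# Assumption: standard Windows shell-folder layout; extend locally if redirected.
STARTUP_MARKERS = (r"\microsoft\windows\start menu\programs\startup",)


def _split_ads(name: str):
    """Return (host_path, stream) for 'file.txt:stream'; stream is '' when absent.
    A leading drive-letter colon (e.g. C:) is not treated as an ADS separator."""
    win = name.replace("/", "\\")          # WinRAR on Windows accepts both separators
    drive, rest = "", win
    if re.match(r"^[A-Za-z]:", win):
        drive, rest = win[:2], win[2:]
    host, _, stream = rest.partition(":")
    return drive + host, stream


def resolve_target(name: str, extract_root: str) -> str:
    """Where the entry's host file would land if extracted under extract_root."""
    host, _ = _split_ads(name)
    return ntpath.normpath(ntpath.join(extract_root, host))


def analyze_entry(name: str, extract_root: str) -> list:
    """Reasons an entry name is suspicious; an empty list means nothing was flagged."""
    reasons = []
    host, stream = _split_ads(name)
    if stream:
        reasons.append("alternate data stream on host file")
    if re.match(r"^([A-Za-z]:)?\\", host):
        reasons.append("absolute or rooted path")
    root = ntpath.normpath(extract_root).lower().rstrip("\\")
    target = resolve_target(name, extract_root).lower()
    # Normalizing catches '..' that escapes while ignoring 'a\..\b' that stays inside.
    if target != root and not target.startswith(root + "\\"):
        reasons.append("path escapes extraction directory")
    if any(marker in target for marker in STARTUP_MARKERS):
        reasons.append("resolves into a Startup folder")
    return reasons


def scan_listing(entries, extract_root=r"C:\Users\victim\Downloads\extract") -> dict:
    """Map each suspicious entry name to its reasons; benign names are omitted."""
    findings = {}
    for entry in entries:
        reasons = analyze_entry(entry, extract_root)
        if reasons:
            findings[entry] = reasons
    return findings


# Constructed sample listing: two benign entries, one ADS decoy, one traversal, one absolute path.
SAMPLE_LISTING = [
    "invoice_2025.pdf",
    "docs/readme.txt",
    "invoice_2025.pdf:update.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe",
]
```

Running `scan_listing(SAMPLE_LISTING)` returns only the last three entries with their reasons; in practice, quarantine any archive that produces findings before a user is allowed to extract it.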
Impact Analysis
GTIG attributes exploitation to multiple Russia-linked APTs, including RomCom, Sandworm, Armageddon, and Turla, with targets spanning government, military, and technology organizations, particularly in Ukraine. The most recent state-linked activity was observed in January 2026.
Separately, GTIG identified a Chinese state-sponsored APT exploiting the same flaw to deploy the PoisonIvy malware. Financially motivated cybercriminals also leveraged the vulnerability globally, targeting the hospitality and travel sectors as well as online banking users, and deploying commodity remote access trojans (RATs).
Why It Matters
This campaign illustrates how a single reliable exploit can bridge espionage and cybercrime operations. Once an exploit enters the underground market, it lowers technical barriers and accelerates adoption across threat groups with vastly different objectives. Delayed patching dramatically increases exposure, even after public disclosure.
Expert Commentary
GTIG notes that the widespread abuse of CVE-2025-8088 reflects a mature underground exploit economy. Actors advertising ready-to-use exploits—such as a seller known as “zeroplayer”—enable groups to conduct advanced attacks without developing their own tooling, amplifying overall risk across the threat landscape.
Key Takeaways
CVE-2025-8088 was exploited as a zero-day and continues to be abused post-patch.
Both state-sponsored APTs and cybercrime groups leveraged the flaw.
Exploitation relied on crafted RAR archives and Alternate Data Streams.
Targets included government, military, financial, and hospitality sectors.
Slow patch adoption significantly increases organizational risk.

