Google: Multiple APTs and crime syndicates widely exploited a critical WinRAR flaw

Google’s threat analysts have tracked prolonged, real-world exploitation of a severe WinRAR bug identified as CVE-2025-8088, noting campaigns that continued for months before the vendor issued a patch. The flaw permits specially constructed archives to write files to chosen locations when opened by vulnerable WinRAR builds, enabling persistence by targeting startup paths and other execution points. Investigators observed multiple Russia-linked APTs and at least one China-linked group using this vector against government, defense, and technology organizations, with notable activity directed at Ukrainian entities as recently as January 2026. Financially motivated operators also adopted the technique broadly: researchers tied attacks to targets in Indonesia, Latin America-focused hospitality and travel firms, and online banking users in Brazil. The underground market amplified the threat by offering ready-made exploits; a seller using the alias “zeroplayer” advertised not only this WinRAR exploit but other zero-days, lowering the barrier for less sophisticated actors. Methodologically, adversaries hid malicious files inside Alternate Data Streams of benign decoy files within RAR archives, then used crafted path data to force file placement in authoritative folders that execute on logon. That approach supplied a silent, efficient way to drop remote-access tools, commodity RATs, and bespoke implants like PoisonIvy in targeted environments. The breadth of observed operators — from RomCom and Sandworm to Armageddon and Turla — demonstrates how a single reliable exploit can be reused across distinct strategic and criminal goals. The pattern also underlines a systemic problem: popular desktop utilities with legacy code paths remain attractive targets because exploitation yields high impact with low interaction. Patching closed the specific vulnerability, but widespread reliance on archived documents and the commoditization of exploits means similar flaws can be weaponized quickly. Organizations in the affected sectors should assume exploitation capability exists for any unpatched clients and harden archive-handling workflows, implement controls around startup folders and execution on login, and monitor for unexpected file writes originating from archive extractors. The incident reinforces that timely patching alone is necessary but not sufficient; layered mitigations and threat-detection tuned to archive-based delivery are vital to blunt rapid reuse by both state and criminal actors.