APTs, Cybercriminals Widely Exploiting WinRAR Vulnerability
Briefly

"Tracked as CVE-2025-8088, the high-severity bug was patched on July 30, after being exploited in the wild as a zero-day by the Russia-linked hacking group named RomCom (also known as Storm-0978, Tropical Scorpius, and UNC2596). The issue is described as a path traversal flaw in WinRAR for Windows that can be abused for arbitrary code execution using crafted archive files. According to GTIG, APTs and cybercrime groups have exploited the security defect via malicious files hidden within the Alternate Data Streams (ADS) of a decoy file inside an archive."
"'Adversaries can craft malicious RAR archives which, when opened by a vulnerable version of WinRAR, can write files to arbitrary locations on the system,' GTIG explains. The malicious payloads contain a specially crafted path designed to traverse to a specific directory, typically the startup folder, for persistence. Thus, when the archive is opened, the content is written to the system and will be executed when the user logs in."
"'Government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,' GTIG says. The state-sponsored APTs were seen exploiting the CVE in attacks targeting government, military, and technology entities. GTIG tied the observed attacks to the Russia-linked APTs RomCom, Sandworm (aka APT44, BlackEnergy Lite, and Seashell Blizzard), Armageddon (aka Aqua Blizzard, Callisto, Gamaredon, Primitive Bear, and UNC530), and Turla (aka Krypton, Snake, Venomous Bear, and Waterbug)."
Multiple state-sponsored and cybercrime groups exploited CVE-2025-8088 over the six months before a July 30 patch. The flaw is a path traversal vulnerability in WinRAR for Windows that allows arbitrary code execution through crafted archive files. Attackers hide malicious payloads within the Alternate Data Streams of a decoy file inside an archive to write files to arbitrary system locations. Payloads often target the startup folder for persistence so that code executes at user login. Observed operators include Russia-linked RomCom, Sandworm, Armageddon, Turla, China-linked actors, and financially motivated groups targeting government, military, and technology entities; activity continued into January 2026.
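As an added example (not code from SecurityWeek or GTIG), the following Python pre-extraction gate checks an archive's entry listing for the three traits the report describes: a path that traverses out of the destination directory, a payload carried in an alternate data stream of a decoy entry, and a target inside a Startup folder. The extraction root and entry names below are constructed for illustration; in practice the names come from whatever tool lists the archive, and the check runs before any file is written.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Lower-cased backslash tail shared by the per-user and all-users Startup folders.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

def split_ads(entry_name: str) -> Tuple[str, Optional[str]]:
    """Split 'decoy.txt:stream' into (base, stream); stream is None when there is no ADS."""
    base, sep, stream = entry_name.partition(":")
    return base, (stream if sep else None)

def resolve(dest_root: str, relative: str) -> Tuple[bool, str]:
    """Resolve with Windows rules (ntpath) so it behaves the same on a Linux analysis host."""
    root = ntpath.normcase(ntpath.normpath(dest_root))
    # ntpath.join drops the root when 'relative' is absolute, so '\x' is caught as well.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, relative)))
    return not (target == root or target.startswith(root + ntpath.sep)), target

def assess_entry(entry_name: str, dest_root: str) -> Dict[str, object]:
    """Classify one entry; an ADS on its own (e.g. Zone.Identifier) is not suspicious."""
    base, stream = split_ads(entry_name)
    findings: List[str] = []
    escapes, target = resolve(dest_root, base)
    if escapes:
        findings.append("base name escapes the extraction directory")
    if stream is not None:
        stream_escapes, stream_target = resolve(dest_root, stream)
        if stream_escapes:
            findings.append("ADS stream name escapes the extraction directory")
            target = stream_target
    if STARTUP_MARKER in target:
        findings.append("target lands in a Startup folder (runs at next logon)")
    return {"entry": entry_name, "target": target, "findings": findings, "suspicious": bool(findings)}

def scan_listing(entry_names: List[str], dest_root: str) -> List[Dict[str, object]]:
    """Return the entries that should block extraction or raise an alert."""
    return [r for r in (assess_entry(n, dest_root) for n in entry_names) if r["suspicious"]]

# Constructed sample listing (hypothetical names, not taken from any real archive).
SAMPLE_ROOT = r"C:\Users\analyst\Downloads\extract"
SAMPLE_ENTRIES = [
    r"docs\report.pdf",
    r"docs\report.pdf:Zone.Identifier",  # ADS that stays inside the root: benign
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"invoice.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_ENTRIES, SAMPLE_ROOT):
        print(hit["entry"], "->", hit["target"], "|", "; ".join(hit["findings"]))
```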
Read at SecurityWeek