Everyone's exploiting a WinRAR bug to drop RATs
Briefly

"The exploit abuses Alternate Data Streams (ADS), a feature in Windows, to hide malware. Attackers craft malicious RAR archives with a decoy PDF or other file inside, and when a user opens the decoy file on a vulnerable version of WinRAR, the hidden malware writes files to arbitrary locations on the system. 'Multiple government-backed actors have adopted the CVE-2025-8088 exploit, predominantly focusing on military, government, and technology targets,' GTIG said in a Tuesday report."
"These include RomCom, which is both a ransomware and espionage gang, and is exploiting this bug to target Ukrainian military and government entities using geopolitical lures. Three other Kremlin-linked crews - APT44 (aka Frozenbarents), Temp.Armageddon (aka Carpathian), and Turla (aka Summit) - are also abusing CVE-2025-8088 to target these same sectors in Ukraine. Also according to Google, an unnamed PRC-based group is exploiting the vulnerability to deliver PoisonIvy, a Remote Access Trojan (RAT), via a BAT file dropped into the Startup folder, which then downloads a malware dropper."
CVE-2025-8088 is a path traversal vulnerability in the Windows version of WinRAR. It received a CVSS v3.1 score of 8.8 and was patched in WinRAR 7.13 on July 30. Exploits use Windows Alternate Data Streams (ADS) to hide malware inside a crafted RAR archive: when a user opens the decoy file on a vulnerable WinRAR version, the hidden payload is written to arbitrary locations on the system. Multiple government-backed actors and financially motivated criminal gangs continue to exploit the flaw to deliver infostealers, Remote Access Trojans, and ransomware, including PoisonIvy, dropped via a BAT file placed in the Startup folder that then downloads a malware dropper.
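As an added example (not code from The Register or GTIG), a PowerShell triage script for a Windows host: it checks the installed WinRAR against the 7.13 fix version the summary names and lists recently added items in the user and common Startup folders, the persistence location the PoisonIvy campaign used. It assumes WinRAR is installed under Program Files (portable installs elsewhere are not found) and that WinRAR.exe carries a numeric FileVersion.

```powershell
# Fixed version per the article; anything lower is exposed to CVE-2025-8088.
$PatchedVersion = [version]'7.13'

function Get-WinRarVersion {
    # Assumption: standard install paths. Skip a null ProgramFiles(x86) on 32-bit hosts.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (-not (Test-Path $exe)) { continue }
        $fv = (Get-Item $exe).VersionInfo.FileVersion
        # Keep only the leading dotted number so "7.13 beta 1" style strings still parse.
        if ($fv -match '\d+(\.\d+)+') {
            return [pscustomobject]@{ Path = $exe; Version = [version]$Matches[0] }
        }
    }
    return $null
}

function Get-RecentStartupItems {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Per-user and all-users Startup folders; a dropped .bat here runs at logon.
    $dirs = @([Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff -and
                       $_.Extension -in '.bat', '.cmd', '.lnk', '.vbs', '.ps1' } |
        Select-Object FullName, CreationTime, Length
}

$winrar = Get-WinRarVersion
if (-not $winrar) {
    'WinRAR.exe not found under Program Files (portable copies must be checked by hand).'
} elseif ($winrar.Version -lt $PatchedVersion) {
    "VULNERABLE: $($winrar.Path) is $($winrar.Version); CVE-2025-8088 is fixed in $PatchedVersion."
} else {
    "OK: $($winrar.Path) is $($winrar.Version) (>= $PatchedVersion)."
}

$suspects = Get-RecentStartupItems -Days 30
if ($suspects) {
    'Startup items created in the last 30 days; review each one:'
    $suspects | Format-Table -AutoSize
} else {
    'No recently created script or shortcut files in the Startup folders.'
}
```

A Startup hit is a lead, not a verdict: legitimate installers also place shortcuts there, so compare each item's target and creation time against known change activity before acting.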
Read at Theregister