Full Report
Russians, Chinese spies, run-of-the-mill crims … Come one, come all. Everyone from Russian and Chinese government goons to financially motivated miscreants is exploiting a long-since-patched WinRAR vuln to bring you infostealers and Remote Access Trojans (RATs).…
Analysis Summary
# Main Topic
Widespread exploitation of a long-since-patched WinRAR vulnerability (CVE-2025-8088) by various threat actors, ranging from state-sponsored espionage groups to financially motivated cybercriminals, to deploy infostealers and Remote Access Trojans (RATs).
## Key Points
- The vulnerability is CVE-2025-8088, a path traversal flaw affecting the Windows version of WinRAR, which carries a CVSS v3.1 score of 8.8.
- The vulnerability was patched by WinRAR in version 7.13, released on July 30th.
- Exploitation leverages Alternate Data Streams (ADS) in Windows to conceal malware within malicious RAR archives containing decoy files (e.g., PDFs).
- When the decoy file is opened on a vulnerable system, the path traversal lets the payload hidden in the archive's ADS entries be written to arbitrary locations on disk.
- The vulnerability was exploited as a zero-day shortly after its discovery by ESET researchers.
- The commercial threat actor "zeroplayer" previously advertised a working exploit for this vulnerability for $80,000.
## Threat Actors
- **Russian State-Aligned Groups:** RomCom (targeting Ukrainian military/government), APT44 (aka Frozenbarents), Temp.Armageddon (aka Carpathian), and Turla (aka Summit) are all using the exploit against Ukrainian military, government, and technology sectors.
- **Chinese State-Sponsored Groups (PRC-based):** An unnamed group is exploiting the vulnerability to deliver a RAT via a BAT file planted in the Startup folder.
- **Financially Motivated Criminal Gangs:** Unnamed groups targeting commercial organizations in Indonesia, the hospitality/travel sectors (delivering XWorm and AsyncRAT), and Brazilian users (stealing banking credentials).
## TTPs
- **Exploit Target:** WinRAR path traversal vulnerability (CVE-2025-8088).
- **Delivery Mechanism:** Malicious RAR archives containing decoy files.
- **Evasion Technique:** Abuse of Windows Alternate Data Streams (ADS) to hide the malicious payload.
- **Persistence/Execution:** In some documented cases, malware is dropped via a BAT file into the system's Startup folder to ensure persistence before downloading a dropper.
- **Payloads Utilized:** Infostealers, Remote Access Trojans (RATs) such as XWorm and AsyncRAT, and commodity RATs/stealers.
## Affected Systems
- **Software:** WinRAR versions prior to 7.13 (on Windows).
- **Victim Sectors/Geography:** Ukrainian military, government, and technology entities; commercial organizations in Indonesia; hospitality and travel sectors; and Brazilian users of banking websites (targeted for credential theft).
## Mitigations
- **Patching:** Immediately update or ensure all installations of WinRAR are running version 7.13 or newer (patched July 30th).
- **Software Management:** Review and remove old/unnecessary installations of WinRAR, especially on critical endpoints.
- **Endpoint Detection:** Ensure monitoring is in place for file creation via Alternate Data Streams (ADS), since that is how the payload is staged in these archives.
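As an added illustration of the entry-name pattern behind the ADS and path traversal technique described in the key points above (this is example code, not code from the original report or from WinRAR), the Python scanner below walks RAR5 headers and flags any entry whose stored name uses NTFS ADS syntax or contains a `..` component, which is what a hardened extractor or a gateway check should refuse. The header layout follows the published RAR 5.0 format (header CRC32 is verified); the sample archive bytes and its entry names are constructed for the demonstration.

```python
import re, struct, zlib
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

def read_vint(buf, pos):  # RAR5 vint: little-endian 7-bit groups, high bit set means another byte follows
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def entry_names(buf):
    """Walk the header chain (CRC32, size, type, flags, [extra size], [data size], fields) and yield each file/service header's stored name."""
    if not buf.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos + 4 < len(buf):                    # the end-of-archive header carries no data, so pos reaches len(buf)
        crc, size_pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        hsize, pos = read_vint(buf, size_pos)
        end = pos + hsize                        # header ends here; packed data (if any) follows it
        if zlib.crc32(buf[size_pos:end]) != crc:
            raise ValueError("header CRC mismatch at offset %d" % size_pos)
        htype, pos = read_vint(buf, pos)
        hflags, pos = read_vint(buf, pos)
        pos = read_vint(buf, pos)[1] if hflags & 0x01 else pos            # skip extra-area size
        data_size, pos = read_vint(buf, pos) if hflags & 0x02 else (0, pos)
        if htype in (2, 3):                      # file header (2) or service header (3)
            fflags, pos = read_vint(buf, pos)
            pos = read_vint(buf, read_vint(buf, pos)[1])[1]                # skip unpacked size, attributes
            pos += (4 if fflags & 0x02 else 0) + (4 if fflags & 0x04 else 0)  # optional mtime, data CRC32
            pos = read_vint(buf, read_vint(buf, pos)[1])[1]                # skip compression info, host OS
            nlen, pos = read_vint(buf, pos)
            yield buf[pos:pos + nlen].decode("utf-8", "replace")
        pos = end + data_size

def classify(name):
    """Reasons an entry name is unsafe to write: NTFS ADS syntax (':') and/or a '..' path component."""
    reasons = ["ADS stream name"] if ":" in name else []
    if ".." in re.split(r"[\\/:]", name):
        reasons.append("path traversal")
    return reasons

# Constructed sample archive (not a real malicious file): a clean decoy plus one ADS + traversal entry.
def hdr(body, data=b""):                         # sample-building helper: CRC32 + one-byte size vint + body
    return struct.pack("<I", zlib.crc32(bytes([len(body)]) + body)) + bytes([len(body)]) + body + data
SAMPLE = (RAR5_SIG + hdr(b"\x01\x00\x00")                     # main header: type 1, flags 0, archive flags 0
          + hdr(b"\x02\x02\x14\x00\x14\x20\x00\x00\x09decoy.pdf", b"%PDF-1.4 constructed")
          + hdr(b"\x02\x02\x11\x00\x11\x20\x00\x00\x1edecoy.pdf:../../../dropper.bat", b"@echo constructed")
          + hdr(b"\x05\x00\x00"))                             # end-of-archive header: type 5, flags 0
```

Running `[(n, classify(n)) for n in entry_names(SAMPLE) if classify(n)]` reports only the second entry, with both reasons.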
## Conclusion
The exploitation of CVE-2025-8088 remains highly active across the threat landscape months after a patch was released, indicating widespread failure to update. Organizations dealing with sensitive data or operating in high-risk geopolitical regions (such as Ukraine) are primary targets for state-sponsored actors using this easily accessible exploit vector. Immediate patching of WinRAR is the most crucial mitigation.