A Ukrainian officer double-clicks a RAR file labeled ‘Drone Ops Report’ — next login, Russian malware fires up from the Startup folder.
That’s the scene playing out across military and government desks, thanks to CVE-2025-8088, the WinRAR path traversal vulnerability that’s been live since July 2025. Google Threat Intelligence Group’s latest report lays it bare: state actors from Russia and China, plus garden-variety cybercriminals, keep hammering this flaw. Patched in WinRAR 7.13 back in late July — yet here we are, deep into 2026, with exploits flying.
Look, WinRAR’s everywhere. Over 500 million users, mostly Windows folks archiving files daily. This bug? It lets attackers hide payloads in Alternate Data Streams (ADS) inside seemingly innocent PDFs or docs. Open the archive — traversal magic drops a malicious .lnk straight to AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup. Boom. Persistence achieved, no questions asked.
How Does CVE-2025-8088 Actually Work?
Crafty, isn’t it? Attackers pack a decoy like ‘innocuous.pdf:malicious.lnk’ with a path like ‘../../../../../Users//AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk’. The user’s eye lands on the PDF; the extractor writes the .lnk silently. Google’s got the timeline: exploits kicked off July 18, 2025. Patch dropped July 30. But n-days persist because — surprise — patching lags.
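To make the mechanism concrete from the defender’s side, here is an added triage routine (mine, not Google’s or RARLAB’s code) that looks at archive entry names the way a scanner would before extraction. It flags the three things the report describes: an alternate data stream in an entry name, a traversal or absolute path, and a landing spot in the Startup folder. It works on a listing of names rather than RAR bytes, and the sample listing, including the PLACEHOLDER_USER path, is constructed.

```python
"""Triage archive entry names for CVE-2025-8088-style abuse (added example).

Inspects a listing of entry names (what a RAR lister prints), not the archive
bytes, so it runs offline on the constructed sample at the bottom.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Where a dropped file must land to auto-run at next logon; matched case-insensitively.
STARTUP_MARKER = "microsoft/windows/start menu/programs/startup"


def split_ads(name: str) -> tuple[str, str | None]:
    """Split 'file:stream' into (file, stream); a drive letter like 'C:' is not a stream."""
    normalized = name.replace("\\", "/")
    head, sep, tail = normalized.rpartition(":")
    if sep and not (len(head) == 1 and head.isalpha()):
        return head, tail
    return normalized, None


def escapes_root(path: str) -> bool:
    """True if the path is absolute or climbs above the extraction directory."""
    p = path.replace("\\", "/")
    if p.startswith("/") or PureWindowsPath(p).drive:
        return True
    depth = 0
    for part in p.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def triage_entry(name: str) -> list[str]:
    """Return the findings for one entry name, in a fixed order."""
    findings: list[str] = []
    base, stream = split_ads(name)
    if stream is not None:
        findings.append("ads")          # alternate data stream inside an archive
    if escapes_root(base) or (stream is not None and escapes_root(stream)):
        findings.append("traversal")    # '..' or absolute path in file or stream name
    landing = (stream if stream is not None else base).lower()
    if STARTUP_MARKER in landing:
        findings.append("startup")      # would land in the Startup folder
    if landing.endswith(".lnk"):
        findings.append("lnk")          # shortcut files are what the report describes
    return findings


def triage_listing(names: list[str]) -> dict[str, list[str]]:
    """Map each entry that needs a closer look to its findings; clean entries are omitted."""
    result: dict[str, list[str]] = {}
    for n in names:
        findings = triage_entry(n)
        if findings:
            result[n] = findings
    return result


# Constructed listing: one benign file, one benign ADS (Zone.Identifier is what a
# browser download carries), and one entry shaped like the decoy the article describes.
SAMPLE_LISTING = [
    "docs/report.pdf",
    "report.pdf:Zone.Identifier",
    "innocuous.pdf:../../../../../Users/PLACEHOLDER_USER/AppData/Roaming/"
    "Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk",
]

if __name__ == "__main__":
    for entry, findings in triage_listing(SAMPLE_LISTING).items():
        print(f"{', '.join(findings):28} {entry}")
```

The Zone.Identifier case matters: an ADS on its own is not an alert, because Windows attaches one to every download. The combination of a stream name that traverses out of the extraction directory and ends in the Startup folder is what a rule should key on.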
Here’s Google’s take, straight up:
The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.
Spot on. But let’s cut the PR gloss: this isn’t new. Echoes CVE-2023-38831, another WinRAR mess that Russia and others rode for months post-patch. History rhymes — and defenders keep humming the same tune.
Financial crooks pile on too, though the report cuts the details short. Point is, it’s not just spies; anyone’s grabbing this low-hanging fruit.
Russia’s playing hardball here. Groups like UNC4895 (RomCom to some), APT44, TEMP.Armageddon, even Turla — all zeroing in on Ukraine. Spearphish with Ukrainian lures: military docs, drone chatter. UNC4895 drops NESTPACKER (Snipbot). APT44 fetches more via .lnk downloads. TEMP.Armageddon? HTA files unpacking HTML-stuffed archives. Turla serves STOCKSTAY malware.
And it’s tailored. Ukrainian filenames, geopolitical bait. Google’s Figure 2 shows a decoy doc screaming ‘Ukrainian military unit’ — perfect phishing candy.
China’s in the mix, quieter. PRC actors pushing POISONIVY via BAT droppers. Same Startup trick. Targets? Military, gov, tech — the usual suspects.
Why Hasn’t Patching Killed This WinRAR Bug?
Simple math: slow uptake. Enterprises drag feet on ‘non-critical’ tools like WinRAR (ironic, since CVSS screams high-severity). Users? Worse. Home setups, small biz — forgotten updates. Google’s pushing Safe Browsing, Gmail blocks — smart, but it’s whack-a-mole.
My take? This exposes market dynamics in endpoint security. WinRAR’s free-ish model means no auto-update nag like Chrome. RARLAB patched fast, sure, but without enforcement, it’s theater. Bold prediction: expect CVE-2026-whatever in the family soon. Attackers smell blood; why switch tools?
Compare to Log4Shell frenzy — patches flew because enterprises panicked. WinRAR? Yawn. That’s the gap. Fundamental app sec fails when ubiquity meets apathy.
Defenders, hunt these IOCs Google lists (report’s got ‘em). YARA rules for ADS rarities, Sigma for Startup drops. But root fix? Mandate updates. Block old WinRAR via GPO. Train users — ‘cause lures work.
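As an added example of the ‘Sigma for Startup drops’ idea (my code, not a rule from Google’s report), this scans file-creation events and alerts when an archiver process writes into a Startup folder, with a lower-severity catch for any other process dropping a runnable there. The event lines are constructed in a simplified key=value shape with Sysmon-like field names (Image, TargetFilename); they are not real telemetry or a real log format.

```python
"""Flag Startup-folder drops by an archiver, the persistence step the report describes.

Added example. The events below are constructed key=value lines in a Sysmon-like
shape (Image / TargetFilename), not real telemetry.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Both per-user (AppData\Roaming\...) and all-users (ProgramData\...) Startup folders
# end with this segment; matched case-insensitively.
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
RUNNABLE_EXT = {".lnk", ".exe", ".bat", ".cmd", ".hta", ".vbs", ".js"}
ARCHIVERS = {"winrar.exe"}  # extend with whatever extractors your fleet runs
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: one archiver drop into Startup, two benign writes, one installer drop.
SAMPLE_EVENTS = [
    'EventType=FileCreate Image="C:\\Program Files\\WinRAR\\WinRAR.exe" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\drone_ops.lnk"',
    'EventType=FileCreate Image="C:\\Windows\\explorer.exe" '
    'TargetFilename="C:\\Users\\alice\\Desktop\\Drone Ops Report.rar"',
    'EventType=FileCreate Image="C:\\Program Files\\WinRAR\\WinRAR.exe" '
    'TargetFilename="C:\\Users\\alice\\Downloads\\report.pdf"',
    'EventType=FileCreate Image="C:\\Windows\\System32\\msiexec.exe" '
    'TargetFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Vendor Agent.lnk"',
]


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in FIELD_RE.findall(line)}


def classify(event: dict[str, str]) -> str | None:
    """'high' for an archiver writing into Startup, 'medium' for any other process
    dropping a runnable there, None otherwise."""
    if event.get("EventType") != "FileCreate":
        return None
    target = event.get("TargetFilename", "")
    if not STARTUP_RE.search(target):
        return None
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image in ARCHIVERS:
        return "high"      # an extractor has no business writing here
    if PureWindowsPath(target).suffix.lower() in RUNNABLE_EXT:
        return "medium"    # installers do this legitimately; still worth a look
    return None


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """(severity, image, target) for every event worth an alert, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            alerts.append((sev, ev.get("Image", ""), ev.get("TargetFilename", "")))
    return alerts


if __name__ == "__main__":
    for sev, image, target in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {image} -> {target}")
```

The split into ‘archiver writes anything into Startup’ versus ‘anything writes a runnable into Startup’ keeps the first rule tight enough to page on and leaves the second as a hunting query, since installers and IT tooling create Startup shortcuts all the time.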
State actors adapt quick. Russia-nexus groups hitting Ukraine mirror the 2022-24 campaigns, but cheaper now. No zero-days needed; n-days suffice. China’s POISONIVY play? Classic espionage kit, refreshed. Financials? Probably ransomware loaders — report teases that.
Unique angle: this ain’t isolated. WinRAR’s a vector goldmine because it’s ‘trusted’. Like Notepad backdoors. Historical parallel? Stuxnet hid in print spoolers — mundane wins wars.
Organizations sleeping on this risk breach chains. Initial access? Check. Persistence? Done. Lateral next.
What Should You Do About CVE-2025-8088 Now?
Update to 7.13+. Audit endpoints for old versions — tools like Tanium or PDQ shine here. Enable ADS scanning (not default everywhere). Google’s urging software hygiene — duh, but data shows 30%+ lag on criticals.
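For the ‘audit endpoints for old versions’ step, here is an added example (not code from Tanium, PDQ or anyone the article names) that reads a software inventory export and lists every host whose WinRAR is below 7.13, the version the article gives as the fix. The CSV and its column names are constructed assumptions; map them to whatever your asset tool exports.

```python
"""List endpoints still running a WinRAR older than 7.13 (added example).

The inventory is a constructed CSV in the shape an asset tool could export;
the column names host/product/version are an assumption.
"""
from __future__ import annotations

import csv
import io
import re

FIXED_IN = (7, 13)                       # first version without CVE-2025-8088, per the article
VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int]:
    """'7.01' -> (7, 1), '7.13' -> (7, 13).

    WinRAR ships two-digit minors (7.01, 7.10, 7.12), so a bare '7.1' is
    ambiguous and rejected rather than guessed at."""
    m = VERSION_RE.match(text.strip())
    if not m or len(m.group(2)) != 2:
        raise ValueError(f"unrecognised WinRAR version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_IN


# Constructed inventory: mixed versions plus one non-WinRAR row that must be ignored.
INVENTORY_CSV = """host,product,version
ws-001,WinRAR,7.13
ws-002,WinRAR,7.01
ws-003,WinRAR,6.24
ws-004,WinRAR,7.12
ws-005,7-Zip,24.08
"""


def vulnerable_hosts(csv_text: str) -> list[str]:
    """Hosts whose WinRAR predates the fix, sorted for a stable report."""
    hosts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip().lower() != "winrar":
            continue
        if is_vulnerable(row["version"]):
            hosts.append(row["host"])
    return sorted(hosts)


if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY_CSV):
        print(f"{host}: WinRAR below {FIXED_IN[0]}.{FIXED_IN[1]}, update required")
```

Versions are compared as integer tuples rather than strings so that 7.12 sorts below 7.13 and 6.24 is not mistaken for something newer than 7.01.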
Market shift? Endpoint detection vendors (CrowdStrike, SentinelOne) add WinRAR behavioral rules post-report. Stock bump incoming?
Users, ditch RAR if possible — 7-Zip’s safer, open-source audited. But reality: WinRAR sticks.
And the hype? RARLAB’s quiet post-patch. No big comms push. Contrast Adobe’s CVE blasts. Lesson: toolmakers need security muscle.
Frequently Asked Questions
What is CVE-2025-8088 in WinRAR?
It’s a path traversal bug using ADS to drop files anywhere, like Startup for auto-execution on login.
Are Russian and Chinese hackers still exploiting WinRAR CVE-2025-8088?
Yes, per Google — Russia targeting Ukraine, China espionage ops, financial actors too, months after the July 2025 patch.
How to detect CVE-2025-8088 attacks?
Hunt IOCs from Google’s report: suspicious RARs with ADS, Startup .lnks, YARA for traversals. Update WinRAR, use Safe Browsing.