Google Threat Intelligence warned that a critical WinRAR flaw, first exploited by Russian and Chinese threat actors in targeted spear-phishing attacks against the Ukrainian government and military, is now being used worldwide in widespread cybercrime campaigns delivering ransomware, credential-stealing and remote-access malware.

As documented by Google, CVE-2025-8088 was first observed in the initial phase of the campaign, when attackers phished Ukrainian government and military targets with weaponized .rar archives; opening the archive was the initial access vector that gave the attackers control of the victim’s system.
Google reports that the exploit is now used both in cyber-espionage campaigns and in financially motivated campaigns (ransomware and others) to deliver remote-access backdoors and other malware at scale.
Google classifies this as an n-day: the vulnerability is publicly disclosed and a patch is available, but not all affected parties have applied it, so it continues to be actively exploited.

An attacker combines the path traversal vulnerability with the Windows Alternate Data Streams (ADS) feature to write malicious files outside the intended extraction directory, for example directly into the user’s Windows Startup folder. WinRAR is one of the most widely used compression utilities on Windows, and installations often remain unpatched for years, which makes it a high-risk target for attackers.
In addition, Google reported that Russian government-linked groups, specifically UNC4895 (RomCom), APT44, Armageddon and Turla, used the vulnerability in attacks on Ukraine-based targets to deliver Snipbot, HTA-based loaders and STOCKSTAY, while Chinese government-linked actors used it to deliver the POISONIVY backdoor. Soon afterwards, various cybercriminal groups began using the same exploit to distribute AsyncRAT, XWorm and banking malware across the globe.
CVE-2025-8088 is an example of how techniques developed in cyberwarfare against Ukraine quickly transition into global cybercrime. Google recommends updating immediately to WinRAR 7.13 and monitoring the Startup folders for suspicious files as the primary indicator of successful exploitation.
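The two recommendations above (confirm the patched version is installed, watch the Startup folders) can be turned into a quick audit. The PowerShell script below is an added example written for this article; it is not code from Google's report or from the WinRAR project. It assumes WinRAR is installed under the default Program Files locations, treats 7.13 as the minimum patched version as stated above, and uses a 30-day "recently created" window and a list of executable extensions that are the author's own choices, not values from the report. The ADS listing is a general-purpose check on files already sitting in Startup; the primary indicator named in the article is simply new files appearing there.

```powershell
# Added example: audit a Windows host for CVE-2025-8088 exposure.
# 1. Check the installed WinRAR version against the patched 7.13 release.
# 2. Inventory the per-user and all-users Startup folders, flagging files
#    that were created recently, have an executable type, or carry
#    alternate data streams (ADS) other than the default data stream.
# Install paths, the 30-day window and the extension list are assumptions.

$PatchedVersion = [version]'7.13'
$RecentDays     = 30
$ExecutableExt  = @('.exe', '.dll', '.hta', '.lnk', '.js', '.vbs', '.ps1', '.bat', '.cmd', '.scr')

function Get-WinRarStatus {
    # Assumed default install locations; extend for non-standard installs.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (-not (Test-Path $exe)) { continue }
        $raw = (Get-Item $exe).VersionInfo.ProductVersion
        # Keep only the leading numeric part so a suffix like "beta" does not break the cast.
        if ($raw -match '^\d+(\.\d+)+') { $ver = [version]$Matches[0] } else { $ver = $null }
        return [pscustomobject]@{
            Path       = $exe
            Version    = $ver
            Vulnerable = ($null -eq $ver) -or ($ver -lt $PatchedVersion)
        }
    }
    return $null
}

function Get-StartupFindings {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            $reasons = @()
            if ($file.CreationTime -gt $cutoff) {
                $reasons += "created $($file.CreationTime)"
            }
            if ($file.Extension -in $ExecutableExt) {
                $reasons += 'executable type'
            }
            # Any stream other than the default :$DATA is reported. Zone.Identifier is the
            # usual benign mark-of-the-web stream; anything else deserves a closer look.
            $extra = Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object { $_.Stream }
            if ($extra) {
                $reasons += "ADS: $($extra -join ', ')"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path    = $file.FullName
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

$status = Get-WinRarStatus
if ($null -eq $status) {
    Write-Output 'WinRAR not found in the default install locations.'
} elseif ($status.Vulnerable) {
    Write-Warning "WinRAR $($status.Version) at $($status.Path) is older than $PatchedVersion; update immediately."
} else {
    Write-Output "WinRAR $($status.Version) is at or above $PatchedVersion."
}

$findings = @(Get-StartupFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No notable files in the Startup folders.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the all-users Startup folder and its streams are readable. A legitimate file in Startup can trip the "recently created" or "executable type" rules, so treat the output as a triage list rather than a verdict; on a fleet, the same functions can be scheduled and their output shipped to a SIEM so that new entries in Startup are alerted on centrally.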