The cybersecurity landscape is riskier than ever. The latest news is that a major vulnerability in WinRAR, tracked as CVE-2025-8088, is being used in large-scale attacks. In the first days of July 2025, ESET reported and patched this vulnerability. Since then, threat actors, whether state-sponsored or financially motivated cybercriminals, have capitalized on it as a potent tool. As Google's Threat Intelligence Group (GTIG) notes, this represents a massive increase in exploitation, and the targeting primarily focuses on Ukrainian civilians and the infrastructure essential to their survival.
One of the groups taking advantage of this flaw is Sandworm, or APT44, also known as FROZENBARENTS. The group has used the vulnerability to deliver a decoy document with a Ukrainian filename alongside the malicious LNK file. This is a clear example of the advanced tactics these actors use today to hide their malicious intent and target their victims effectively.
Exploitation Tactics by Threat Actors
A second actor of interest is Gamaredon, listed under the alias CARPATHIAN, which has been targeting Ukrainian government entities with malicious RAR archives. These archives carry HTA (HTML Application) files meant to run destructive commands as soon as they are extracted. Such targeted attacks also call attention to the vulnerability's ability to cause far-reaching disruption within governmental operations.
Turla (aka SUMMIT) has also recently leveraged CVE-2025-8088 to deliver the STOCKSTAY malware suite. Their approach involves lures centered around military activities and drone operations in Ukraine, further demonstrating the vulnerability’s utility in cyber warfare contexts.
Attack chains frequently use an NTFS alternate data stream (ADS) to obscure a malicious file, nesting it within a decoy file stored in the archive. When the user unpacks the archive, the payload is dropped to a well-known location such as the Windows Startup folder, whose contents run automatically the first time a user logs in after a reboot. This additional step ensures persistence on the compromised target machine.
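The mechanism above, an ADS name inside an archive that carries a traversal sequence and lands the payload in a Startup folder, can be checked for before an extractor honours any entry. The following is an added example written for this article, not code from WinRAR, ESET or GTIG: it models the flaw as an extractor that resolves an entry's stream name as a relative path (an assumption made for the demonstration), resolves where each entry would be written, and flags entries that carry an ADS, escape the destination directory, or would land in a Startup folder. The entry names and the extraction directory are constructed for the example.

```python
import ntpath

# Constructed example input: archive entry names as an extractor would see them, using
# Windows path separators. A ':' in a name marks an NTFS alternate data stream (ADS)
# attached to the file before the colon. These names are made up for this demonstration
# and are not taken from any real sample.
SAMPLE_ENTRIES = [
    r"report\summary.docx",
    r"report\summary.docx:notes",
    r"report\summary.docx:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\evil.exe",
]

# Hypothetical extraction directory chosen for the example.
DEST_DIR = r"C:\Users\alice\Downloads\extracted"


def split_ads(entry):
    """Split 'file:stream' into (file, stream); stream is None when no ADS is present.
    Archive entries are assumed to be relative names, so a colon is never a drive letter."""
    base, sep, stream = entry.partition(":")
    return (base, stream if sep else None)


def resolve_target(dest_dir, entry):
    """Path the entry would land at if the stream name were honoured verbatim as a relative
    path (assumption for the demo: resolved against the base file's folder)."""
    base, stream = split_ads(entry)
    rel = base if stream is None else ntpath.join(ntpath.dirname(base), stream)
    return ntpath.normpath(ntpath.join(dest_dir, rel))


def in_startup_folder(path):
    """True when the file would be written into a per-user or all-users Startup folder."""
    return ntpath.dirname(path).lower().endswith(r"\start menu\programs\startup")


def classify_entry(dest_dir, entry):
    """Return findings for one entry, in order: 'ads', 'traversal', 'startup'."""
    findings = []
    if split_ads(entry)[1] is not None:
        findings.append("ads")
    dest_norm = ntpath.normpath(dest_dir)
    target = resolve_target(dest_dir, entry)
    try:
        contained = ntpath.commonpath([dest_norm, target]) == dest_norm
    except ValueError:  # different drives: certainly outside the destination
        contained = False
    if not contained:
        findings.append("traversal")
    if in_startup_folder(target):
        findings.append("startup")
    return findings


def scan_archive(dest_dir, entries):
    """Map each suspicious entry to its findings; clean entries are omitted."""
    return {e: f for e in entries if (f := classify_entry(dest_dir, e))}


if __name__ == "__main__":
    for entry, findings in scan_archive(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{', '.join(findings):<25} {entry}")
        print(f"{'':<25} -> {resolve_target(DEST_DIR, entry)}")
```

The containment test is the general defence against any extraction-time path traversal: normalise the final path and refuse anything whose common prefix with the destination is not the destination itself. The ADS and Startup checks are narrower signals that match the specific pattern described in this article and are useful as triage hints even when an entry stays inside the destination.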
The Broader Implications of Exploitation
To this last point, as reported by our GTIG affiliate Dr. This underground economy is likely the reason for the recent widespread exploitation of this vulnerability. According to reports, WinRAR exploits have often been sold for tens of thousands of dollars on dark web hacker forums. One of stwikr's suppliers, operating under the name "zeroplayer," was particularly fixated on promoting a WinRAR exploit, and this marketing push intensified in the lead-up to CVE-2025-8088's public disclosure.
“Zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle.” – Google Threat Intelligence Group (GTIG)
The convenience and accessibility of these exploits lowers the technical barrier to entry for many types of threat actor. It opens the door for actors with different motives, from nation-states to profit-motivated criminals, to deploy advanced capabilities for malicious purposes.
The report also states that a China-based actor has weaponized CVE-2025-8088, using it to deliver the Poison Ivy malware through a batch script installed in the Windows Startup folder. What's more, the script is set up to download a dropper, which makes detection even harder.
Ongoing Concerns and Recommendations
ESET has observed an unusual exploitation method that chains a path traversal vulnerability. This exposes a large gap in application security practices and user awareness.
“The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.” – Google Threat Intelligence Group (GTIG)
The continued risk presented by these exploits demands urgent action on the part of organizations using WinRAR and other unpatched software. Security professionals recommend implementing strict monitoring protocols and educating users about the threats associated with email attachments and downloaded files.
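The "strict monitoring" recommended above can be made concrete on the endpoint: the exploitation pattern described in this article ends with an archiver process writing a file into a Startup folder, which is a high-signal event because archivers normally write only under the user's chosen extraction directory. The following is an added example, not code from the article or from GTIG or ESET, that runs that detection over constructed Sysmon-style FileCreate (Event ID 11) records flattened to key=value text. The field names follow Sysmon's FileCreate event; the values, timestamps and the archiver watch-list are assumptions made for the demonstration.

```python
import ntpath
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records, flattened to key=value text
# for the demo. The values are fabricated; the field names follow Sysmon's FileCreate event.
SAMPLE_EVENTS = [
    r"UtcTime=2025-08-12 09:14:02 ProcessId=4120 Image=C:\Program Files\WinRAR\WinRAR.exe "
    r"TargetFilename=C:\Users\alice\Downloads\extracted\report\summary.docx",
    r"UtcTime=2025-08-12 09:14:02 ProcessId=4120 Image=C:\Program Files\WinRAR\WinRAR.exe "
    r"TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"UtcTime=2025-08-12 09:20:41 ProcessId=5532 Image=C:\Windows\explorer.exe "
    r"TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt",
]

# Archiver processes whose writes into a Startup folder are anomalous. Assumed watch-list
# for the example; extend it with whatever archivers run in your environment.
ARCHIVERS = {"winrar.exe"}

# A value ends only where the next 'Key=' token begins, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse 'Key=value Key2=value with spaces' into a dict of field name -> value."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def in_startup_folder(path):
    """True for the per-user and all-users Startup folders (same suffix in both)."""
    return ntpath.dirname(path).lower().endswith(r"\start menu\programs\startup")


def detect_startup_drops(events):
    """Return (time, process, path) for every file an archiver created in a Startup folder."""
    hits = []
    for line in events:
        fields = parse_event(line)
        image = ntpath.basename(fields.get("Image", "")).lower()
        target = fields.get("TargetFilename", "")
        if image in ARCHIVERS and in_startup_folder(target):
            hits.append((fields.get("UtcTime"), image, target))
    return hits


if __name__ == "__main__":
    for when, proc, path in detect_startup_drops(SAMPLE_EVENTS):
        print(f"{when}  {proc} wrote {path}")
```

Keying on the writing process rather than on the file name keeps the rule stable across payload changes (LNK, batch script, HTA); the same logic transfers directly to a SIEM query over the real Sysmon event fields, with the watch-list of archiver images widened to match the environment.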

