Google Threat Intelligence Group reports that multiple state-sponsored and criminal organizations have spent the last six months exploiting a critical WinRAR vulnerability. Although a patch was released in July after initial zero-day use by Russian hackers, various groups continue to use the flaw to target government, military, and financial sectors globally.
The flaw, tracked as CVE-2025-8088, is a path traversal bug in how WinRAR handles NTFS alternate data streams; it gives an attacker an arbitrary file write on the victim's Windows system, which is then turned into code execution. A specially crafted archive attaches to a harmless-looking decoy file an alternate data stream whose name contains ..\ path components. When an unpatched WinRAR (any version before 7.13) extracts the decoy, it honours that name and writes the stream's contents to a location of the attacker's choosing, such as the user's Startup folder, so whatever lands there runs automatically at the next logon.
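The mechanism above, as an added example that is not code from the article or from RARLAB: a Python screener that walks a RAR5 archive's headers, pulls the stream name out of each STM service header, builds the path a naive extractor would hand to CreateFile, and flags any entry that collapses to a location outside the extraction directory. It goes a little beyond the article by applying the same containment check to ordinary file names, not only to stream names. The RAR5 layout used here (vint fields, a CRC32 over each header, the stream name carried in a subdata extra record of an STM service header) follows the unrar sources as I read them and is simplified; Windows' collapsing of ".." is emulated with ntpath rather than observed on a real system; the archive, the decoy name report.pdf, the stream name and the destination directory are all constructed for the demonstration.

```python
"""Screen a RAR5 archive for the ADS path traversal pattern behind CVE-2025-8088 (added
example, not code from the article or RARLAB; RAR5 layout and Win32 path rules are modelled)."""
import ntpath, struct, zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HDR_MAIN, HDR_FILE, HDR_SERVICE, HDR_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02   # header flags: extra area / data area present
EXTRA_SUBDATA = 7                  # extra record type carrying the stream name

def vint(n):
    """RAR5 variable-length integer: 7 bits per byte, LSB first, high bit = more follows."""
    out = bytearray()
    while n > 0x7F:
        out.append(n & 0x7F | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def read_vint(buf, pos):
    """Decode a vint at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value, shift, pos = value | (buf[pos] & 0x7F) << shift, shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def build_header(htype, body, extra=b"", data=b""):
    """One block: CRC32, size, type, flags, [extra size], [data size], body, extra, data."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = vint(htype) + vint(flags)
    hdr += (vint(len(extra)) if extra else b"") + (vint(len(data)) if data else b"")
    hdr = vint(len(hdr) + len(body) + len(extra)) + hdr + body + extra
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + data   # CRC spans size field..extra

def entry_body(name, data):
    # file flags, unpacked size, attributes, compression info (stored), host OS, name
    return vint(0) + vint(len(data)) + vint(0x20) + vint(0) + vint(0) + vint(len(name)) + name

def build_sample_archive():
    """Constructed sample: decoy PDF plus an STM stream whose name climbs out of the tree."""
    decoy, payload = b"%PDF-1.4 decoy", b"placeholder shortcut bytes"   # constructed contents
    stream = (b":..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
              b"\\Start Menu\\Programs\\Startup\\Updater.lnk")
    subdata = vint(1 + len(stream)) + vint(EXTRA_SUBDATA) + stream   # size counts the type byte
    return (RAR5_SIG + build_header(HDR_MAIN, vint(0))
            + build_header(HDR_FILE, entry_body(b"report.pdf", decoy), data=decoy)
            + build_header(HDR_SERVICE, entry_body(b"STM", payload), extra=subdata, data=payload)
            + build_header(HDR_END, vint(1)))

def subdata_record(extra):
    """Stream name (subdata record) from a header's extra area, or '' when absent."""
    pos = 0
    while pos < len(extra):
        rsize, p = read_vint(extra, pos)
        rtype, q = read_vint(extra, p)
        if rtype == EXTRA_SUBDATA:
            return extra[q:p + rsize].decode("utf-8", "replace")
        pos = p + rsize
    return ""

def iter_entries(blob):
    """Walk the headers, verifying each CRC; yield (htype, name, stream_name) per entry."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, htype = len(RAR5_SIG), None
    while pos < len(blob) and htype != HDR_END:
        crc, = struct.unpack_from("<I", blob, pos)
        size, p = read_vint(blob, pos + 4)
        hdr_end = p + size
        if zlib.crc32(blob[pos + 4:hdr_end]) != crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        htype, p = read_vint(blob, p)
        flags, p = read_vint(blob, p)
        extra_size, p = read_vint(blob, p) if flags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(blob, p) if flags & HFL_DATA else (0, p)
        if htype in (HDR_FILE, HDR_SERVICE):
            file_flags, p = read_vint(blob, p)
            for _ in range(2):                   # unpacked size, attributes
                _, p = read_vint(blob, p)
            p += (4 if file_flags & 0x02 else 0) + (4 if file_flags & 0x04 else 0)  # mtime, CRC
            for _ in range(2):                   # compression info, host OS
                _, p = read_vint(blob, p)
            nlen, p = read_vint(blob, p)
            name = blob[p:p + nlen].decode("utf-8", "replace")
            yield htype, name, subdata_record(blob[hdr_end - extra_size:hdr_end])
        pos = hdr_end + data_size

def find_traversal(blob, dest_dir):
    """Every file name or STM stream that a naive extractor would write outside dest_dir."""
    root, hits, current = ntpath.normpath(dest_dir), [], ""
    for htype, name, stream in iter_entries(blob):
        if htype == HDR_FILE:
            current, stream = name, ""
        elif name != "STM":                      # other service headers carry no file path
            continue
        # The path CreateFile would see, with '..' collapsed the way Win32 normalisation does.
        target = ntpath.normpath(ntpath.join(dest_dir, current) + stream)
        prefix = ntpath.join(root, "")           # destination with trailing separator
        if not target.lower().startswith(prefix.lower()):
            hits.append({"file": current, "stream": stream, "resolved": target})
    return hits
```

Calling find_traversal(build_sample_archive(), r"C:\Users\victim\Downloads\extracted") lets the decoy through and flags the STM entry, whose resolved path is the user's Startup folder. The point for anyone writing or auditing an extractor is the last step: normalise the final path including any stream suffix and refuse it unless it still sits under the destination; a check on the entry name alone never sees the stream.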
Russian and Chinese state-sponsored actors have been particularly active in using the exploit to further their strategic interests. Russian groups including Sandworm (tracked by Mandiant as APT44) and Gamaredon have aimed it at Ukrainian military units and government entities as recently as January 2026. At the same time, Chinese intelligence groups have used the same vulnerability to deploy the PoisonIvy remote access trojan, showing how quickly a high-severity bug spreads between unrelated actors.
Beyond state-level espionage, the vulnerability has become a staple tool for financially motivated cybercriminals. These groups have launched wide-reaching campaigns targeting online banking users in Brazil, as well as hospitality and travel organizations throughout Latin America and Indonesia. The exploit is frequently used to distribute commodity remote access trojans and other malware designed to siphon funds or sensitive corporate data from unsuspecting victims.
The persistence of these attacks points to a thriving underground market in which specialized developers create and sell exploits to a range of threat actors. One notable seller, operating under the alias zeroplayer, has been marketing the WinRAR exploit alongside other high-value zero-days since mid-2025. This commercialization lowers the barrier to entry for less sophisticated groups, letting them run operations that were once the preserve of well-funded intelligence agencies.
Ultimately, the widespread exploitation of this n-day vulnerability underscores the importance of timely software updates and patch management. Although a fix has been available since July 2025, the continued success of these campaigns shows that many organizations are still running vulnerable versions. As long as users fail to update their software, both government-backed spies and common criminals will keep succeeding with these proven methods of entry.
Source: APTs And Cybercriminals Exploit WinRAR Vulnerability