
Microsoft Windows file archival tool WinRAR exploited worldwide


The Google Threat Intelligence Group (GTIG) has identified a widespread active exploitation of the popular WinRAR file archiver tool for Windows targeting industry and government sectors worldwide.

Security experts believe GTIG brought the high-severity vulnerability to the industry’s attention because exploitation has continued long after a patch was released in July, and new campaigns tied to government-backed threat actors linked to Russia and China are still emerging.

In its Jan. 27 blog post, GTIG researchers said the bug — CVE-2025-8088 — was an n-day path traversal flaw that lets attackers drop malware files into the Windows Startup folder for persistence.

“This vulnerability lets attackers place any file they want into a victim's computer's startup sequence, effectively granting them persistent, full control over a system,” a GTIG spokesperson told SC Media.

Chrissa Constantine, senior cybersecurity solution architect at Black Duck, explained that the WinRAR vulnerability lets attackers hide malware inside a normal-looking zip or archive file. When someone uses an older version of WinRAR to open the file, Constantine said, attackers can trick the application into putting the hidden malicious file into the Windows Startup folder. Files in the Startup folder then run automatically every time someone logs into the computer, so the attacker gets access without the victim seeing anything suspicious.

“Once they are in, attackers do different things depending on their goals,” said Constantine. “Nation-state actors use it to install spyware and keep long-term access to government or military systems. Cybercriminals use it to steal passwords, install remote control malware, or prepare systems for ransomware.”

Constantine added that the fix has been available since last summer, but attackers are still succeeding because many people have not updated WinRAR, largely because most users do not think archive files are dangerous.

Michael Bell, founder and CEO at Suzu Labs, said the vulnerability exploits how WinRAR handles Windows Alternate Data Streams (ADS) during extraction. Attackers craft an archive where the visible file is a harmless PDF, but Bell said the ADS attached to it contains a malicious shortcut or script.

“When you open the archive, WinRAR follows a path traversal in the ADS entry and drops that payload directly into your Windows Startup folder,” said Bell. “WinRAR has more than 500 million users and most of them don't think twice about opening archives. The payload executes without any additional user interaction beyond opening the RAR and logging back in. No macro warnings, no ‘enable content’ prompts. Just persistence.”
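As an added illustration of the defensive check this mechanism calls for (example code, not from GTIG, the researchers quoted, or WinRAR), the following Python scans an archive's entry listing before extraction and flags entries whose alternate data stream or path contains traversal sequences, rating those aimed at the Startup folder highest. The entry names are constructed; the `name:stream` form is Windows' own ADS syntax, and since the article does not describe how RAR encodes such entries on disk, the scanner operates on the names an extraction tool reports.

```python
import posixpath

# Constructed sample of archive entry names as an extraction tool would list them
# (not from any real sample). 'name:stream' is Windows' ADS syntax; the RAR-level
# encoding is not described in the article, so this is an assumption.
SAMPLE_ENTRIES = [
    "report.pdf",
    "report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "images/logo.png",
    "notes.txt:Zone.Identifier",
    "..\\..\\Windows\\System32\\drivers\\etc\\hosts",
]

STARTUP_MARKER = "start menu/programs/startup"


def split_ads(entry):
    """Return (name, stream) for 'name:stream'; stream is None when no ADS syntax is present."""
    # A colon at index 1 is a drive letter ('C:\...'), not a stream separator.
    start = 2 if len(entry) > 1 and entry[1] == ":" else 0
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def normalise(path):
    """Normalise a Windows-style relative path to a forward-slash form for inspection."""
    return posixpath.normpath(path.replace("\\", "/"))


def escapes_extraction_dir(path):
    """True if the path resolves outside the extraction directory (leading '..', root or drive)."""
    norm = normalise(path)
    return norm == ".." or norm.startswith("../") or posixpath.isabs(norm) or norm[1:2] == ":"


def classify_entry(entry):
    """Return (severity, findings); severity is 'none', 'low', 'medium' or 'high'."""
    name, stream = split_ads(entry)
    findings, traverses, startup = [], False, False
    for label, path in (("name", name), ("ads", stream)):
        if path is None:
            continue
        if escapes_extraction_dir(path):
            traverses = True
            findings.append(f"{label} traverses outside the extraction directory")
        if STARTUP_MARKER in normalise(path).lower():
            startup = True
            findings.append(f"{label} targets the Startup folder")
    if stream is not None:
        findings.append("entry carries an alternate data stream")
    severity = "high" if traverses and startup else "medium" if traverses else "low" if findings else "none"
    return severity, findings


def scan_entries(entries):
    """Map each suspicious entry name to its severity; clean entries are omitted."""
    return {e: classify_entry(e)[0] for e in entries if classify_entry(e)[0] != "none"}
```

Run it against a real listing by feeding the names an archive tool prints for the file in question into `scan_entries`; any 'high' result means the archive should not be extracted with an unpatched WinRAR.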

GTIG added that suspected Russia-nexus threat groups are exploiting CVE-2025-8088 in campaigns targeting Ukrainian military and government entities, using highly tailored geopolitical lures. A China-based threat actor has also exploited the vulnerability to deliver PoisonIvy malware via a BAT file dropped into the Startup folder, which then downloads a dropper.

Finally, GTIG said financially motivated threat actors have exploited CVE-2025-8088 on businesses in Indonesia and South America.
