Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect

Google Threat Intelligence Group warned that a diverse and growing collection of attackers, including nation-state groups and financially motivated cybercriminals, are exploiting a path-traversal vulnerability affecting WinRAR that was disclosed and patched six months ago.

The high-severity vulnerability — CVE-2025-8088 — was exploited in the wild almost two weeks before RARLAB, the vendor behind the file archiver tool, addressed the vulnerability in a software update in late July. 

Active exploitation of the vulnerability has consistently extended to more threat groups during the past six months and remains ongoing. Google threat hunters have attributed attacks to at least three financially motivated attackers, four Russian state-sponsored groups and one attacker based in China.

“Government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” Google said in a threat intelligence report Tuesday. Researchers did not say how many attacks are linked to the vulnerability but described the activity as widespread.

Nation-state groups are consistently exploiting the defect to target victims in the military, government and technology sectors for espionage, researchers said. Groups backed by Russia are targeting Ukrainian military and government entities, while the China-based attacker's targets remain unknown.

Cybercriminals are swarming to exploit the vulnerability, too. Google traced campaigns back to groups that previously targeted victims in Indonesia, Latin America and Brazil. Cybercrime groups exploited the vulnerability in December and January to deploy malware, including remote access trojans and infostealers.

Google published a timeline of observed exploitation depicting a broad set of attackers involved through October, but the majority of malicious activity since late 2025 is attributed to cybercriminals. 

Attacks share a common method of exploitation, which was rapidly adopted by a range of threat groups. 

“We are seeing both government-backed groups and financially motivated actors use the same exploitation method to achieve successful execution on target devices,” GTIG said in an email. “This mechanism of crafting a malicious RAR archive makes it more difficult for victims to determine they’ve been impacted, as they are shown a benign decoy file while in the background it silently drops a malicious payload into a critical system location such as Windows Startup folder.”

The malware requires no user interaction, and because there are no obvious indicators of compromise, the malicious activity is very difficult to spot, researchers said.
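The decoy-plus-traversal pattern described above lends itself to a pre-extraction audit of archive entry names. The following is an added example, not code from Google, RARLAB or the article: it computes where each entry would be written by a naive extractor and flags any that leave the extraction directory or land in a Windows Startup folder. The entry names, paths and the exact CVE-2025-8088 trigger are not taken from the page; the listing is constructed, so the check illustrates the generic traversal class rather than reproducing the bug.

```python
import ntpath

# Where a traversal payload would have to land to run at next logon; the page
# names the Windows Startup folder as one such "critical system location".
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def _normalize(path: str) -> str:
    """Canonical, case-folded Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path))

def resolve_entry(extract_dir: str, entry_name: str) -> str:
    """Absolute path an entry would be written to by a naive extractor."""
    drive, _ = ntpath.splitdrive(entry_name)
    rooted = bool(drive) or entry_name[:1] in ("\\", "/")
    target = entry_name if rooted else ntpath.join(extract_dir, entry_name)
    return _normalize(target)

def audit_entry(extract_dir: str, entry_name: str) -> dict:
    """Flag an entry whose write target escapes extract_dir or lands in a
    Startup folder. Returns the resolved path plus the two flags."""
    base = _normalize(extract_dir)
    resolved = resolve_entry(extract_dir, entry_name)
    inside = resolved == base or resolved.startswith(base + "\\")
    return {
        "entry": entry_name,
        "resolved": resolved,
        "escapes": not inside,
        "startup": STARTUP_MARKER in resolved,
    }

def audit_archive(extract_dir: str, entry_names) -> list:
    """Return only the entries a defender should block or investigate."""
    findings = [audit_entry(extract_dir, n) for n in entry_names]
    return [f for f in findings if f["escapes"] or f["startup"]]

# Constructed sample listing (not a real malicious archive): a benign-looking
# decoy next to entries whose paths climb out of, or ignore, the extraction dir.
SAMPLE_EXTRACT_DIR = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    r"invoice.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    r"C:\Users\Public\helper.dll",
]

if __name__ == "__main__":
    for f in audit_archive(SAMPLE_EXTRACT_DIR, SAMPLE_ENTRIES):
        print(f"{f['entry']!r} -> {f['resolved']} "
              f"escapes={f['escapes']} startup={f['startup']}")
```

Feed it the entry names from a real archive listing (for example from a RAR library's namelist) before extraction; any flagged entry is reason to quarantine the archive.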

Attackers of various objectives are flocking to the vulnerability, reminiscent of widespread exploitation of a previous WinRAR defect — CVE-2023-38831 — that Google’s Threat Analysis Group warned about in October 2023. 

“The barrier to entry for threat actors to abuse WinRAR vulnerabilities is low, as there are public ready-to-use tools to quickly craft and test malicious archives,” researchers said. Google urged organizations to install security updates for WinRAR and published indicators of compromise to help defenders hunt for malicious activity on their systems.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
