Hackers Still Using Patched WinRAR Flaw for Malware Drops, Warns Google – Hackread – Cybersecurity News, Data Breaches, AI, and More


The Google Threat Intelligence Group (GTIG) warns that nation-state actors and financially motivated threat actors are exploiting a flaw in WinRAR. Known as CVE-2025-8088, this vulnerability allows hackers to slip malware onto computers unnoticed. Though patched in July 2025, many users remain at risk.

Researchers noted the bug uses a “path traversal” trick: an archive that looks like a normal document can secretly write a malicious file into your Startup folder. Files in this folder run automatically when you log in, giving hackers a persistent back door into your system.
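The defensive check a practitioner would want for the behaviour just described is to compute where each archive entry would actually be written and flag any entry that escapes the extraction directory or lands in a Windows Startup folder. The script below is an added example, not code from Google, ESET or WinRAR; the entry names and the extraction directory are constructed for illustration.

```python
import ntpath

# Constructed extraction directory and entry names (not from any real sample).
DEST = r"C:\Users\victim\Downloads\extract"
SAMPLE_ENTRIES = [
    "invoice/report.docx",                       # benign, stays inside DEST
    "notes/../readme.txt",                       # uses "..", but stays inside DEST
    "invoice/../../../AppData/Roaming/Microsoft/Windows/"
    "Start Menu/Programs/Startup/update.exe",    # traversal into per-user Startup
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",  # absolute path
]

# Substring shared by the per-user and all-users Startup folders (lower-case).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def resolve_entry(name: str, dest: str) -> str:
    """Path a naive extractor would write to: join the entry to dest, then
    collapse '..' and '.' the way Windows path handling does."""
    return ntpath.normpath(ntpath.join(dest, name))


def check_entry(name: str, dest: str) -> dict:
    """Classify one entry: does it leave dest, and does it target Startup?"""
    dest_norm = ntpath.normpath(dest).lower().rstrip("\\") + "\\"
    target = resolve_entry(name, dest)
    low = target.lower()
    return {
        "entry": name,
        "target": target,
        "escapes_dest": not low.startswith(dest_norm),
        "hits_startup": STARTUP_MARKER in low,
    }


def scan_entries(names, dest: str) -> list:
    """Return only the entries that should block extraction or raise an alert."""
    results = (check_entry(n, dest) for n in names)
    return [r for r in results if r["escapes_dest"] or r["hits_startup"]]


if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES, DEST):
        print(f"SUSPICIOUS {finding['entry']!r} -> {finding['target']}")
```

Run it against the entry list of any archive (for example, the names from a RAR or ZIP listing) before extracting; a hit on either flag is reason to quarantine the file rather than open it.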

Decoy document used as a lure (Source: Google)

A Problem First Seen in 2025

This isn’t the first time we’ve heard of this issue. Hackread.com reported on this weakness back in 2025 after it was first found by the security firm ESET. At the time, attackers used it to run arbitrary code, basically taking total control of a victim’s PC, and early campaigns focused on delivering the ‘RomCom backdoor’ via phishing emails.

Further probing by GTIG revealed that since that initial report, several sophisticated groups have been caught using the flaw. This includes:

Russian-Linked Groups

APT44 (also called Sandworm) and Turla have targeted Ukrainian government and military entities. Turla specifically used lures related to drone operations to deliver the STOCKSTAY malware, while another group, TEMP.Armageddon (aka CARPATHIAN) used the bug to drop HTA downloader files.

Researchers identified that a group linked to China has also adopted the exploit. They used it to drop a BAT file that eventually installs the POISONIVY malware.

The RomCom Group

RomCom, also known as UNC4895, is unique because it pursues both government secrets and money, often delivering a Snipbot virus variant. Researchers noted that throughout December and January 2026, cybercriminals have continued to distribute “commodity RATs” and info-stealers. In Brazil, criminals delivered malicious Chrome extensions to steal banking credentials.

In Latin America, the travel sector was hit with fake hotel booking emails. Researchers also found a group targeting Indonesian entities using Dropbox links to install backdoors controlled via Telegram.

Exploitation timelines as observed by researchers (Source: Google)

The Underground Market for Exploits

It must be noted that these attacks are made easier by a thriving underground economy. A seller known as ‘zeroplayer’ was caught selling this WinRAR exploit and other digital keys. This individual’s portfolio included tools to break into Microsoft Office for $300,000 and ‘kill switches’ to disable antivirus software for $80,000, GTIG’s report reveals.

Because these tools are being sold to less-skilled criminals, the threat is growing. To stay safe, ensure your WinRAR is updated to version 7.13 or higher immediately. As researchers noted, keeping your software current is the simplest way to block these diverse threats.
