Everybody is WinRAR Exploitation
2026-01-28 18:59 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
CVE-2025-8088, a path traversal flaw in the Windows version of WinRAR, is being exploited by a wide range of groups to deliver infostealers and Remote Access Trojans (RATs). A crafted archive hides the payload, typically a Windows shortcut (LNK), in an alternate data stream (ADS) of a decoy file; on a vulnerable WinRAR the stream is written to an arbitrary path, usually the user's Startup folder, and runs at the next logon. ESET observed the dual financial and espionage-motivated RomCom group exploiting the flaw as a zero-day from July 18, 2025. Google's Threat Intelligence Group (GTIG) has since identified several Kremlin-linked crews (Sandworm, Gamaredon, Turla) using it against Ukrainian government, military and technology targets with geopolitical lures, a China-based actor delivering Poison Ivy, and financially motivated groups hitting commercial organizations in Indonesia, the hospitality and travel sector (hotel booking lures that drop XWorm and AsyncRAT) and Brazilian banking users. WinRAR fixed the flaw in version 7.13 on July 30, 2025, yet several groups were still abusing it as of late January 2026.
Technical Mitigations (AI-generated)
* Upgrade WinRAR to version 7.13 or later on every Windows host; the fix for the path traversal lives in the WinRAR binary itself, so operating-system updates alone do not close it.
* Keep operating systems and other software current so that related n-day flaws (for example the second WinRAR bug, CVE-2025-6218) are closed before they are weaponized.
* Monitor and restrict writes to the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and alert on new LNK, BAT or other executable content appearing there, since that is the persistence location used consistently across these campaigns; inspect inbound RAR archives for alternate data stream entries and relative paths before they are extracted.
* Keep anti-malware signatures current to catch the RATs and infostealers (Poison Ivy, XWorm, AsyncRAT, SnipBot, RomCom RAT) that are delivered through this vulnerability.
Intelligence Metadata
Actors: Turla (see the timeline for Sandworm/APT44, Gamaredon, RomCom and others)
Malware: Poison Ivy, Cuba ransomware
CVEs: CVE-2025-8088, CVE-2025-6218
Regions (source and target): CN, RU, UA, BR, ID
Sectors: government, hospitality, technology
Incident Timeline
July 18, 2025
RomCom exploits CVE-2025-8088 as a zero-day (reported by ESET).
ESET, which discovered and reported the security defect, said it observed the dual financial and espionage-motivated threat group known as RomCom (aka CIGAR or UNC4895) exploiting the flaw as a zero-day as far back as July 18, 2025, to deliver a variant of the SnipBot (aka NESTPACKER) malware.
Entities: tactic Espionage; organisation ESET; threat actor RomCom (aka CIGAR); malware SnipBot (aka NESTPACKER).
July 2025
Vulnerability discovered and patched; exploitation continues across disparate operations.
"Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations," the Google Threat Intelligence Group (GTIG) said.
Entities: source regions Russian Federation, China; industry Government; attribution the Google Threat Intelligence Group.
July 30, 2025
WinRAR 7.13 released with the fix for CVE-2025-8088.
The vulnerability in question is CVE-2025-8088 (CVSS v3.1 score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025.
Entities: vulnerability CVE-2025-8088; software WinRAR; CVSS score 8.8; fixed version 7.13.
November 2025
Exploit brokers advertise further zero-days alongside the WinRAR exploit trade.
This includes a sandbox escape, remote code execution (RCE) zero-day exploit for Microsoft Office advertised at $300,000 in November 2025, and a zero-day local privilege escalation (LPE) exploit for Windows costing $100,000 a month earlier.
Entities: software Windows, Microsoft Office; tactics Privilege Escalation, Remote Code Execution; financial $300,000 (Office RCE), $100,000 (Windows LPE).
Jan 28, 2026
Google discloses broad exploitation of CVE-2025-8088 for initial access and payload delivery.
Ravie Lakshmanan, Jan 28, 2026, Vulnerability / Threat Intelligence (The Hacker News):
Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads.
Entities: software RARLAB WinRAR; attribution The Hacker News.
2026-01-28
Path traversal in the Windows build of WinRAR used to drop ransomware, espionage tooling and RATs.

The bug, tracked as CVE-2025-8088, is a path traversal flaw that affects the Windows version of the decompression tool. Attackers craft malicious RAR archives with a decoy PDF or other file inside, and when a user opens the decoy file on a vulnerable version of WinRAR, the hidden malware writes files to arbitrary locations on the system. The exploit abuses Alternate Data Streams (ADS), a feature of the NTFS file system on Windows, to hide the malware: attack chains typically conceal the malicious file, such as a Windows shortcut (LNK), within the alternate data streams of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart. It received an 8.8 CVSS v3.1 score, and WinRAR patched the flaw in version 7.13 released on July 30.

"The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness."

Shortly after the release, ESET researchers who discovered and reported the vulnerability told The Register that Russia-aligned crew RomCom and at least one other criminal group exploited the security hole as a zero-day. Three other Kremlin-linked crews - APT44 (aka Frozenbarents), Temp.Armageddon (aka Carpathian), and Turla (aka Summit) - are also abusing CVE-2025-8088 to target these same sectors in Ukraine. Some of the other Russian threat actors who have joined the exploitation bandwagon are listed below -
Sandworm (aka APT44 and FROZENBARENTS), which has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads
Gamaredon (aka CARPATHIAN), which has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage
Turla (aka SUMMIT), which has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centred around Ukrainian military activities and drone operations
GTIG said it also identified a China-based actor weaponizing CVE-2025-8088 to deliver Poison Ivy, a Remote Access Trojan (RAT), via a batch (BAT) script dropped into the Windows Startup folder that's then configured to download a dropper.

While the threat hunters don't name the financially motivated gangs, we're told they include a group targeting commercial organizations in Indonesia, another group that targets hospitality and travel sectors via phishing emails with hotel booking lures that deliver XWorm and AsyncRAT, and a third focused on Brazilian users via banking websites that steals credentials. Some of these attacks have led to the deployment of Telegram bot-controlled backdoors and malware families like AsyncRAT and XWorm. It's worth noting that Google is tracking the threat cluster behind the deployment of Cuba Ransomware, which is also known to use RomCom RAT, under the moniker UNC2596. Reports indicate potential connections between the operators of UNC2596, UNC4895, and a data extortion marketplace called Industrial Spy.

The broad exploitation of the flaw is assessed to have been the result of a thriving underground economy, where WinRAR exploits have been advertised for thousands of dollars. Back in June 2025, before the vulnerability was publicly known, a criminal who goes by "zeroplayer" posted an ad for a working WinRAR zero-day exploit for $80,000 on a cybercrime forum, in the weeks leading to the public disclosure of CVE-2025-8088.

The development comes as another WinRAR vulnerability (CVE-2025-6218, CVSS score: 7.8) has also witnessed exploitation efforts from multiple threat actors, including GOFFEE, Bitter, and Gamaredon, underscoring the threat posed by N-day vulnerabilities.

Entities: software Windows, WinRAR; threat actors Turla (Summit), Sandworm (APT44), Gamaredon (Carpathian), RomCom, UNC2596; malware Poison Ivy, XWorm, AsyncRAT, STOCKSTAY, RomCom RAT, Cuba ransomware; organisations Google, ESET, The Register, Industrial Spy; vulnerabilities CVE-2025-8088, CVE-2025-6218; techniques Alternate Data Streams (ADS), LNK, BAT, HTA.
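The ADS path traversal described above can be caught before extraction, because in the RAR5 format an NTFS stream is not a normal file entry: it is an STM service header whose "service data" extra record carries the stream name, and that name is where the `..\` sequence lives. The following Python is an added example, not code from the source articles, GTIG, ESET or RARLAB. It walks RAR5 block headers (verifying each header CRC32), reads the STM stream name from the extra record, and flags any file name or stream name that would escape the extraction directory. The archive built by make_sample(), its file name, stream name and payload bytes are constructed for illustration; the code assumes the stream name is stored as UTF-8 like RAR5 file names, and does not handle the older RAR4 layout.

```python
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002  # header flags: extra area / data area present
FHEXTRA_SUBDATA = 7  # "service data" extra record; for an STM header it carries the stream name

def put_vint(n):
    """Encode n as a RAR5 vint: little-endian base-128, high bit means 'more bytes follow'."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def get_vint(buf, pos):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7

def build_block(htype, body, extra=b"", data=b""):
    """One block: CRC32 | size | type | flags | [extra size] | [data size] | body | extra, then the data area."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = put_vint(htype) + put_vint(flags)
    hdr += (put_vint(len(extra)) if extra else b"") + (put_vint(len(data)) if data else b"")
    hdr += body + extra
    size = put_vint(len(hdr))  # the CRC covers the size field through the end of the header
    return struct.pack("<I", zlib.crc32(size + hdr)) + size + hdr + data

def file_body(name, data):
    # file flags (data CRC present) | unpacked size | attributes | CRC32 | compression (store) | host OS (Windows) | name
    nm = name.encode("utf-8")
    return (put_vint(0x0004) + put_vint(len(data)) + put_vint(0x20) + struct.pack("<I", zlib.crc32(data))
            + put_vint(0) + put_vint(0) + put_vint(len(nm)) + nm)

def extra_record(rtype, payload):  # record = size (counted from the type field) | type | data
    return put_vint(len(put_vint(rtype) + payload)) + put_vint(rtype) + payload

def make_sample():
    """Constructed archive: a harmless decoy plus an STM service header whose stream name
    climbs into the user's Startup folder. File name, stream name and payload are hypothetical."""
    decoy, payload = b"%PDF-1.4 decoy", b"stand-in bytes, not a real LNK"
    stream = ":..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"
    return (RAR5_SIG + build_block(HEAD_MAIN, put_vint(0))
            + build_block(HEAD_FILE, file_body("Invoice.pdf", decoy), data=decoy)
            + build_block(HEAD_SERVICE, file_body("STM", payload),
                          extra=extra_record(FHEXTRA_SUBDATA, stream.encode("utf-8")), data=payload)
            + build_block(HEAD_END, put_vint(0)))

def walk_headers(blob):
    """Yield (type, name, extra_records, data_size) per block; checks header CRCs and extracts nothing."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(blob):
        stored = struct.unpack_from("<I", blob, pos)[0]
        size, p = get_vint(blob, pos + 4)
        hdr_end = p + size
        if zlib.crc32(blob[pos + 4:hdr_end]) != stored:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = get_vint(blob, p)
        flags, p = get_vint(blob, p)
        extra_size, p = get_vint(blob, p) if flags & HFL_EXTRA else (0, p)
        data_size, p = get_vint(blob, p) if flags & HFL_DATA else (0, p)
        name, records = None, []
        if htype in (HEAD_FILE, HEAD_SERVICE):
            ffl, p = get_vint(blob, p)
            for _ in range(2):  # unpacked size, attributes
                _, p = get_vint(blob, p)
            p += 4 * bool(ffl & 0x0002) + 4 * bool(ffl & 0x0004)  # optional mtime, data CRC32
            for _ in range(2):  # compression info, host OS
                _, p = get_vint(blob, p)
            nlen, p = get_vint(blob, p)
            name = blob[p:p + nlen].decode("utf-8", "replace")
            ep = hdr_end - extra_size
            while ep < hdr_end:  # extra records: size | type | data
                rsize, q = get_vint(blob, ep)
                rtype, r = get_vint(blob, q)
                records.append((rtype, blob[r:q + rsize]))
                ep = q + rsize
        yield htype, name, records, data_size
        if htype == HEAD_END:
            break
        pos = hdr_end + data_size

def is_unsafe_path(path):
    """A '..' component, a leading separator or a drive letter all escape the extraction directory."""
    p = path.replace("/", "\\")
    return p.startswith("\\") or (len(p) > 1 and p[1] == ":") or ".." in p.split("\\")

def scan(blob):
    """Return (finding, name) pairs; any hit is grounds to quarantine the archive before WinRAR opens it."""
    findings = []
    for htype, name, records, _ in walk_headers(blob):
        if htype == HEAD_FILE and is_unsafe_path(name):
            findings.append(("traversal-in-filename", name))
        if htype == HEAD_SERVICE and name == "STM":
            for rtype, payload in records:
                if rtype == FHEXTRA_SUBDATA:
                    stream = payload.decode("utf-8", "replace")  # assumed UTF-8, like RAR5 file names
                    tag = "ads-traversal" if is_unsafe_path(stream.lstrip(":")) else "ads-stream"
                    findings.append((tag, stream))
    return findings
```

Run it against a real archive with scan(open(path, "rb").read()); the constructed sample yields a single ("ads-traversal", ...) finding pointing at the Startup folder. The page notes that version 7.13 closes the traversal at extraction time; checking the archive at the mail gateway or in a sandbox catches it before an unpatched client ever sees it, and reporting plain "ads-stream" hits too is worthwhile, since legitimate inbound archives rarely carry NTFS streams at all.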
Tactical Metrics
Affected products: WinRAR (Windows version; fixed in 7.13), Windows (Startup folder abused for persistence; separate LPE zero-day advertised for $100,000), Microsoft Office (separate RCE zero-day advertised for $300,000 in November 2025)
CVSS v3.1 score: 8.8 (CVE-2025-8088); 7.8 (CVE-2025-6218)
Fixed WinRAR version: 7.13 (released July 30, 2025)
Intelligence Sources
The Hacker News, 2026-01-28: Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088
The Register - Cybercrime, 2026-01-28: Everybody is WinRAR phishing, dropping RATs as fast as lightning
Last Updated: 2026-04-27T06:36
Comprehensive Tactical Telemetry
Highly Correlated Entities (mention counts)
23x organisation: Google
13x attribution: the Google Threat Intelligence Group
8x timeline: July 2025
6x tactic: Ransomware
6x malware: Cuba ransomware
3x source region: Russian Federation
3x industry: Government
3x affected product: Windows
2x vulnerability: CVE-2025-8088
2x CVSS score: 8.8
Contextual Telemetry
threat actor: Turla (APT group)
financial: $100,000 (Windows LPE zero-day, October 2025)