Beware: WinRAR Vulnerability CVE-2025-8088 Under Active Attack

Recently, Google uncovered that various threat actors, ranging from nation-state adversaries to financially motivated groups, have been exploiting a critical security vulnerability in WinRAR to gain initial access and deploy various payloads.

Discovered and addressed in July 2025, the flaw, tracked as CVE-2025-8088 (CVSS score: 8.8), allows attackers to execute arbitrary code by crafting malicious archive files that are then opened with vulnerable versions of WinRAR.

ESET, the cybersecurity firm that initially reported the vulnerability, noted that a threat group named RomCom (also known as CIGAR or UNC4895) exploited the flaw as a zero-day to distribute the SnipBot malware. Additionally, Google has identified a threat cluster responsible for the deployment of Cuba Ransomware, labeled as UNC2596.

Since its discovery, the vulnerability has been extensively exploited by a range of threat actors. For instance, Russian groups such as Sandworm, Gamaredon, and Turla have used the flaw to launch attacks on Ukrainian entities, each employing different tactics.

Furthermore, a China-based actor has been observed using the same vulnerability to distribute Poison Ivy malware. Financially motivated threat actors have also seized the opportunity to deploy Remote Access Trojans (RATs) and information stealers against commercial targets.

Google highlighted a case where a cybercrime group targeted Brazilian users with a malicious Chrome extension designed to steal banking credentials. This incident underscores the diverse range of threats stemming from the exploitation of WinRAR vulnerabilities.

The widespread exploitation of the WinRAR flaw can be attributed to a thriving underground economy in which exploits are sold for significant sums. Notably, a supplier known as “zeroplayer” advertised a WinRAR exploit before the public disclosure of CVE-2025-8088, illustrating the commoditization of cyber attacks.

The need to address such vulnerabilities promptly is underscored by the exploitation of another WinRAR flaw, CVE-2025-6218, by threat actors such as GOFFEE, Bitter, and Gamaredon. These cases emphasize the ongoing threat posed by N-day vulnerabilities.