Cybersecurity

Cyber: Google Warns Of Active Exploitation Of Winrar Vulnerability...

2026-01-28 0 views admin
Cyber: Google Warns Of Active Exploitation Of Winrar Vulnerability...

Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads.

"Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations," the Google Threat Intelligence Group (GTIG) said.

"The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness."

The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025. Successful exploitation of the flaw could allow an attacker to obtain arbitrary code execution by crafting malicious archive files that are opened by a vulnerable version of the program.

ESET, which discovered and reported the security defect, said it observed the dual financial and espionage-motivated threat group known as RomCom (aka CIGAR or UNC4895) exploiting the flaw as a zero-day as far back as July 18, 2025, to deliver a variant of the SnipBot (aka NESTPACKER) malware. It's worth noting that Google is tracking the threat cluster behind the deployment of Cuba Ransomware under the moniker UNC2596.

Since then, the vulnerability has come under widespread exploitation, with attack chains typically concealing the malicious file, such as a Windows shortcut (LNK), within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.

Some of the other Russian threat actors who have joined the exploitation bandwagon are listed below -

GTIG said it also identified a China-based actor weaponizing CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that's then configured to download a dropper.

"Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets," it added. Some of these attacks have led to the deployment of Telegram bot-controlled backdoors and malware families like AsyncRAT and

Source: The Hacker News

🏷️ Tags

securityvulnerabilitycvemalwareransomware

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views