Months after it was patched, a path traversal flaw in WinRAR (CVE-2025-8088) is still being actively exploited, according to Google’s Threat Intelligence Group. The vulnerability was fixed in July 2025, but many users haven’t updated, leaving attackers free to exploit a bug that still works on outdated systems.
WinRAR’s longevity helps explain its persistence. Often bundled with prebuilt PCs or installed once and forgotten, it remains on countless machines. For attackers, it’s an easy bet to send a malicious archive to someone running an older version.
A Simple Flaw, Cleverly Hidden
ESET researchers first spotted the exploit in the wild and tied it to RomCom, a group that mixes espionage with cybercrime. Once technical details were made public, the barrier to entry dropped. Scripts circulated, payloads were repackaged, and a growing roster of threat actors adopted the same approach.
What’s striking is how little the method evolved. It worked, so attackers kept using it.
Attackers manipulate file paths inside malicious archives to force WinRAR to extract files outside the intended directory. The target is the Windows Startup folder, which automatically runs anything placed inside it on boot. Once the archive is opened, the payload is dropped into that folder without requiring elevated privileges or triggering alerts, and it executes on the next restart.
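The traversal described above works because an archive entry name is trusted as a relative path. The following is an added example, not code from the article, from WinRAR, or from the researchers it cites: a PowerShell function of the kind an archive-scanning gateway or a hardened extractor would apply to every entry name before writing anything to disk. It rejects rooted paths, `..` segments, NTFS stream syntax, and any name whose resolved location leaves the extraction root. The function name, the sample entry names, and the extraction root are all constructed for the example.

```powershell
function Test-ArchiveEntryPath {
    param(
        [Parameter(Mandatory)][string]$EntryName,    # entry name as stored in the archive
        [Parameter(Mandatory)][string]$ExtractRoot   # directory the user chose to extract into
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Rooted names: drive letters, leading separators (covers UNC '\\' too).
    if ($EntryName -match '^([A-Za-z]:|[\\/])') { $reasons.Add('rooted or absolute path') }

    # 2. Any '..' segment, whichever separator style the archive used.
    if (($EntryName -split '[\\/]') -contains '..') { $reasons.Add('parent-directory (..) segment') }

    # 3. A colon anywhere other than a drive letter is NTFS alternate data stream
    #    syntax (decoy.pdf:hidden.lnk), which no ordinary archive entry needs.
    if (($EntryName -replace '^[A-Za-z]:') -match ':') { $reasons.Add('alternate data stream syntax') }

    # 4. Belt and braces: the fully resolved path must still sit under the root.
    $root = [IO.Path]::GetFullPath($ExtractRoot).TrimEnd('\', '/') + [IO.Path]::DirectorySeparatorChar
    try {
        $resolved = [IO.Path]::GetFullPath($root + $EntryName)
        if (-not $resolved.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons.Add('resolves outside extraction root')
        }
    } catch {
        # .NET Framework throws on some malformed names; treat that as unsafe too.
        $reasons.Add("unresolvable path: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        Entry   = $EntryName
        Safe    = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed entry names exercising each rule; none of these are real indicators.
$sampleEntries = @(
    'report.pdf',
    'images\cover.png',
    '..\..\Start Menu\Programs\Startup\run.lnk',
    'report.pdf:payload.lnk',
    'C:\Users\Public\notes.txt'
)
$sampleEntries |
    ForEach-Object { Test-ArchiveEntryPath -EntryName $_ -ExtractRoot 'C:\Temp\extract' } |
    Format-Table -AutoSize
```

Only the first two sample entries come back with `Safe = True`. The resolved-path check in step 4 is the one that matters most: the string rules are easy to evade with encoding tricks, whereas comparing the final path against the root catches whatever the earlier rules missed.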
To avoid detection, attackers use Alternate Data Streams (ADS), an obscure Windows NTFS feature that allows data to be hidden within a file without changing how the file appears. In these campaigns, malicious shortcut (.lnk) files are embedded in alternate data streams attached to decoy files that appear harmless, such as documents, images, or other benign-looking content. When extracted, the archive looks normal. Alternate data streams are not shown in File Explorer and are skipped by many antivirus tools by default, making them an ideal delivery method.
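Because the dropped shortcut sits in a Startup folder and the decoy carries its payload in a stream that File Explorer never lists, a quick triage pass on an endpoint has to look at both. This is an added example, not from the article or from Google or ESET: a PowerShell snippet that walks the per-user and all-users Startup folders and reports any shortcut file and any non-default NTFS stream. It assumes it runs as the user whose profile is being checked and that `Zone.Identifier` (the mark-of-the-web stream) is expected noise rather than a finding; a hit is a lead for investigation, not proof of compromise.

```powershell
# Per-user and all-users Startup folders, resolved through the environment rather than hard-coded.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Streams that are normal on downloaded files; everything else is reported.
$benignStreams = @(':$DATA', 'Zone.Identifier')

$findings = foreach ($folder in $startupFolders) {
    foreach ($item in Get-ChildItem -LiteralPath $folder -Force -File) {

        # Any shortcut in Startup runs at logon; list them all for review.
        if ($item.Extension -ieq '.lnk') {
            [pscustomobject]@{ Path = $item.FullName; Stream = ''; Reason = 'shortcut in Startup folder' }
        }

        # Enumerate every NTFS stream on the file; ':$DATA' is the visible content.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $benignStreams -notcontains $_.Stream }

        foreach ($s in $streams) {
            $reason = if ($s.Stream -like '*.lnk') { 'shortcut hidden in alternate data stream' }
                      else { 'non-default alternate data stream' }
            [pscustomobject]@{ Path = $item.FullName; Stream = $s.Stream; Reason = $reason }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No shortcuts or unexpected alternate data streams in Startup folders.'
}
```

To see what a flagged stream actually contains, `Get-Content -LiteralPath <file> -Stream <name> -Raw` reads it without touching the main file; run it against a copy in an isolated environment rather than opening the shortcut on the host.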
“Attackers are leveraging phishing emails to deliver the payload,” said Ben Ronallo, Principal Cybersecurity Engineer at Black Duck. “This avenue often succeeds because victims are expecting an email and attachment from someone. However, because the payloads are hidden via ADS, the attachment appears to be innocuous. There’s nothing to tip off the victim that there’s something wrong.”
Espionage and Ransomware, Same Front Door
The same flaw that fueled espionage campaigns has also been adopted by ransomware groups. Google tracks one such crew, UNC2596, tied to Cuba Ransomware. Their tactics mirror those of state-backed actors: a poisoned archive, a payload in Startup, and hands-off persistence.
“Once they are in, attackers do different things depending on their goal,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck. “Nation-state actors use it to install spyware and keep long-term access to government or military systems. Cybercriminals use it to steal passwords, install remote control malware, or prepare systems for ransomware.”
The Real Gap: Trust and Awareness
The exploit succeeds because users routinely open compressed archives without suspicion, especially when the contents appear familiar. Security teams often overlook risks tied to long-standing utilities like WinRAR, assuming the danger lies elsewhere. That gap in perception has given attackers a reliable path in, even after a patch was released.
As long as basic assumptions about application trust and file safety go unchallenged, flaws like this remain viable.
But the ongoing exploitation of CVE-2025-8088 underscores a broader reality: attackers don’t need new vulnerabilities if the old ones still work. Even after a patch is issued, slow update cycles and misplaced trust in familiar tools can keep organizations exposed.
In this case, the exploit didn’t rely on advanced techniques. It succeeded because users opened files that looked familiar, outdated software remained in place, and basic delivery methods weren’t treated as high risk.
Google’s findings show that patched vulnerabilities remain useful long after disclosure. The fix may exist, but attackers only need to catch an organization off guard once.
“Any security team concerned about this attack chain should be looking for vulnerable versions of WinRAR and forcing upgrades to the latest version,” said Ronallo. “Adding Indicators of Compromise (IOCs) provided by Google’s Threat Intelligence and other threat feeds to their anti-malware, anti-virus, intrusion detection or prevention, and anti-phishing systems.”
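The first of Ronallo's recommendations, finding vulnerable WinRAR installs, is straightforward to inventory from the endpoint. The following is an added example, not from the article or from Black Duck: a PowerShell snippet that locates WinRAR.exe through the default install paths and the Windows uninstall registry keys, reads its product version, and compares it with the fixed build. The article does not state the fixed version number, so `$FixedVersion` is a placeholder to be set from the vendor's advisory before use; the registry key paths are the standard Windows uninstall locations.

```powershell
# PLACEHOLDER: set to the WinRAR release that fixed CVE-2025-8088 (not stated in the article).
$FixedVersion = [version]'0.0'

# Default install locations on 64-bit and 32-bit program directories.
$candidates = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)

# Non-default installs: the uninstall entries record the install folder.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$candidates += Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'WinRAR*' -and $_.InstallLocation } |
    ForEach-Object { Join-Path $_.InstallLocation 'WinRAR.exe' }

$results = $candidates | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
    $info = (Get-Item -LiteralPath $_).VersionInfo
    # ProductVersion may carry trailing text; keep only the leading dotted number.
    $ver = if ($info.ProductVersion -match '^\d+(\.\d+)+') { [version]$Matches[0] } else { $null }
    [pscustomobject]@{
        Path       = $_
        Version    = $ver
        Vulnerable = if ($ver) { $ver -lt $FixedVersion } else { 'unknown' }
    }
}

if ($results) {
    $results | Format-Table -AutoSize
} else {
    'WinRAR not found in default locations or uninstall registry.'
}
```

Run it through the existing endpoint-management channel so the output can be collected fleet-wide; anything reporting `Vulnerable = True` or `unknown` is a candidate for the forced upgrade Ronallo describes.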