WinRAR Vulnerability CVE-2025-8088 Continues to Be Actively Exploited by Hackers


Thursday, January 29, 2026

Cybersecurity experts are warning that a high-severity vulnerability in WinRAR, tracked as CVE-2025-8088, continues to be actively exploited by a wide range of threat actors, including state-sponsored groups and financially motivated cybercriminals. The flaw is a path traversal vulnerability that abuses Alternate Data Streams (ADS) to write malicious files to arbitrary locations on a system. Attackers have leveraged this technique to drop malware into the Windows Startup folder, ensuring persistence by executing the malware every time the system boots.

According to ESET, exploitation of this vulnerability was first observed in early August 2025, when the Russia-linked RomCom group used it in zero-day attacks. More recent reporting from Google Threat Intelligence indicates that exploitation actually began as early as July 2025 and has continued uninterrupted into 2026. The attack mechanism typically hides a malicious payload within the ADS of a decoy file inside a compressed archive. Victims see what appears to be a legitimate document, such as a PDF, while a hidden ADS contains the embedded payload. When the archive is extracted with WinRAR, the payload is written outside the intended directory via path traversal, often resulting in the creation of LNK, HTA, BAT, CMD, or other script files configured to execute automatically when the user logs in.
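The two ingredients described above, a path smuggled into the alternate data stream of a decoy file and `..` traversal out of the extraction directory, are both visible in an archive's entry names before anything is written to disk. The following is an added example, not code from the article or from WinRAR/RARLAB: a pre-extraction screen that takes a listing of entry names (the strings any archive reader reports) and refuses the ones carrying those patterns. All entry names, function names and the `SAMPLE_LISTING` are constructed for illustration.

```python
"""Pre-extraction screen for archive entry names.

Added example, not code from the article or from WinRAR/RARLAB. It flags
'..' traversal in an entry's path, a path hidden in an NTFS Alternate Data
Stream (the text after the colon in 'file:stream'), and auto-run script
types aimed at a Startup folder. Entry names are constructed samples.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

AUTORUN_SUFFIXES = (".lnk", ".hta", ".bat", ".cmd")  # script types named in the report


@dataclass(frozen=True)
class Verdict:
    entry: str
    reasons: tuple

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_stream(entry: str):
    """Split 'file:stream[:$DATA]' into (file, stream); stream is None if absent.
    A leading drive letter such as 'C:\\' is not a stream separator."""
    start = 0
    if (len(entry) >= 2 and entry[1] == ":" and entry[0].isalpha()
            and (len(entry) == 2 or entry[2] in "\\/")):
        start = 2  # skip the drive prefix
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    stream = entry[idx + 1:]
    if stream.lower().endswith(":$data"):
        stream = stream[: -len(":$data")]
    return entry[:idx], stream


def escapes_root(path_text: str) -> bool:
    """True if a relative entry path would resolve outside the extraction root."""
    p = PureWindowsPath(path_text)
    if p.drive or p.root:  # absolute paths never belong in an archive listing
        return True
    depth = 0
    for part in p.parts:
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return True
        elif part != ".":
            depth += 1
    return False


def check_entry(entry: str) -> Verdict:
    """Collect every reason an entry should be refused (empty tuple = clean)."""
    reasons = []
    file_part, stream = split_stream(entry)
    if escapes_root(file_part):
        reasons.append("file path escapes the extraction directory")
    if stream is not None and (any(c in stream for c in "\\/") or ".." in stream):
        # A legitimate stream name (e.g. Zone.Identifier) contains no separators;
        # one that does is meant to be interpreted as a path.
        reasons.append("alternate data stream name contains path components")
    target = (stream if stream is not None else file_part).lower().replace("/", "\\")
    if target.endswith(AUTORUN_SUFFIXES) and "\\startup\\" in target:
        reasons.append("auto-run script type aimed at a Startup folder")
    return Verdict(entry, tuple(reasons))


def scan_listing(entries):
    """Return only the entries that should be refused before extraction."""
    return [v for v in map(check_entry, entries) if v.suspicious]


# Constructed listing: two plain files, a benign mark-of-the-web stream, and
# three entries carrying the patterns the article describes.
SAMPLE_LISTING = [
    "invoice.pdf",
    "docs\\readme.txt",
    "notes.txt:Zone.Identifier",
    "invoice.pdf:..\\..\\..\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk",
    "..\\..\\evil.bat",
    "C:\\Windows\\Temp\\x.cmd",
]

if __name__ == "__main__":
    for v in scan_listing(SAMPLE_LISTING):
        print(f"REFUSE {v.entry!r}: {'; '.join(v.reasons)}")
```

A plain `Zone.Identifier` stream is deliberately not flagged, since Windows attaches it to every downloaded file; only a stream name that carries separators or `..` is treated as a smuggled path. The same screen is equally useful after the fact: running it over the listing of an archive found in a mailbox tells you whether extraction with an unpatched WinRAR would have dropped something outside the target folder.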

Google reports that multiple threat actors have exploited this vulnerability, including UNC4895 (RomCom/CIGAR) targeting Ukraine via phishing emails, APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN) with activity continuing into 2026, the Turla group (SUMMIT), as well as China-linked actors using it to deploy POISONIVY malware. A particularly concerning trend highlighted in the report is the commercialization of cyber threats. Rather than developing exploits themselves, many attackers are purchasing ready-made exploit kits from underground marketplaces. One seller, using the alias “zeroplayer,” reportedly offered exploits for this vulnerability at prices ranging from USD 80,000 to USD 300,000. This trend significantly lowers the barrier to entry, enabling more threat actors to access high-impact exploitation tools and rapidly launch large-scale attacks against unpatched systems.

Source: https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/