Timeline of notable observed exploitation | Image: GTIG
A critical vulnerability in one of the world’s most popular file archivers has become a favorite weapon for government spies and cybercriminals alike. The Google Threat Intelligence Group (GTIG) has released a startling report detailing the widespread exploitation of CVE-2025-8088, a high-severity flaw in WinRAR that allows attackers to bypass security defenses and plant malware deep within a victim’s system.
Despite a patch being released in July 2025, the report highlights a “defensive gap in fundamental application security,” as actors linked to Russia and China continue to leverage this “n-day” vulnerability to target military, government, and commercial sectors globally.
The vulnerability, tracked as CVE-2025-8088, is a path traversal flaw that exploits a Windows feature known as Alternate Data Streams (ADS). This mechanism allows attackers to hide malicious code inside what appears to be a harmless file.
“The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive,” the report explains.
When an unsuspecting user opens a modified RAR archive, perhaps thinking they are viewing a PDF document, the exploit triggers silently. “The payload is written with a specially crafted path designed to traverse to a critical directory, frequently targeting the Windows Startup folder for persistence”.
This means the malware doesn’t just run once; it installs itself to launch automatically every time the computer is turned on.
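As an added, defender-side example (not code from the GTIG report or this article): a small Python triage helper that flags archive entry names carrying the three indicators the article describes, an alternate data stream marker, a path traversal sequence, and a Startup-folder destination. The regular expressions, function names and sample entry names below are constructed for this illustration; in practice you would feed it the entry list produced by an archive listing tool before anything is extracted.

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from the article's description of CVE-2025-8088 abuse:
# an ADS marker ("decoy.ext:stream"), "..\" traversal, and a Startup-folder
# destination. Patterns and sample names are constructed for this example.
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
TRAVERSAL = re.compile(r"(^|[\\/:])\.\.([\\/]|$)")
STARTUP_HINT = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def analyze_entry(name: str) -> list:
    """Return the list of indicator names an archive entry name triggers."""
    reasons = []
    # Strip a drive-letter colon so only stream-separator colons are counted.
    body = name[2:] if DRIVE_PREFIX.match(name) else name
    if ":" in body:
        reasons.append("alternate data stream marker")
    if TRAVERSAL.search(name):
        reasons.append("path traversal sequence")
    if STARTUP_HINT.search(name):
        reasons.append("targets Startup folder")
    if name.startswith(("\\", "/")) or DRIVE_PREFIX.match(name):
        reasons.append("absolute path")
    return reasons


def triage(entries) -> list:
    """Keep only entries with at least one indicator, with their reasons."""
    findings = []
    for entry in entries:
        reasons = analyze_entry(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


# Constructed sample listing: two benign entries, one that mirrors the
# pattern the article describes, and one absolute path (not from any real archive).
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/summary.txt",
    "report.pdf:..\\..\\Start Menu\\Programs\\Startup\\update.bat",
    "C:\\Users\\Public\\notes.txt",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(f"{finding.entry!r}: {', '.join(finding.reasons)}")
```

The helper deliberately reports each indicator separately: a single colon or a lone `..` can occur in unusual but legitimate archives, whereas an entry that combines a stream marker with traversal and a Startup destination is the shape of the behaviour the report attributes to this flaw and is worth blocking or quarantining before extraction.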
GTIG’s investigation reveals a range of threat actors across the cyber threat landscape actively using this exploit:
- Russia-Nexus Actors: Groups like UNC4895 (RomCom), APT44, and Turla have been spotted using the exploit to target Ukrainian military and government entities. “Suspected Russia-nexus threat groups are consistently exploiting CVE-2025-8088 in campaigns targeting Ukrainian military and government entities, using highly tailored geopolitical lures”.
- China-Nexus Actors: A PRC-based actor was observed using the flaw to deliver the POISONIVY malware via a batch file dropped into the Startup folder.
- Cybercriminals: Financially motivated groups are also cashing in. Attackers targeting the LATAM hospitality sector used the bug to deliver XWorm and AsyncRAT, while others targeted Brazilian banking users with malicious Chrome extensions.
The widespread adoption of this exploit is partly driven by suppliers like “zeroplayer,” a threat actor specializing in high-end, expensive vulnerabilities.
“The WinRAR vulnerability is not the only exploit in zeroplayer’s arsenal,” the report notes. This actor has been observed selling top-tier cyberweapons to the highest bidder, including:
- A $300,000 sandbox escape for Microsoft Office.
- A $100,000 Local Privilege Escalation (LPE) exploit for Windows.
- An $80,000 exploit capable of disabling antivirus and EDR software.
“zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle,” the researchers warn.
The vulnerability was addressed with the release of WinRAR version 7.13 on July 30, 2025. However, the persistence of attacks months later proves that many organizations are falling behind on updates.
GTIG urges users to update their software immediately, noting that “After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage”.