Google disclosed on Tuesday that a number of threat actors, including financially motivated organizations and nation-state adversaries, are taking advantage of a critical security flaw in RARLAB WinRAR that has since been patched in order to gain initial access and launch a wide range of payloads. According to the Google Threat Intelligence Group (GTIG), "government-backed threat actors linked to China and Russia as well as financially motivated threat actors continue to exploit this n-day across disparate operations, despite its discovery and patching in July 2025." "A defensive gap in basic application security and user awareness is highlighted by the consistent exploitation method, a path traversal flaw that permits files to be dropped into the Windows Startup folder for persistence."
The vulnerability in question, CVE-2025-8088 (CVSS score: 8.8), was fixed by WinRAR version 7.13, which was made available on July 30, 2025.
Successful exploitation of the flaw, by crafting a malicious archive that the victim opens with a vulnerable version of the program, can lead to arbitrary code execution. As early as July 18, 2025, the dual financial and espionage-motivated threat group known as RomCom (also known as CIGAR or UNC4895) exploited the flaw as a zero-day to deliver a variant of the SnipBot (also known as NESTPACKER) malware, according to ESET, which found and reported the security flaw.
"Actors like zeroplayer reduce the technical complexity and resource demands for threat actors by providing ready-to-use capabilities, allowing groups with diverse motivations [...] to leverage a diverse set of capabilities." The development highlights the threat posed by N-day vulnerabilities, as multiple threat actors, including GOFFEE, Bitter, and Gamaredon, have attempted to exploit another WinRAR vulnerability (CVE-2025-6218, CVSS score: 7.8).
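As an added defensive illustration (not code from the article, Google or ESET), the checker below flags archive entry names that, when resolved the way a traversal-vulnerable extractor would resolve them, land outside the extraction directory or inside a Windows Startup folder, and gates on the version the article names as fixed (7.13). The entry names and extraction directory are constructed samples; a real scanner would take them from an archive parser.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample entry names, as a vulnerable extractor might see them
# (illustrative only, not taken from any real malicious archive).
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.lnk",
    "images/../photo.png",  # stays inside the extraction directory after normalisation
]

# Assumed extraction directory for the sample run.
DEFAULT_DIR = "C:\\Users\\victim\\Downloads\\extract"

# Both the per-user and the all-users Startup folders end with this path suffix.
STARTUP_RE = re.compile(r"start menu\\programs\\startup", re.IGNORECASE)


def winrar_is_patched(version: str) -> bool:
    """CVE-2025-8088 was fixed in WinRAR 7.13 (per the article); older builds are exposed."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= (7, 13)


def entry_escapes(name: str, extract_dir: str = DEFAULT_DIR) -> bool:
    """True if the entry, resolved like a Windows extractor would, lands outside extract_dir."""
    base = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(base, name))  # absolute names replace base
    try:
        return ntpath.commonpath([base, target]).lower() != base.lower()
    except ValueError:  # different drive or UNC root: certainly outside
        return True


def scan_entries(entries: List[str], extract_dir: str = DEFAULT_DIR) -> List[Dict[str, object]]:
    """Return the entries worth blocking, each with the reasons it was flagged."""
    findings = []
    for name in entries:
        reasons = []
        if entry_escapes(name, extract_dir):
            reasons.append("path escapes extraction directory")
        if STARTUP_RE.search(name.replace("/", "\\")):
            reasons.append("targets a Windows Startup folder")
        if reasons:
            findings.append({"entry": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_entries(SAMPLE_ENTRIES):
        print(hit["entry"], "->", "; ".join(hit["reasons"]))
```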