A high-severity WinRAR vulnerability, CVE-2025-8088, is being actively exploited by several threat actors to gain and keep access to Windows systems, according to a warning from Google's Threat Intelligence Group (GTIG). The flaw was discovered and patched in July 2025, but it continues to be exploited as an "n-day" against organizations that have not updated. Both financially motivated cybercriminals and state-backed groups linked to China and Russia are using the bug as a dependable initial access vector and persistence mechanism.

According to Google, the main defensive gaps exposed by this ongoing activity are slow patching and low user awareness of archive tools. WinRAR does not update itself, so the fix has to be installed deliberately, and many machines still run vulnerable builds.

How CVE-2025-8088 Operates

CVE-2025-8088 is a path traversal flaw in how WinRAR handles Windows Alternate Data Streams (ADS) when extracting an archive. An attacker crafts an archive whose entries carry an ADS name containing "..\" segments; the visible file name looks harmless, but when WinRAR writes the stream it follows the relative path outside the extraction directory. That lets a single extraction drop a file into a location of the attacker's choosing, such as the user's Startup folder, where it executes at the next logon. Updating to WinRAR 7.13 or later removes the flaw.
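To make the traversal concrete, the following is an added illustration written for this page; it is not WinRAR's code and not a RAR parser. It takes archive entry names as an extractor would see them after parsing (the sample names, the destination directory C:\Users\bob\Downloads and the file name update.cmd are constructed here) and contrasts a sanitiser that validates only the base file name with one that also validates the ADS suffix. Python's ntpath module is used as a model of Windows path resolution so the example runs on any OS.

```python
"""Why an extractor must validate the NTFS alternate data stream (ADS) suffix of
an archive entry name, not only the base file name.

Illustrative code written for this page, not WinRAR's code and not a RAR
parser. Entry names and paths are constructed samples; ntpath is used so the
Windows path rules apply on any OS."""
import ntpath

# Constructed extraction directory used by the samples.
DEST = r"C:\Users\bob\Downloads"

# Constructed archive entry names, as an extractor would see them after parsing.
SAMPLE_ENTRIES = [
    r"report.pdf",                   # ordinary file
    r"..\evil.cmd",                  # classic traversal in the base name
    r"notes.txt:Zone.Identifier",    # harmless ADS: a plain stream name
    # Traversal hidden in the stream name: the base name is clean, but the
    # stream climbs out of the extraction directory toward the Startup folder.
    r"report.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd",
]


def split_ads(entry_name):
    """Return (base_name, stream_name_or_None). A drive letter's colon is not an ADS."""
    drive, rest = ntpath.splitdrive(entry_name)
    if ":" in rest:
        base, stream = rest.split(":", 1)
        return drive + base, stream
    return entry_name, None


def resolved_target(dest, name):
    """Path the extractor would actually open for `name` under `dest` (ntpath model)."""
    return ntpath.normpath(ntpath.join(dest, name))


def is_inside(dest, target):
    """True if `target` stays within `dest` (case-insensitive, same drive)."""
    dest = ntpath.normpath(dest)
    try:
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:  # different drives, or mixed absolute and relative paths
        return False


def naive_is_safe(dest, entry_name):
    """Flawed sanitiser: normalises and checks only the part before the ':'.

    Models a check that validates the base file name and never looks at the
    ADS suffix, so '..\\' segments inside the stream name go unexamined."""
    base, _stream = split_ads(entry_name)
    return is_inside(dest, resolved_target(dest, base))


def hardened_is_safe(dest, entry_name):
    """Correct check: a stream name must be a plain name (no separators, no '..'),
    and the full path (base + ':' + stream) must still resolve inside dest."""
    base, stream = split_ads(entry_name)
    if stream is not None:
        if not stream or "\\" in stream or "/" in stream or ".." in stream:
            return False
    full = base if stream is None else base + ":" + stream
    return is_inside(dest, resolved_target(dest, full))


def scan_entries(dest, entries):
    """Return the entries the hardened check rejects, with the path each would have written."""
    return [(e, resolved_target(dest, e)) for e in entries if not hardened_is_safe(dest, e)]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e!r}\n  naive={naive_is_safe(DEST, e)}  hardened={hardened_is_safe(DEST, e)}"
              f"\n  would write: {resolved_target(DEST, e)}")
```

Run stand-alone, the last sample is the interesting one: the naive check accepts it because "report.pdf" resolves inside the destination, while the hardened check rejects it, and resolved_target shows the write landing under ...\Startup\update.cmd. The same containment check belongs in any extractor that writes streams, symlink targets or other secondary names derived from archive metadata.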

Combining lure documents with this vulnerability, one group targeting Indonesian entities dropped a .cmd file into the Startup folder. That file then fetched a password-protected RAR archive from Dropbox containing a backdoor that communicates with a command-and-control channel built on a Telegram bot. Another actor, targeting the travel and hospitality industries in Latin America, has used hotel-booking-themed phishing emails to eventually deliver RATs such as XWorm and AsyncRAT.

A different group has targeted Brazilian banking customers by distributing a malicious Chrome extension that injects JavaScript into the pages of two local banks and steals credentials through phishing overlays. GTIG attributes this broad adoption to an expanding underground market of exploit suppliers.

GTIG highlights "zeroplayer," an actor with a history of selling high-priced zero-days who advertised a WinRAR exploit in July 2025.