Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088

Google Threat Intelligence Group (GTIG) reports widespread exploitation of CVE-2025-8088, a path traversal vulnerability in WinRAR. A malicious archive hides its payload in an Alternate Data Stream of a decoy file, and the stream name traverses out of the extraction directory, most often into the Windows Startup folder, so the payload runs at the next logon. The same exploit has been adopted by state-sponsored and financially motivated campaigns alike. Defenders are urged to patch immediately and to hunt for indicators such as malicious RAR archives, LNK/HTA/BAT/CMD payloads dropped into Startup, and the SHA-256 hashes provided in the report. #CVE-2025-8088 #WinRAR

Keypoints

  • GTIG observed active exploitation of CVE-2025-8088 in WinRAR beginning in mid-July 2025; the vulnerability was patched in WinRAR 7.13, released July 30, 2025.
  • Attackers combine Alternate Data Streams (ADS) with directory traversal: the payload is stored as an ADS of a decoy file inside the archive, and the stream name contains ..\ sequences, so on extraction WinRAR writes the payload outside the chosen extraction directory, frequently into the Windows Startup folder for persistence.
  • Both government-backed (Russia- and China-nexus) and financially motivated actors adopted the exploit to deliver diverse payloads including NESTPACKER (Snipbot), STOCKSTAY, POISONIVY, XWorm, and AsyncRAT.
  • Actors used various payload container and loader types: malicious .lnk, .hta, .bat, .cmd, and Chrome extension loaders; some campaigns download additional stages from services like Dropbox.
  • The underground exploit market (example actor “zeroplayer”) rapidly commoditized the WinRAR exploit, accelerating adoption across threat actor types.
  • GTIG published numerous IOCs (filenames and SHA-256 hashes) and recommends immediate patching, use of Safe Browsing/Gmail protections, and hunting for predictable post-exploitation TTPs.
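The exploit pattern described in the keypoints above, a decoy file whose ADS name traverses out of the extraction directory, can be hunted for structurally without extracting anything. The following is an added example and not code from the GTIG report: it walks the RAR5 block headers and flags any "STM" (NTFS stream) service header whose stream name carries a path separator or a ".." element. The header layout follows the published RAR5 format; the builder build_rar5, the constructed archives MALICIOUS and BENIGN, and the stream name STARTUP_ADS are assumptions that exist only so the scanner can run offline, and are not real samples.

```python
import re
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HDR_MAIN, HDR_FILE, HDR_SERVICE, HDR_END = 1, 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x0001, 0x0002
EXTRA_SUBDATA = 0x07  # service-data extra record; in an "STM" header it carries the NTFS stream name
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." path element

def vint_encode(n):
    # RAR5 vint: 7 bits per byte, little-endian, MSB set on every byte except the last
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def vint_decode(buf, pos):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return n, pos

def _block(htype, body, extra=b"", data=b""):
    """RAR5 block: CRC32 | header size | type | flags | [extra size] [data size] | body | extra | data."""
    flags = (FLAG_EXTRA if extra else 0) | (FLAG_DATA if data else 0)
    fields = vint_encode(htype) + vint_encode(flags)
    fields += vint_encode(len(extra)) if extra else b""
    fields += vint_encode(len(data)) if data else b""
    payload = vint_encode(len(fields) + len(body) + len(extra)) + fields + body + extra
    return struct.pack("<I", zlib.crc32(payload)) + payload + data

def _file_body(name, size):
    # stored entry: file flags, unpacked size, attributes, compression info, host OS, name length, name
    n = name.encode("utf-8")
    return b"".join(vint_encode(v) for v in (0, size, 0x20, 0, 0, len(n))) + n

def build_rar5(entries):
    """Build a constructed test archive (assumption, not a real sample); entries are (name, data, ads_name_or_None)."""
    out = bytearray(RAR5_SIG) + _block(HDR_MAIN, vint_encode(0))
    for name, data, ads in entries:
        out += _block(HDR_FILE, _file_body(name, len(data)), data=data)
        if ads is not None:  # an ADS is an "STM" service header; the stream name sits in its extra area
            sub, t = ads.encode("utf-8"), vint_encode(EXTRA_SUBDATA)
            extra = vint_encode(len(t) + len(sub)) + t + sub  # record size counts from the Type field
            out += _block(HDR_SERVICE, _file_body("STM", len(data)), extra=extra, data=data)
    return bytes(out + _block(HDR_END, vint_encode(0)))

def _subdata(extra):
    p = 0
    while p < len(extra):
        rsize, p = vint_decode(extra, p)
        rtype, q = vint_decode(extra, p)
        if rtype == EXTRA_SUBDATA:
            return extra[q:p + rsize].decode("utf-8", "replace")
        p += rsize
    return None

def scan_rar5(buf):
    """Walk the block headers without extracting; return (entry, ads_name, reason) for each suspicious one."""
    if not buf.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, findings = len(RAR5_SIG), []
    while pos < len(buf):
        stored_crc = struct.unpack_from("<I", buf, pos)[0]
        hsize, p = vint_decode(buf, pos + 4)
        hend = p + hsize
        if zlib.crc32(buf[pos + 4:hend]) != stored_crc:  # CRC covers header size .. end of extra area
            raise ValueError(f"header CRC mismatch at offset {pos}")
        htype, p = vint_decode(buf, p)
        flags, p = vint_decode(buf, p)
        extra_size, p = vint_decode(buf, p) if flags & FLAG_EXTRA else (0, p)
        data_size, p = vint_decode(buf, p) if flags & FLAG_DATA else (0, p)
        if htype in (HDR_FILE, HDR_SERVICE):
            fflags, p = vint_decode(buf, p)
            for _ in range(2): _, p = vint_decode(buf, p)  # unpacked size, attributes
            p += (4 if fflags & 0x0002 else 0) + (4 if fflags & 0x0004 else 0)  # optional mtime, data CRC32
            for _ in range(2): _, p = vint_decode(buf, p)  # compression info, host OS
            nlen, p = vint_decode(buf, p)
            name = buf[p:p + nlen].decode("utf-8", "replace")
            if htype == HDR_SERVICE and name == "STM":
                ads = _subdata(buf[hend - extra_size:hend])
                # a valid NTFS stream name never contains a path separator, let alone ".."
                if ads is not None and (TRAVERSAL.search(ads) or "\\" in ads or "/" in ads):
                    findings.append((name, ads, "path separator or traversal in ADS name"))
        pos = hend + data_size  # skip the data area; the scanner never extracts anything
    return findings

STARTUP_ADS = "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"
MALICIOUS = build_rar5([("decoy.pdf", b"%PDF-1.4 decoy", STARTUP_ADS)])  # constructed, not a real sample
BENIGN = build_rar5([("report.pdf", b"%PDF-1.4 report", "Zone.Identifier")])

if __name__ == "__main__":
    for label, archive in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_rar5(archive))
```

The check is deliberately broader than ".." alone: an NTFS stream name may not contain a backslash or forward slash at all, so any separator in an STM name is grounds to quarantine the archive. Two caveats: the scanner verifies each header CRC and raises on mismatch rather than guessing, and an archive whose headers are themselves encrypted (as a password-protected second-stage RAR may be) cannot be inspected this way without the password.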

MITRE Techniques

  • [T1203] Exploitation for Client Execution – CVE-2025-8088 is a client-side bug in WinRAR: initial access comes from a user extracting a crafted RAR archive that writes files to attacker-chosen locations ('CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR that attackers exploit by leveraging Alternate Data Streams (ADS)').
  • [T1204.002] User Execution: Malicious File – Users open a decoy document within the archive while the malicious ADS entries are extracted alongside it ('While the user typically views a decoy document (such as a PDF) within the archive, there are also malicious ADS entries…').
  • [T1564.001] Hide Artifacts: Hidden Files and Directories (Alternate Data Streams) – Adversaries conceal the payload inside the ADS of a decoy file so that a listing of the archive shows only the decoy ('concealing the malicious file within the ADS of a decoy file inside the archive').
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The traversal path in the ADS name drops an LNK/HTA/BAT/CMD file into the Windows Startup folder, where it runs at the next logon ('path designed to traverse to a critical directory, frequently targeting the Windows Startup folder for persistence').
  • [T1105] Ingress Tool Transfer – Dropped scripts retrieve additional stages, including password-protected archives, from external hosts (e.g., 'This script then downloads a password-protected RAR archive from Dropbox').
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Campaigns use .bat/.cmd scripts as initial or secondary downloaders and execution vectors ('POISONIVY malware via a BAT file dropped into the Startup folder' and 'drop a .cmd file into the Startup folder. This script then downloads…').
  • [T1218.005] System Binary Proxy Execution: Mshta – HTA files dropped into the Startup folder are executed by mshta.exe at logon and act as downloaders for the second stage ('uses RAR archives to drop HTA files into the Startup folder. The HTA file acts as a downloader for a second stage').

Indicators of Compromise

  • [SHA-256] Malicious archive and payload hashes – 272c86c6db95f1ef8b83f672b65e64df16494cae261e1aba1aeb1e59dcb68524, 33580073680016f23bf474e6e62c61bf6a776e561385bfb06788a4713114ba9d, and 30+ other hashes listed in the GTI collection.
  • [Filename] Malicious archive names observed in campaigns – 1_14_5_1472_29.12.2025.rar, 2_16_9_1087_16.01.2026.rar, and other RAR archives used to deliver hidden ADS payloads.
  • [Filename] Dropped launcher, script, and decoy filenames – Desktop_Internet.lnk, update.bat, 3-965_26.09.2025.HTA, and підtверджуючі документи.pdf (Ukrainian for "supporting documents"; the decoy PDF whose ADS carries the payload).
  • [File extension] Payload types used for persistence and download – .lnk, .hta, .bat, .cmd, .rar, .pdf (decoy), and malicious Chrome extension installers used for credential theft.
  • [Domain] External hosting used for follow-on stages – dropbox[.]com, referenced as the source of a password-protected RAR archive downloaded by a dropped .cmd script.


Read more: https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability/