Nation-State Hackers, Cybercriminals Weaponize Patched WinRAR Flaw Despite Six-Month-Old Fix

Russian and Chinese state-backed groups and financially motivated actors have been exploiting CVE-2025-8088 in WinRAR, a path traversal vulnerability combined with NTFS Alternate Data Streams, to drop malware into Windows Startup folders. The flaw remained widely abused months after RARLAB released the fix in WinRAR 7.13, with actors such as UNC4895 (RomCom), APT44 (FROZENBARENTS), Turla, and exploit sellers such as zeroplayer delivering payloads including NESTPACKER/Snipbot, STOCKSTAY, and POISONIVY. #CVE-2025-8088 #WinRAR #RomCom #STOCKSTAY #POISONIVY #zeroplayer

Key points

  • CVE-2025-8088 is a high-severity WinRAR path traversal vulnerability that abuses Alternate Data Streams to extract hidden payloads to arbitrary locations.
  • Attackers commonly drop LNK, BAT, HTA, or CMD files into Windows Startup folders to achieve persistence and automatic execution.
  • State-backed groups (UNC4895/RomCom, APT44/FROZENBARENTS, Turla) and criminal actors delivered NESTPACKER/Snipbot, STOCKSTAY, POISONIVY, and commodity RATs via the flaw.
  • Proof-of-concept releases and exploit sales by actors like zeroplayer accelerated widespread adoption and commoditization of the exploit.
  • Effective defense requires immediate patching (WinRAR 7.13) and threat hunting using published IOCs such as Google’s VirusTotal collection.
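The summary and the key points above describe the same abuse pattern: an archive entry whose name smuggles a path traversal, an Alternate Data Stream, or both, so that extraction writes an auto-executing file into a Startup folder. The Python below is an added example, not code from the article or from RARLAB, of a pre-extraction triage check a defender can run over an archive's entry names before letting an extractor touch them. It generalizes past this one CVE to any entry name that uses traversal components, absolute paths, or ADS `file:stream` syntax. The Startup-folder marker, the extension list, and every entry name in `SAMPLE_ENTRIES` are assumptions or constructed test data, not indicators taken from the article.

```python
"""Pre-extraction triage of archive entry names (added example, not code from the article).

Flags names that use path traversal, absolute paths, or NTFS Alternate Data
Stream (ADS) syntax, and marks those that would land an auto-executing file
type in a Windows Startup folder. The entry names below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass, field

# File types the article names as common Startup-folder droppers.
AUTORUN_EXTENSIONS = {".lnk", ".bat", ".hta", ".cmd"}
# Tail shared by the per-user and all-users Startup folders (matched case-insensitively).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# A leading drive letter ('C:\') is not an ADS separator and must be skipped.
DRIVE_RE = re.compile(r"^[A-Za-z]:(\\|$)")


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(norm: str):
    """Return (host_path, stream) for 'file:stream[:$DATA]' names, else (norm, None)."""
    head = norm[:2] if DRIVE_RE.match(norm) else ""
    rest = norm[len(head):]
    if ":" not in rest:
        return norm, None
    host, stream = rest.split(":", 1)
    if stream.endswith(":$DATA"):          # explicit default stream type suffix
        stream = stream[: -len(":$DATA")]
    return head + host, stream


def _path_flags(path: str) -> list:
    """Reasons a single path (entry name or stream name) looks unsafe to extract."""
    parts = path.split("\\")
    reasons = []
    if ".." in parts:
        reasons.append("path traversal")
    if path.startswith("\\") or DRIVE_RE.match(path):
        reasons.append("absolute path")
    if STARTUP_MARKER in path.lower():
        reasons.append("targets Startup folder")
    if ntpath.splitext(path)[1].lower() in AUTORUN_EXTENSIONS:
        reasons.append("auto-executing file type")
    return reasons


def classify_entry(entry: str) -> Finding:
    """Score one archive entry name; the host name and any ADS stream name are both checked."""
    norm = entry.replace("/", "\\")
    host, stream = split_ads(norm)
    reasons = _path_flags(host)
    if stream is not None:
        reasons.append("alternate data stream")
        # The stream name is what an extractor would actually write, so it is
        # inspected like a path of its own.
        reasons.extend(r for r in _path_flags(stream) if r not in reasons)
    return Finding(entry, reasons)


def triage(entries) -> dict:
    """Map each suspicious entry name to its reasons; clean names are omitted."""
    return {f.entry: f.reasons for f in map(classify_entry, entries) if f.suspicious}


# Constructed entry names: two benign, three shaped like the abuse the article describes.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "notes.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\helper.bat",
    "C:\\Windows\\Temp\\run.cmd",
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_ENTRIES).items():
        print(f"{name!r}: {', '.join(why)}")
```

The check deliberately works on names alone, so it can be applied to the listing produced by any archive tool before extraction; a hit on "alternate data stream" or "path traversal" is reason enough to quarantine the archive, and the combination with "targets Startup folder" and "auto-executing file type" matches the persistence pattern the article attributes to this campaign. It complements, rather than replaces, updating to WinRAR 7.13.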

Read More: https://thecyberexpress.com/nation-state-hackers-weaponize-winrar-flaw/