
Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors

2 unique sources, 4 articles

Summary


A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has also exploited the CVE-2025-8088 vulnerability in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
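The summary and the timeline entries below describe the same extraction-time pattern: an archive entry whose name carries an NTFS alternate data stream (ADS) and parent-directory components, so that the decoy file lands in the extraction folder while the stream payload lands somewhere else, typically a per-user Startup folder. A defender can catch that pattern before extraction by auditing the entry names an archive lister reports. The following is an added example of such an audit; it is not code from WinRAR, ESET or GTIG, and the entry names in `SAMPLE_ENTRIES` are constructed to mirror the page's description rather than taken from any real sample.

```python
"""Audit archive entry names for the ADS + path-traversal pattern described
on this page. Added defender-side example; the sample entries are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed entry names, as a RAR/ZIP lister would print them. The first two
# are benign; the third attaches a stream to a decoy PDF whose stream name walks
# out of the extraction directory into the Startup folder; the last two are
# plain traversal and absolute-path entries.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "report.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\Users\\Public\\run.bat",
    "C:\\Windows\\Temp\\x.cmd",
]

# Substrings (lower-cased, backslash form) that identify an autorun location.
AUTORUN_DIRS = ("start menu\\programs\\startup",)
# File types the page reports being dropped (LNK, HTA, BAT, CMD, script files).
RISKY_EXTS = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def split_ads(name):
    """Return (base_path, stream_name or None).

    A colon anywhere after the optional drive letter (e.g. 'C:') denotes an
    NTFS alternate data stream: 'decoy.pdf:evil.lnk' writes to the stream
    'evil.lnk' of 'decoy.pdf', not to a file called 'evil.lnk'.
    """
    drive_colon = 1 if re.match(r"^[A-Za-z]:", name) else -1
    idx = name.find(":", drive_colon + 1)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def escapes_extraction_dir(path):
    """True if extracting `path` relative to the destination folder would
    write outside it: absolute or rooted paths, or more '..' than there are
    directories to climb back out of."""
    p = PureWindowsPath(path)
    if p.is_absolute() or p.drive or p.root:
        return True
    depth = []
    for part in p.parts:
        if part == "..":
            if not depth:          # climbing above the destination
                return True
            depth.pop()
        elif part not in (".", ""):
            depth.append(part)
    return False


def audit_entries(names):
    """Return a list of (entry_name, reasons) for entries that should not be
    extracted blindly. Entries that produce no finding are left out."""
    findings = []
    for name in names:
        base, stream = split_ads(name)
        # For an ADS entry the path that matters is the stream name, because
        # that is what the traversal components are attached to.
        target = stream if stream is not None else base
        reasons = []
        if stream is not None:
            reasons.append("alternate data stream in entry name")
        if escapes_extraction_dir(target):
            reasons.append("resolves outside the extraction directory")
        lowered = target.replace("/", "\\").lower()
        if any(d in lowered for d in AUTORUN_DIRS):
            reasons.append("targets an autorun (Startup) location")
        suffix = PureWindowsPath(target).suffix.lower()
        if suffix in RISKY_EXTS:
            reasons.append("executable or script type " + suffix)
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in audit_entries(SAMPLE_ENTRIES):
        print(f"{entry!r}: {why}")
```

The audit treats the stream name, not the decoy file name, as the path to check, which is the detail a naive "does the entry start with `..`" filter misses. Feeding it the output of an archive listing before extraction, or running it from a mail gateway over attachment listings, flags exactly the entries a patched WinRAR (7.13 or later) refuses to write outside the destination.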

Timeline

  1. 04.02.2026 16:00 1 article · 23h ago

    Amaranth Dragon Exploits WinRAR Flaw in Espionage Attacks

    A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The group combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth. The attacks involved geofencing and themed lures around geopolitical or local events, demonstrating the group's technical proficiency and operational discipline.

  2. 27.01.2026 21:38 3 articles · 8d ago

    Exploitation of WinRAR Vulnerability by State-Sponsored and Financially Motivated Actors

    The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive. When opened, WinRAR extracts the ADS payload using directory traversal, often dropping LNK, HTA, BAT, CMD, or script files that execute on user login. Among the state-sponsored threat actors exploiting CVE-2025-8088 are UNC4895 (RomCom/CIGAR), APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN), Turla (SUMMIT), and China-linked actors. Financially motivated actors are exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser. The threat actors are believed to have sourced working exploits from specialized suppliers, such as one using the alias "zeroplayer," who advertised a WinRAR exploit last July. The Sandworm (aka APT44 and FROZENBARENTS) group has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads. The Gamaredon (aka CARPATHIAN) group has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage. The Turla (aka SUMMIT) group has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centered around Ukrainian military activities and drone operations. A China-based actor has weaponized CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that is then configured to download a dropper. A cybercrime group has delivered a malicious Chrome extension capable of injecting JavaScript into the pages of two Brazilian banking sites to serve phishing content and steal credentials. The broad exploitation of the flaw is assessed to have been the result of a thriving underground economy, where WinRAR exploits have been advertised for thousands of dollars. The supplier "zeroplayer" marketed a WinRAR exploit in the weeks leading up to the public disclosure of CVE-2025-8088.

  3. 11.08.2025 08:54 4 articles · 5mo ago

    WinRAR Path Traversal Vulnerability (CVE-2025-8088) Exploited by Multiple Threat Actors

    A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.



Similar Happenings

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns

Amaranth-Dragon, a China-linked threat actor, has conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, tools, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as the Command and Control (C&C) platform.

Infy APT Resurfaces with Updated Malware and Expanded Targeting

The Iranian APT group Infy (Prince of Persia) has resumed activity after years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group has updated its malware tools Foudre and Tonnerre, employing new techniques such as domain generation algorithms (DGA) and Telegram for command-and-control (C2) communication. The campaign highlights the group's continued relevance and sophistication in cyber espionage. The latest findings reveal that Infy has been active since at least 2004, leveraging malware like Foudre and Tonnerre to profile and exfiltrate data from high-value machines. The group's recent activities include using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50), with the latest Tonnerre version detected in September 2025. Infy stopped maintaining its C2 servers on January 8, 2026, coinciding with an internet blackout in Iran, and resumed activity on January 26, 2026, setting up new C2 servers the day before internet restrictions were relaxed. The group has introduced Tornado version 51, which uses both HTTP and Telegram for C2 communication, and has weaponized a 1-day security flaw in WinRAR to extract the Tornado payload on a compromised host. Additionally, Infy has used a malicious ZIP file to drop ZZ Stealer, which loads a custom variant of the StormKitty infostealer, and there is a strong correlation between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository.

Phantom Stealer Malware Spread via ISO Phishing Emails Targeting Russian Finance Sector

A phishing campaign, codenamed Operation MoneyMount-ISO, is targeting Russian finance and accounting sectors with emails delivering Phantom Stealer malware via malicious ISO files. The campaign uses fake payment confirmation lures to trick recipients into opening a ZIP archive containing an ISO file that launches the malware. Phantom Stealer steals cryptocurrency wallet data, browser credentials, and other sensitive information, exfiltrating data via Telegram bots or Discord webhooks. Additionally, another campaign, DupeHike, targets HR and payroll departments with phishing emails deploying the DUPERUNNER implant, which loads the AdaptixC2 framework. This campaign is attributed to the threat cluster UNG0902. Other campaigns have targeted finance, legal, and aerospace sectors with tools like Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote. The campaign is tracked as Operation MoneyMount-ISO and marks a continued shift toward ISO-based initial access techniques designed to bypass email security controls. The phishing email was written in formal Russian business language and carried the subject line "Подтверждение банковского перевода" or "Confirmation of Bank Transfer." The initial loader decrypted a malicious DLL, which then injected Phantom Stealer into the system while employing extensive anti-analysis checks to evade sandboxes and virtual machines. Targeted sectors included finance, accounting, treasury and payments teams in Russia, procurement, legal and HR or payroll functions, and executive assistants and small or medium-sized enterprises using Russian-language workflows.

Active Exploitation of 7-Zip Symbolic Link RCE Vulnerability (CVE-2025-11001)

Hackers are actively exploiting a symbolic link-based remote code execution vulnerability (CVE-2025-11001) in 7-Zip, which affects the handling of ZIP files and allows directory traversal. The flaw was patched in version 25.00 released in July 2025. NHS England has observed active exploitation of this vulnerability in the wild. The vulnerability is specific to Windows systems and requires elevated privileges or developer mode to be exploited.

GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics

GootLoader, a JavaScript-based malware loader, has resurfaced with advanced tactics to evade detection. The malware now uses custom WOFF2 fonts to obfuscate filenames, modifies ZIP files to appear harmless in analysis tools, and employs concatenated ZIP archives of up to 1,000 parts. Since October 27, 2025, three infections have been observed, two of which led to domain controller compromises within 17 hours. GootLoader, linked to the Hive0127 threat actor, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The malware's latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files are designed to evade static analysis by displaying harmless text in analysis tools while extracting malicious JavaScript files on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying capabilities. Threat actors have used this backdoor to move laterally to domain controllers and create admin-level user accounts. The latest findings highlight GootLoader's use of malformed ZIP archives that evade detection by tools like WinRAR or 7-Zip, while still being extractable by the default Windows unarchiver. The malware employs hashbusting techniques, including randomizing values in non-critical fields and concatenating a unique number of files, to evade detection. The ZIP archive is delivered as an XOR-encoded blob, decoded and repeatedly appended to itself on the client-side to evade network-based detection. The JavaScript malware creates a Windows shortcut (LNK) file in the Startup folder to establish persistence and executes a second JavaScript file using cscript.