Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors
Summary
A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. A crafted archive can make the extractor write files outside the intended directory, which attackers turn into arbitrary code execution. The flaw affects the Windows versions of WinRAR, RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll. It was discovered by researchers from ESET and fixed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited it against a range of organizations, and Google Threat Intelligence Group (GTIG) has confirmed exploitation by both nation-state adversaries and financially motivated groups. A newly identified actor, Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has used CVE-2025-8088 in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks arrive as phishing emails carrying malicious archives; when an archive is opened, the traversal writes files outside the intended directory and leads to code execution. Payloads include a .NET loader that sends system information to an external server and receives additional malware, while financially motivated actors use the flaw to distribute commodity remote access tools and information stealers. The exploit chain often conceals the malicious file in an alternate data stream (ADS) of a decoy file inside the archive, so that the payload is extracted to a chosen path (e.g., the Windows Startup folder) and runs automatically the next time the user logs in after a restart.
Timeline
- 04.02.2026 16:00 · 1 article · 8h ago
Amaranth Dragon Exploits WinRAR Flaw in Espionage Attacks
A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The group combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth. The attacks involved geofencing and themed lures around geopolitical or local events, demonstrating the group's technical proficiency and operational discipline.
Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- 27.01.2026 21:38 · 3 articles · 8d ago
Exploitation of WinRAR Vulnerability by State-Sponsored and Financially Motivated Actors
The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive. When opened, WinRAR extracts the ADS payload using directory traversal, often dropping LNK, HTA, BAT, CMD, or script files that execute on user login. Among the state-sponsored threat actors exploiting CVE-2025-8088 are UNC4895 (RomCom/CIGAR), APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN), Turla (SUMMIT), and China-linked actors. Financially motivated actors are exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser. The threat actors are believed to have sourced working exploits from specialized suppliers, such as one using the alias "zeroplayer," who advertised a WinRAR exploit last July. The Sandworm (aka APT44 and FROZENBARENTS) group has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads. The Gamaredon (aka CARPATHIAN) group has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage. The Turla (aka SUMMIT) group has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centered around Ukrainian military activities and drone operations. A China-based actor has weaponized CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that is then configured to download a dropper. A cybercrime group has delivered a malicious Chrome extension capable of injecting JavaScript into the pages of two Brazilian banking sites to serve phishing content and steal credentials. The broad exploitation of the flaw is assessed to have been the result of a thriving underground economy, where WinRAR exploits have been advertised for thousands of dollars. 
The supplier "zeroplayer" marketed a WinRAR exploit in the weeks leading up to the public disclosure of CVE-2025-8088.
Sources:
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
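The entry-name patterns this chain relies on (parent-directory traversal, a decoy file whose alternate data stream name carries a path, and a destination under the Startup folder) can be screened before anything is extracted. The Python below is an added example written for this page, not code from WinRAR, ESET or GTIG; the archive listing and extraction directory are constructed, and the screener takes entry names from any listing tool rather than parsing RAR itself.

```python
"""Pre-extraction screening of archive entry names for the traversal and
alternate-data-stream (ADS) patterns described in the CVE-2025-8088 reporting.
Added example, not code from WinRAR, ESET or GTIG; all entry names are constructed."""
import ntpath
import re
from dataclasses import dataclass, field

# Both the per-user and the all-users Startup folder paths end with this suffix.
STARTUP_SUFFIX = r"start menu\programs\startup"

# A drive prefix only counts when it is followed by a separator or nothing, so a
# decoy named "a:payload" is read as a file with an ADS, not as a drive spec.
_DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/]|$)")


@dataclass
class Finding:
    entry: str                # entry name exactly as stored in the archive listing
    target: str               # where an extractor that honours the name would write it
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(entry: str):
    """Split 'decoy.pdf:stream' into ('decoy.pdf', 'stream'); (entry, None) if no ADS."""
    m = _DRIVE.match(entry)
    drive = m.group(0) if m else ""
    path, sep, stream = entry[len(drive):].partition(":")
    return drive + path, (stream if sep else None)


def _components(path: str):
    return [c for c in path.replace("/", "\\").split("\\") if c not in ("", ".")]


def screen_entry(entry: str, extract_dir: str) -> Finding:
    path, stream = split_ads(entry)
    win_path = path.replace("/", "\\")
    base = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(base, win_path))
    reasons = []

    if ntpath.isabs(win_path) or ntpath.splitdrive(win_path)[0]:
        reasons.append("absolute path or drive letter in entry name")
    if ".." in _components(win_path):
        reasons.append("parent-directory traversal in entry name")
    if stream is not None:
        if ".." in _components(stream) or "\\" in stream or "/" in stream:
            # NTFS stream names cannot contain a backslash, so a separator here is
            # never a legitimate stream name; it is a path smuggled into the ADS.
            reasons.append("path traversal hidden in alternate data stream name")
        else:
            reasons.append(f"alternate data stream ':{stream}' on an archived file")
    inside = target.lower() == base.lower() or \
        target.lower().startswith(base.lower().rstrip("\\") + "\\")
    if not inside:
        reasons.append("resolves outside the extraction directory")
    if STARTUP_SUFFIX in entry.lower().replace("/", "\\"):
        reasons.append("names a Startup folder (content runs at next logon)")
    return Finding(entry, target, reasons)


def screen_listing(entries, extract_dir):
    """Screen every entry of a listing and return only the suspicious ones."""
    return [f for f in (screen_entry(e, extract_dir) for e in entries) if f.suspicious]


# Constructed listing shaped like the chains the reporting describes: harmless
# documents, a decoy whose ADS name carries a traversal towards the per-user
# Startup folder, a plain traversal entry, and an absolute path.
SAMPLE_ENTRIES = [
    "invoice_2025.pdf",
    "photos/holiday.jpg",
    r"report.docx:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
    r"C:\Windows\Temp\helper.hta",
]
EXTRACT_DIR = r"C:\Users\victim\Downloads\archive"   # constructed extraction directory

if __name__ == "__main__":
    for f in screen_listing(SAMPLE_ENTRIES, EXTRACT_DIR):
        print(f.entry, "->", f.target)
        for r in f.reasons:
            print("   -", r)
```

Updating to WinRAR 7.13 or later remains the fix; a listing screen like this is a compensating control for mail gateways and sandboxes that enumerate archive contents before a user ever opens them.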
- 11.08.2025 08:54 · 4 articles · 5mo ago
WinRAR Path Traversal Vulnerability (CVE-2025-8088) Exploited by Multiple Threat Actors
A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
Information Snippets
- The vulnerability (CVE-2025-8088) is a path traversal flaw in WinRAR that allows arbitrary code execution.
First reported: 11.08.2025 08:54 · 2 sources, 4 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The flaw affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll.
First reported: 11.08.2025 08:54 · 2 sources, 4 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The vulnerability was discovered by Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET.
First reported: 11.08.2025 08:54 · 2 sources, 2 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- The issue was patched in WinRAR version 7.13, released on July 30, 2025.
First reported: 11.08.2025 08:54 · 2 sources, 4 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Threat actors Paper Werewolf and RomCom have exploited this vulnerability in targeted attacks.
First reported: 11.08.2025 08:54 · 2 sources, 3 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- The attacks involve phishing emails with malicious archives that exploit the vulnerability to achieve code execution.
First reported: 11.08.2025 08:54 · 2 sources, 4 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The payloads include a .NET loader that sends system information to an external server and receives additional malware.
First reported: 11.08.2025 08:54 · 2 sources, 4 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The attacks targeted Russian organizations in July 2025, with phishing emails bearing booby-trapped archives.
First reported: 11.08.2025 08:54 · 1 source, 1 article. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- The vulnerability was also exploited by the RomCom group, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.
First reported: 11.08.2025 08:54 · 2 sources, 3 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- The RomCom group used malicious archives with alternate data streams for path traversal, achieving persistence through a Windows shortcut in the startup directory.
First reported: 11.08.2025 08:54 · 1 source, 2 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- The payloads included backdoors such as SnipBot, RustyClaw, and Mythic agent.
First reported: 11.08.2025 08:54 · 2 sources, 3 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- The Paper Werewolf group likely acquired the exploit from a cybercriminal forum, where it was advertised for $80,000.
First reported: 11.08.2025 08:54 · 2 sources, 2 articles. Sources:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive.
First reported: 27.01.2026 21:38 · 2 sources, 3 articles. Sources:
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- When opened, WinRAR extracts the ADS payload using directory traversal, often dropping LNK, HTA, BAT, CMD, or script files that execute on user login.
First reported: 27.01.2026 21:38 · 2 sources, 3 articles. Sources:
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Among the state-sponsored threat actors exploiting CVE-2025-8088 are UNC4895 (RomCom/CIGAR), APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN), Turla (SUMMIT), and China-linked actors.
First reported: 27.01.2026 21:38 · 2 sources, 3 articles. Sources:
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Financially motivated actors are exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser.
First reported: 27.01.2026 21:38 · 2 sources, 3 articles. Sources:
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The threat actors are believed to have sourced working exploits from specialized suppliers, such as one using the alias "zeroplayer," who advertised a WinRAR exploit last July.
First reported: 27.01.2026 21:38 · 2 sources, 2 articles. Sources:
- WinRAR path traversal flaw still exploited by numerous hackers — www.bleepingcomputer.com — 27.01.2026 21:38
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The Sandworm (aka APT44 and FROZENBARENTS) group has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The Gamaredon (aka CARPATHIAN) group has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The Turla (aka SUMMIT) group has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centered around Ukrainian military activities and drone operations.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- A China-based actor has weaponized CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that is then configured to download a dropper.
First reported: 28.01.2026 11:46 · 1 source, 1 article. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- A cybercrime group has delivered a malicious Chrome extension capable of injecting JavaScript into the pages of two Brazilian banking sites to serve phishing content and steal credentials.
First reported: 28.01.2026 11:46 · 1 source, 1 article. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- The broad exploitation of the flaw is assessed to have been the result of a thriving underground economy, where WinRAR exploits have been advertised for thousands of dollars.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The supplier "zeroplayer" marketed a WinRAR exploit in the weeks leading up to the public disclosure of CVE-2025-8088.
First reported: 28.01.2026 11:46 · 2 sources, 2 articles. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Another WinRAR vulnerability (CVE-2025-6218, CVSS score: 7.8) has also been the subject of exploitation attempts by multiple threat actors, including GOFFEE, Bitter, and Gamaredon.
First reported: 28.01.2026 11:46 · 1 source, 1 article. Sources:
- Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 — thehackernews.com — 28.01.2026 11:46
- A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Amaranth Dragon combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Amaranth Dragon targeted organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Amaranth Dragon started exploiting the WinRAR flaw on August 18, 2025, four days after the first working exploit became publicly available.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Before August 2025, Amaranth Dragon's attacks relied on ZIP archives containing .LNK and .BAT files that carried the scripts to decrypt and run the group's loader.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Amaranth Dragon used exploits for CVE-2025-8088 to place a malicious script in the Startup folder, and in some cases, a Registry Run key was also created for redundancy.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- The loader retrieves an AES-encrypted payload from an external URL and decrypts it in memory, often delivering the Havoc C2 post-exploitation framework.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Amaranth Dragon used C2 servers behind Cloudflare infrastructure configured to accept traffic only from targeted regions.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- A new remote access tool, tracked as TGAmaranth RAT, was deployed in more recent Amaranth Dragon attacks, using a Telegram bot for C2 activity.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- TGAmaranth RAT supports file uploading/downloading, taking screenshots, and listing running processes on the host, and implements protections against debugging, antivirus, and EDR solutions.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
- Amaranth Dragon's attacks show that the actor has technical proficiency and operational discipline, adapting tactics and infrastructure for maximum impact on targets.
First reported: 04.02.2026 16:00 · 1 source, 1 article. Sources:
- New Amaranth Dragon cyberespionage group exploits WinRAR flaw — www.bleepingcomputer.com — 04.02.2026 16:00
Similar Happenings
Phantom Stealer Malware Spread via ISO Phishing Emails Targeting Russian Finance Sector
A phishing campaign, codenamed Operation MoneyMount-ISO, is targeting Russian finance and accounting sectors with emails delivering Phantom Stealer malware via malicious ISO files. The campaign uses fake payment confirmation lures to trick recipients into opening a ZIP archive containing an ISO file that launches the malware. Phantom Stealer steals cryptocurrency wallet data, browser credentials, and other sensitive information, exfiltrating data via Telegram bots or Discord webhooks. Additionally, another campaign, DupeHike, targets HR and payroll departments with phishing emails deploying the DUPERUNNER implant, which loads the AdaptixC2 framework. This campaign is attributed to the threat cluster UNG0902. Other campaigns have targeted finance, legal, and aerospace sectors with tools like Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote. Operation MoneyMount-ISO marks a continued shift toward ISO-based initial access techniques designed to bypass email security controls. The phishing email was written in formal Russian business language and carried the subject line "Подтверждение банковского перевода" or "Confirmation of Bank Transfer." The initial loader decrypted a malicious DLL, which then injected Phantom Stealer into the system while employing extensive anti-analysis checks to evade sandboxes and virtual machines. Targeted sectors included finance, accounting, treasury and payments teams in Russia, procurement, legal and HR or payroll functions, and executive assistants and small or medium-sized enterprises using Russian-language workflows.
Active Exploitation of 7-Zip Symbolic Link RCE Vulnerability (CVE-2025-11001)
Hackers are actively exploiting a symbolic link-based remote code execution vulnerability (CVE-2025-11001) in 7-Zip, which affects the handling of ZIP files and allows directory traversal. The flaw was patched in version 25.00 released in July 2025. NHS England has observed active exploitation of this vulnerability in the wild. The vulnerability is specific to Windows systems and requires elevated privileges or developer mode to be exploited.
GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics
GootLoader, a JavaScript-based malware loader, has resurfaced with advanced tactics to evade detection. The malware now uses custom WOFF2 fonts to obfuscate filenames, modifies ZIP files to appear harmless in analysis tools, and employs concatenated ZIP archives of up to 1,000 parts. Since October 27, 2025, three infections have been observed, two of which led to domain controller compromises within 17 hours. GootLoader, linked to the Hive0127 threat actor, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The malware's latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files are designed to evade static analysis by displaying harmless text in analysis tools while extracting malicious JavaScript files on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying capabilities. Threat actors have used this backdoor to move laterally to domain controllers and create admin-level user accounts. The latest findings highlight GootLoader's use of malformed ZIP archives that evade detection by tools like WinRAR or 7-Zip, while still being extractable by the default Windows unarchiver. The malware employs hashbusting techniques, including randomizing values in non-critical fields and concatenating a unique number of files, to evade detection. The ZIP archive is delivered as an XOR-encoded blob, decoded and repeatedly appended to itself on the client-side to evade network-based detection. The JavaScript malware creates a Windows shortcut (LNK) file in the Startup folder to establish persistence and executes a second JavaScript file using cscript.
HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack
The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean while running the rest of the attack chain until the backdoor was active. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies.
Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script." The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components: a legitimate open-source PDF reader application, a malicious DLL that's sideloaded by the PDF reader, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy. The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sideloaded. The use of DLL side-loading has become an increasingly common technique adopted by threat actors to evade detection and conceal signs of malicious activity by taking advantage of legitimate processes. Over the past week, at least three documented campaigns have leveraged DLL side-loading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity trojans and information stealers. In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk. The final payload attempts to communicate with an external server, granting the attackers persistent remote access to the compromised host and exfiltrating data of interest. 
The abuse of legitimate open-source tools, coupled with the use of phishing messages sent on social media platforms, shows that phishing attacks are not confined to emails alone and that alternative delivery methods can exploit security gaps to increase the odds of success and break into corporate environments. ReliaQuest told The Hacker News that the campaign appears to be broad and opportunistic, with activity spanning various sectors and regions. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added. "This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems," the cybersecurity company said. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data." This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors, including those linked to the CryptoCore and Contagious Interview campaigns, have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts. "Social media platforms commonly used by businesses represent a gap in most organizations' security posture," ReliaQuest said. "Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns." 
"Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls."
Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, and the Netherlands, as well as Serbian government agencies. The campaign uses spear-phishing emails carrying malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities in Italy and the Netherlands. The zero-day allows remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a dedicated patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has, however, quietly mitigated it: the November updates change how LNK files are displayed so that the Target field shows all characters, not just the first 260. ACROS Security has also released an unofficial patch that limits shortcut target strings to 260 characters and warns users about the potential danger.
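The display truncation described above (only the first 260 characters of a shortcut's Target shown before the November change) can be checked for directly during triage by parsing the shortcut's string fields rather than relying on what Explorer renders. The following is an added example, not code from Microsoft, ACROS Security or any source summarized here; it reads the fixed ShellLink header and the StringData fields as laid out in the MS-SHLLINK specification and flags command-line arguments longer than 260 characters, the same threshold the unofficial patch enforces. The sample shortcut bytes are constructed inline for the demonstration and carry no payload; the parser deliberately stops after StringData and does not interpret ExtraData blocks.

```python
"""Flag .lnk files whose command-line arguments exceed the 260 characters the
Target field used to display. Added example; sample shortcuts are constructed."""
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

VISIBLE_LIMIT = 260  # characters of Target shown before the November update
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir,
    arguments, icon_location) present in a shortcut."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
              ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
              ("icon_location", HAS_ICON_LOCATION))
    out = {}
    for key, bit in fields:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return out


def suspicious_arguments(data: bytes, limit: int = VISIBLE_LIMIT):
    """Return (flag, reason): flag is True when the arguments string is longer
    than what the Target field displayed, i.e. part of it was hidden."""
    args = parse_lnk_strings(data).get("arguments", "")
    if len(args) > limit:
        return True, f"arguments are {len(args)} chars; {len(args) - limit} beyond the {limit}-char display"
    return False, "arguments fit within the visible range"


def build_sample_lnk(arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk blob with only a CommandLineArguments
    string (constructed test input, not a real sample)."""
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID
    header += struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)   # LinkFlags
    header += struct.pack("<I", 0)                            # FileAttributes
    header += b"\x00" * 24                                    # three FILETIMEs
    header += struct.pack("<IIIHH", 0, 0, 1, 0, 0)            # FileSize, IconIndex, ShowCommand, HotKey, Reserved1
    header += struct.pack("<II", 0, 0)                        # Reserved2, Reserved3
    assert len(header) == HEADER_SIZE
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk("/c echo visible" + " " * 300 + "/constructed-tail")
    print(suspicious_arguments(sample))
```

Legitimate shortcuts almost never carry arguments beyond 260 characters, so the check is cheap to run across a mail gateway's attachment queue or an endpoint's Desktop and Downloads folders; pair a hit with the full decoded arguments string so an analyst sees what the dialog did not.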