
WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score 52
2 unique sources, 2 articles

Summary


CVE-2025-8088 in WinRAR remains part of an ongoing exploitation wave, with multiple threat groups using the flaw for initial access and payload delivery. The abuse has been observed since July 18, 2025 and continues to affect unpatched WinRAR installations, with attackers leveraging the path-traversal/ADS issue to place malicious files and stage payloads such as LNK, HTA, BAT, CMD, and scripts.

Related Happenings

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Zombie ZIP archive-header evasion technique

Technical Analysis
First: 10.03.2026 22:05 Last: 10.03.2026 22:05 Sources 1

About this happening: **Zombie ZIP** is a new archive-evasion technique that can let payloads slip past **AV and EDR scanning** by abusing ZIP header parsing, making malicious content harder to detect....

Silver Dragon assessed within the APT41 umbrella

Threat Actor Meta
First: 04.03.2026 10:14 Last: 04.03.2026 10:14 Sources 1

About this happening: **Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...

ScarCruft Ruby Jumper campaign

Campaign
First: 27.02.2026 14:43 Last: 27.02.2026 14:43 Sources 1

About this happening: The **ScarCruft**-linked **Ruby Jumper** operation is using a **malicious LNK** infection chain and multi-stage payload delivery to support **surveillance** and attempts to breach...

Google Groups and Google-hosted URL malware campaign targeting global organizations

Campaign
First: 15.02.2026 18:30 Last: 15.02.2026 18:30 Sources 1

About this happening: An active **Google Groups** malware campaign is abusing **Google-hosted URLs** to target **global organizations** and increase trust-based delivery success. Attackers seed legitim...

Timeline

  1. 27.01.2026 21:38 1 article · 3mo ago

    WinRAR CVE-2025-8088 exploitation begins

    Exploitation Observed

    Google Threat Intelligence Group says exploitation of CVE-2025-8088 in WinRAR started as early as July 18, 2025, with attackers using Alternate Data Streams and directory traversal to write malicious files to arbitrary locations and gain initial access.

  2. 27.01.2026 21:38 3 articles · 3mo ago

    Google broadens the WinRAR exploitation picture

    Campaign Scope Update

    On January 27, 2026, Google Threat Intelligence Group reported that CVE-2025-8088 exploitation continued from both state-backed espionage actors and lower-tier, financially motivated cybercriminals, and it also noted that ESET had reported in early August 2025 that RomCom was exploiting the flaw in zero-day attacks.
