Recent WinRAR flaw now widely exploited by state hackers and cybercrime groups

Google Mandiant says a recently patched WinRAR vulnerability is being widely exploited by a growing range of threat actors, expanding from Russian state-linked groups to Chinese espionage actors and financially motivated cybercriminals. The flaw, tracked as CVE-2025-8088, allows attackers to place malicious files on a victim’s system by tricking users into opening specially crafted RAR archives.

The vulnerability was discovered and fixed in July 2025, when RARLAB released WinRAR version 7.13. Attackers had already begun exploiting the bug earlier in July, before the patch was available, and they continue to abuse it in real-world attacks. Mandiant reports that government-backed groups from Russia and China, as well as cybercrime groups, are using the vulnerability against military, government, and technology targets.

Russian-linked threat actors have focused on Ukrainian military and government organizations, using lures related to the war and regional politics. Several groups have used the flaw to deliver malware through phishing emails and fake documents, often placing malicious files in the system’s Startup folder to maintain persistence.

UNC4895 (CIGAR), also known as RomCom, operates with both financial and espionage motives and relies on highly customized spearphishing emails, including lures referencing Ukrainian military units, to deliver NESTPACKER (Snipbot) malware.

APT44 (aka FROZENBARENTS and Sandworm) has been observed exploiting CVE-2025-8088 to deploy Ukrainian-themed decoy documents alongside malicious LNK files that enable follow-on payload downloads.

Another threat actor, TEMP.Armageddon (CARPATHIAN), continues targeting Ukrainian government entities through at least January 2026, using HTML files containing nested RAR archives that drop HTA downloaders into the Startup folder to fetch second-stage payloads.

Turla (SUMMIT) has also adopted CVE-2025-8088, leveraging Ukrainian military and drone-related lures to deliver its STOCKSTAY malware suite.

Chinese-linked actors have also used the vulnerability to install spyware, while criminal groups have used it to spread common remote access tools and information-stealing malware. In one case, a Chinese threat actor was observed using the vulnerability to deliver POISONIVY malware via a BAT file dropped into the Startup folder, which then downloads a dropper.
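The common thread in the campaigns above is the archiver itself writing an auto-runnable file (LNK, HTA, BAT) into a Startup folder. The script below is an added example, not code from Mandiant or this article: it runs a simple detection over constructed file-creation events in a simplified Sysmon Event ID 11 layout (the layout and the sample paths are assumptions) and includes a check that the installed WinRAR is at least 7.13, the version the article names as the fix.

```python
import re
from pathlib import PureWindowsPath

# Substring shared by the per-user (AppData\Roaming) and all-users (ProgramData) Startup folders
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"
# File types the reported campaigns dropped (LNK, HTA, BAT) plus other auto-runnable kinds
SUSPICIOUS_EXT = {".lnk", ".hta", ".bat", ".cmd", ".exe", ".vbs", ".js", ".ps1"}
ARCHIVER_IMAGES = {"winrar.exe", "unrar.exe"}

# Constructed sample events in a simplified Sysmon Event ID 11 (FileCreate) layout; not real telemetry
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\WinRAR\\WinRAR.exe | TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta
Image: C:\\Program Files\\WinRAR\\WinRAR.exe | TargetFilename: C:\\Users\\alice\\Downloads\\report\\report.pdf
Image: C:\\Windows\\explorer.exe | TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk
Image: C:\\Program Files\\WinRAR\\WinRAR.exe | TargetFilename: C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat
"""

LINE_RE = re.compile(r"Image:\s*(?P<image>.+?)\s*\|\s*TargetFilename:\s*(?P<target>.+?)\s*$")


def is_startup_write(target: str) -> bool:
    # Case-insensitive match so mixed-case paths from different log sources are caught
    return STARTUP_MARKER in target.lower()


def detect_startup_drops(log_text: str) -> list[dict]:
    """Flag auto-runnable files created under a Startup folder by the archiver process itself."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        image, target = m.group("image"), m.group("target")
        # Writes by other processes (e.g. explorer.exe creating a shortcut) are normal and skipped
        if PureWindowsPath(image).name.lower() not in ARCHIVER_IMAGES:
            continue
        if is_startup_write(target) and PureWindowsPath(target).suffix.lower() in SUSPICIOUS_EXT:
            hits.append({"image": image, "target": target})
    return hits


def winrar_is_patched(version: str) -> bool:
    """True when the installed WinRAR is 7.13 or newer, the release that fixed CVE-2025-8088."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) >= (7, 13)


if __name__ == "__main__":
    for hit in detect_startup_drops(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} wrote {hit['target']}")
```

In a real deployment the same two conditions (archiver process as the writer, Startup folder as the destination) map directly onto a SIEM rule over Sysmon or EDR file-creation telemetry.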

Cybercriminals have used the WinRAR flaw in attacks against businesses and individuals in regions including Indonesia, Latin America, and Brazil. The campaigns have involved fake booking emails, banking-themed lures, and malicious browser extensions designed to steal credentials.

Mandiant says the rapid spread of CVE-2025-8088 shows how quickly effective exploits are shared and sold in underground markets. One seller, known as “zeroplayer,” advertised a WinRAR exploit shortly after the bug was discovered and has also claimed to sell other high-end exploits for popular software and operating systems.
