Particle.news

Google Warns of Widespread, Ongoing Exploitation of WinRAR Vulnerability

Attackers use ADS-based archives to drop files into Windows Startup on unpatched systems, enabling quiet persistence.

Overview

  • Google Threat Intelligence Group’s latest analysis says attacks that began before WinRAR’s July 30, 2025 patch remain active into early 2026, with cybercriminal use rising since late 2025.
  • State-backed operators exploiting CVE-2025-8088 include RomCom/UNC4895, APT44, TEMP.Armageddon, and Turla targeting Ukrainian military and government entities, alongside a China-linked actor.
  • Financially motivated campaigns have deployed XWorm, AsyncRAT, Telegram-controlled backdoors, and a malicious Chrome banking extension across Brazil, Latin America, and Indonesia.
  • The common technique hides payloads in Alternate Data Streams within decoy archives and uses path traversal to place LNK, HTA, or BAT files in Startup, offering execution with few visible signs to victims.
  • Google published indicators of compromise and urges upgrading to WinRAR 7.13, while exploit sellers such as “zeroplayer” have marketed working kits that lowered the barrier for rapid adoption.
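A triage heuristic for the pattern described above (an Alternate Data Stream in an archive entry whose stream name uses path traversal to reach the Startup folder with a LNK, HTA or BAT file), added here as an example and not part of the Google report: it takes archive entry names as an archive lister prints them (`stored_path:stream_name`, all constructed samples) and returns why each one looks suspicious, so a defender can screen archives before opening them with an unpatched WinRAR.

```python
import ntpath
import re

# Extensions named in the report as the dropped autorun files.
AUTORUN_EXTS = {".lnk", ".hta", ".bat"}
STARTUP_MARKER = re.compile(r"start menu[\\/]programs[\\/]startup", re.I)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:[\\/]")


def flag_entry(name: str) -> list[str]:
    """Return the reasons an archive entry name matches the ADS + traversal pattern.

    Entry names are taken as an archive tool lists them; an ADS appears as
    "<file>:<stream>". A leading drive letter ("C:\\...") is an absolute path,
    not an ADS, and is reported separately.
    """
    reasons: list[str] = []
    if DRIVE_PREFIX.match(name):
        reasons.append("absolute-path")
        target = name
    else:
        base, sep, stream = name.partition(":")
        if sep:  # colon inside an entry name can only denote an ADS
            reasons.append("ads")
            target = stream
        else:
            target = base
    parts = re.split(r"[\\/]", target)
    if ".." in parts:
        reasons.append("traversal")
    if STARTUP_MARKER.search(target):
        reasons.append("startup-folder")
    ext = ntpath.splitext(target)[1].lower()
    if ext in AUTORUN_EXTS and ("traversal" in reasons or "startup-folder" in reasons):
        reasons.append("autorun-ext")
    return reasons


def triage(entries: list[str]) -> dict[str, list[str]]:
    """Keep only entries with at least two indicators; a lone ADS or a lone '..' is common noise."""
    return {e: r for e in entries if len(r := flag_entry(e)) >= 2}


# Constructed listing of a decoy archive (sample values, not real indicators).
SAMPLE_LISTING = [
    "invoice.pdf",
    "photo.jpg:Zone.Identifier",
    "invoice.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LISTING).items():
        print(entry, "->", ", ".join(why))
```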