Everybody is WinRAR phishing, dropping RATs as fast as lightning

Summary

Attackers of all stripes — nation-state gangs, espionage crews and ordinary cyber‑criminals — continue to exploit a patched WinRAR path traversal flaw (CVE-2025-8088) to deliver infostealers and Remote Access Trojans (RATs).

The vulnerability, scored 8.8 (CVSS v3.1), was fixed in WinRAR 7.13 (30 July 2025), but Google Threat Intelligence Group reports ongoing abuse. Exploits hide payloads using Windows Alternate Data Streams (ADS): malicious RAR archives include a decoy file that, when opened on a vulnerable WinRAR, causes hidden malware to be written to arbitrary locations.

Key Points

  • CVE-2025-8088 is a path traversal bug in WinRAR for Windows; it was patched in version 7.13 on 30 July 2025.
  • Attackers abuse Alternate Data Streams (ADS) to conceal malware inside RAR files; opening the decoy file triggers payload extraction to arbitrary paths.
  • Multiple nation-state actors (including RomCom, APT44/Frozenbarents, Temp.Armageddon/Carpathian and Turla/Summit) are using the exploit — primarily against military, government and tech targets in Ukraine.
  • A PRC-linked group has been observed dropping PoisonIvy via a BAT file placed in the Startup folder, which then fetches a dropper.
  • Financially motivated gangs are using the same vector: targeted phishing with hotel-booking lures, XWorm, AsyncRAT, banking credential stealers and commodity RATs/stealers.
  • An exploit for this WinRAR zero-day was advertised by a threat actor named “zeroplayer” (reported price US$80,000), highlighting how zero-days are commoditised in underground markets.
  • Despite an available patch, the bug remains widely abused — underlining how patching gaps and public exploit availability drive persistent risk.

Context and relevance

This story underscores two ongoing trends: (1) old, widely deployed utilities remain juicy targets because many users delay updates; (2) nation-state and criminal operators increasingly share and monetise exploits, meaning a single flaw can be weaponised across espionage, ransomware and commodity crime.

For organisations and endpoint defenders, this attack chain is especially relevant because it bypasses naive attachment-blocking: the archive contains a benign-looking decoy, while ADS hides the malicious artefact. The result is easy social‑engineering paired with a stealthy write technique that can defeat some detection tools if endpoints are unpatched or poorly monitored.

Why should I read this?

If you run Windows or manage endpoints, listen up — this isn’t hypothetical. Everyone from state-backed espionage crews to garden‑variety crooks is using the same WinRAR flaw to drop RATs and steal data. Patch WinRAR, warn your users about RAR attachments, and check your endpoint detections for ADS and Startup‑folder drops. Basically: don’t be the one who thinks “it won’t happen here.”
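The two artefacts the summary tells defenders to look for are a script dropped into a Startup folder and a file carrying a non-default NTFS alternate data stream. The PowerShell below is an added triage check for both on a single Windows endpoint; it is example code written for this page, not something from the Register article, GTIG or WinRAR. The seven-day lookback, the `C:\Users` scan root and the list of "interesting" extensions are assumptions to tune for your environment.

```powershell
# Added example, not from the article: triage a Windows endpoint for
# (1) script/executable drops in Startup folders and
# (2) files in user profiles that carry non-default alternate data streams.
# Lookback window, scan root and extension list are assumptions.

$LookbackDays = 7
$Cutoff = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Startup folders: current user, all users, and every profile on disk ---
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$StartupDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

# Extensions that should rarely appear in a Startup folder on a managed endpoint.
$SuspectExt = @('.bat', '.cmd', '.vbs', '.js', '.ps1', '.exe', '.dll', '.hta', '.lnk', '.scr')

$StartupFindings = foreach ($dir in ($StartupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $SuspectExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [PSCustomObject]@{
                Check    = 'StartupDrop'
                Path     = $_.FullName
                Modified = $_.LastWriteTime
                Recent   = ($_.LastWriteTime -ge $Cutoff)   # written inside the lookback window?
                Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# --- 2. Alternate data streams on recently written files in user profiles ---
# ':$DATA' is the file's own content and Zone.Identifier is the normal
# mark-of-the-web stream, so both are ignored; any other stream is reported.
$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
$ScanRoots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }

$AdsFindings = foreach ($root in $ScanRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Cutoff } |
        ForEach-Object {
            $f = $_
            Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [PSCustomObject]@{
                        Check    = 'AlternateDataStream'
                        Path     = $f.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        Modified = $f.LastWriteTime
                    }
                }
        }
}

# Combine both result sets (wrapping in @() keeps this correct when one is empty).
$Findings = @($StartupFindings) + @($AdsFindings)
$Findings | Format-Table -AutoSize
$Findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\winrar-triage-$env:COMPUTERNAME.csv"
```

Run it from an elevated PowerShell session so other users' profiles are readable. A hit is not proof of compromise: installers and some backup tools legitimately write extra streams, and administrators do place shortcuts in Startup folders. Treat the output as a shortlist to correlate with WinRAR version, recent RAR attachments in mail logs and EDR process telemetry, and use the SHA-256 column to pivot into your threat-intel sources rather than relying on the file name alone.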

Author style

Punchy — the piece cuts straight to the point and emphasises urgency: the bug is patched but still weaponised across many actor types, so the details matter.

Source

Source: https://www.theregister.com/2026/01/28/winrar_bug_under_attack/