Active Exploitation of Critical WinRAR CVE-2025-8088
⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR via the critical path traversal vulnerability CVE-2025-8088, which attackers use to drop payloads into the Windows Startup folder by abusing Alternate Data Streams (ADS). Adversaries—from government-backed Russian and Chinese groups to financially motivated operators—craft RAR archives that conceal decoy documents and hidden ADS entries to achieve persistence. Defenders should prioritize installing the WinRAR patch, enable Safe Browsing protections, and hunt for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.
