Suzu Labs In The Media

Microsoft Windows file archival tool WinRAR exploited worldwide

Written by SC Media | Jan 28, 2026 6:15:00 PM

See Full Article: https://www.scworld.com/news/microsoft-windows-file-archival-tool-winrar-exploited-worldwide

The Google Threat Intelligence Group (GTIG) has identified widespread active exploitation of the popular WinRAR file archiver for Windows, targeting industry and government sectors worldwide.

Security experts believe GTIG brought the high-severity vulnerability to the industry’s attention because exploitation has continued long after a patch was released in July, and new campaigns tied to government-backed threat actors linked to Russia and China are still emerging.

In its Jan. 27 blog post, GTIG researchers said the bug — CVE-2025-8088 — was an n-day path traversal flaw that lets attackers drop malware files into the Windows Startup folder for persistence.

Michael Bell, founder and CEO at Suzu Labs, said the vulnerability lies in how WinRAR handles Windows Alternate Data Streams (ADS) during extraction. Attackers craft an archive in which the visible file is a harmless PDF, but, Bell said, the ADS attached to it contains a malicious shortcut or script.

“When you open the archive, WinRAR follows a path traversal in the ADS entry and drops that payload directly into your Windows Startup folder,” said Bell. “WinRAR has more than 500 million users and most of them don't think twice about opening archives. The payload executes without any additional user interaction beyond opening the RAR and logging back in. No macro warnings, no ‘enable content’ prompts. Just persistence.”
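The mechanism Bell describes is a path traversal hidden in the ADS suffix of an archive entry name, so the defensive question is whether each entry, including any `file:stream` suffix, can only ever land inside the chosen extraction directory. The following is an added example written for this page; it is not code from the article, from WinRAR, or from Suzu Labs. It assumes entry names as they appear in an archive listing (relative paths using either separator) and shows a generic pre-extraction check that a gateway or extractor wrapper could apply before anything is written to disk. The sample listing at the bottom is constructed.

```python
"""Pre-extraction check for archive entry names, including NTFS Alternate Data
Stream (ADS) suffixes of the form ``file:stream`` (added example; hypothetical
helper names, not WinRAR's or any library's API)."""
from pathlib import PureWindowsPath

SEPARATORS = ("\\", "/")


def split_ads(entry_name: str):
    """Split ``file:stream`` into (file, stream); (entry_name, None) if no stream.
    A leading drive letter such as ``C:`` is not an ADS marker."""
    if len(entry_name) >= 2 and entry_name[1] == ":" and entry_name[0].isalpha():
        return entry_name, None          # absolute drive path; rejected below
    head, sep, tail = entry_name.partition(":")
    if not sep:
        return entry_name, None
    return head, tail


def classify_entry(entry_name: str) -> str:
    """Return 'ok' or a short reason the entry must not be extracted as named."""
    base, stream = split_ads(entry_name)

    if base == "":
        return "empty file name"
    # Absolute and drive-qualified paths can never be "inside" the target dir.
    if base.startswith(SEPARATORS) or (len(base) >= 2 and base[1] == ":"):
        return "absolute path"

    # Walk the path components with a depth counter: a ".." that would climb
    # above the extraction directory means the entry escapes it.
    depth = 0
    for part in PureWindowsPath(base).parts:
        if part == "..":
            depth -= 1
            if depth < 0:
                return "traversal in file path"
        elif part not in (".", ""):
            depth += 1

    if stream is not None:
        # An NTFS stream name is a single name, never a path. Drop an optional
        # ":$DATA" type suffix, then reject separators or dot components, which
        # indicate a path being smuggled through the stream suffix.
        stream_name = stream.split(":", 1)[0]
        if stream_name == "":
            return "empty stream name"
        if any(sep in stream_name for sep in SEPARATORS) or stream_name in (".", ".."):
            return "path separator in ADS stream"
    return "ok"


def flagged_entries(names):
    """Return [(entry, reason)] for every entry that fails the check."""
    return [(n, classify_entry(n)) for n in names if classify_entry(n) != "ok"]


if __name__ == "__main__":
    # Constructed listing: two benign entries, one legitimate ADS, two escapes.
    listing = [
        "docs\\report.pdf",
        "docs/notes.txt",
        "report.pdf:Zone.Identifier",
        "..\\outside.txt",
        "report.pdf:..\\..\\dropped.lnk",
    ]
    for entry, reason in flagged_entries(listing):
        print(f"REJECT {entry!r}: {reason}")
```

Because the check runs on names alone, it fits anywhere an archive listing is available before extraction, such as a mail gateway or an EDR pre-scan, and it flags the ADS case even though the visible file name looks like an ordinary PDF.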