
Months After Patch, WinRAR Bug Poised to Hit SMBs Hardest

A months-old WinRAR vulnerability, CVE-2023-38831, is being actively exploited by Russian and Chinese nation-state actors. Despite a patch being available since July, the flaw continues to pose a significant risk, particularly to SMBs.

Alexander Culafi, Senior News Writer, Dark Reading
January 28, 2026

A wide range of adversaries, including state-sponsored actors, are targeting a vulnerability in the popular file extraction software WinRAR that was addressed last year. The vulnerability impacts a wide range of organizations and could weigh heaviest on small and midsized businesses.

Google Threat Intelligence Group (GTIG) yesterday published a research blog post regarding CVE-2025-8088, a high-severity flaw discovered by ESET and disclosed last August. According to the bug's National Vulnerability Database listing, CVE-2025-8088 is a "path traversal vulnerability affecting the Windows version of WinRAR [that] allows the attackers to execute arbitrary code by crafting malicious archive files."

WinRAR is popular cross-platform file extraction software used by hundreds of millions of users, including individuals and organizations across multiple sizes and sectors. In addition to its mammoth and diverse user base, WinRAR is also very accessible. The software famously has an indefinite free-trial period that has put it on millions of devices, regardless of whether users know it's there.

Douglas McKee, director of vulnerability intelligence at Rapid7, says the last bit is "arguably the most dangerous aspect of this vulnerability."

"WinRAR often sits quietly on systems for years, rarely used, rarely updated, and rarely thought of as part of the attack surface. Users may diligently patch their operating system and browser while a vulnerable archive utility remains completely untouched," McKee tells Dark Reading. "From an attacker's perspective, forgotten software is ideal: it's trusted, unmonitored, and only needs to be invoked once at the right moment. That combination makes dormant tools like WinRAR a persistent and often overlooked risk."

He adds that the users most vulnerable are small and midsized businesses, as well as professionals in roles that regularly exchange compressed files as part of normal operations; attackers tend to focus on positions where opening files is part of the job.

"This risk is amplified in organizations where software like WinRAR is widely installed but rarely managed, audited, or updated. Employees in technical, operational, or administrative roles may trust archive files implicitly, especially when they appear to come from a known partner or internal workflow," McKee explains. "That combination shows up frequently in targeted attacks, not because the users are careless, but because the job itself requires trust in shared files."

WinRAR Bug CVE-2025-8088 Under Attack

At the time it was disclosed, ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček observed that the high-severity (8.4 CVSS) vulnerability had been exploited in the wild by threat actors including the Russia-aligned group RomCom. WinRAR patched the vulnerability in its July 30, 2025, release, but according to GTIG, threat actors are still at work several months later.

Exploitation of CVE-2025-8088 is both widespread and active, Google said in its research. On the espionage front, threat actors from China and Russia are exploiting the vulnerability, with the latter using it to target Ukrainian entities. On the financial end, Google detailed multiple threat actors across the world using (and continuing to use) CVE-2025-8088 to "deploy commodity RATs and information stealers against commercial targets."

Threat actors began exploiting the flaw as early as July 18, 2025, with attackers crafting malicious RAR files containing other malicious files that lean on a metadata feature in Windows known as Alternate Data Streams (ADS).

"The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive. While the user typically views a decoy document (such as a PDF) within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," GTIG said. "The payload is written with a specially crafted path designed to traverse to a critical directory, frequently targeting the Windows Startup folder for persistence," the researchers said. "When the archive is opened, the ADS content (malicious.lnk) is extracted to the destination specified by the traversal path, automatically executing the payload the next time the user logs in."

Google urged unpatched users and organizations to update their WinRAR instances immediately, and to familiarize themselves with the exploiting actors' "predictable" tactics, techniques, and procedures. GTIG's blog includes indicators of compromise.

A researcher with Google Threat Intelligence Group tells Dark Reading that any unpatched software increases a machine's attack surface. "We urge organizations and users to keep software, including software obtained by free trials, fully up to date and to install security updates as soon as they become available," the researcher says.

Dark Reading contacted WinRAR for additional comment.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading. Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
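As an added example that is not code from the article, from WinRAR or from GTIG, the Python below shows the extraction-path check that blocks the bug class described above: the unsafe join of a decoy file name and an ADS stream name, beside a hardened version whose containment test collapses `..` the way Windows path normalization does. The destination root, entry names and stream names in the tests are constructed sample values, not indicators from the report.

```python
# Added example (not WinRAR's or GTIG's code): validating archive entry names and
# NTFS ADS stream names before extraction, so a crafted path cannot leave the root.
import ntpath
from typing import Optional

SEPS = "\\/"

def naive_target(root: str, name: str, stream: Optional[str] = None) -> str:
    """Unsafe pattern: concatenate entry name and ADS stream name with no validation."""
    full = name if stream is None else f"{name}:{stream}"
    return root.rstrip(SEPS) + "\\" + full

def escapes_root(root: str, target: str) -> bool:
    """Collapse '..' as Windows normalization does (ntpath.normpath) and test containment.
    'decoy.pdf:..' is consumed as one component, so the first '..' after the stream
    marker only cancels the decoy name and every further '..' climbs a real directory."""
    norm_root = ntpath.normcase(ntpath.normpath(root))
    norm_target = ntpath.normcase(ntpath.normpath(target))
    return norm_target != norm_root and not norm_target.startswith(norm_root + "\\")

def _components(name: str) -> list:
    return [p for p in name.replace("/", "\\").split("\\") if p not in ("", ".")]

def validate_entry(name: str, stream: Optional[str] = None) -> Optional[str]:
    """Return a rejection reason, or None when the entry is safe to extract."""
    if not name or name[0] in SEPS or name[1:2] == ":":
        return "absolute, UNC or empty entry name"
    parts = _components(name)
    if not parts or ".." in parts:
        return "'..' component in entry name"
    if any(":" in p for p in parts):
        return "stream marker ':' embedded in entry name"
    # An NTFS stream name is one component: no separators, no ':' and no dot-names.
    if stream is not None and (not stream or any(c in stream for c in SEPS + ":")
                               or stream in (".", "..")):
        return "unsafe stream name"
    return None

def safe_target(root: str, name: str, stream: Optional[str] = None) -> str:
    """Hardened join: validate, build the path by hand (ntpath.join would let a
    one-letter 'x:stream' component switch drives), then re-check containment."""
    reason = validate_entry(name, stream)
    if reason:
        raise ValueError(f"{reason}: {name!r} / {stream!r}")
    parts = _components(name)
    if stream is not None:
        parts[-1] = f"{parts[-1]}:{stream}"
    target = root.rstrip(SEPS) + "\\" + "\\".join(parts)
    if escapes_root(root, target):  # belt and braces if a check above is ever loosened
        raise ValueError(f"target escapes destination: {target!r}")
    return target
```

Running `escapes_root` over what `naive_target` produces for a stream name full of `..` shows the write landing outside the destination folder, while `safe_target` refuses the same entry before any path is built.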
