Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088

Jan. 29, 2026, 9:18 p.m.

Description

CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR that attackers exploit through Alternate Data Streams (ADS). Adversaries can craft malicious RAR archives that, when opened by a vulnerable version of WinRAR, write files to arbitrary locations on the system. Exploitation in the wild began as early as July 18, 2025, and RARLAB addressed the vulnerability shortly after with the release of WinRAR version 7.13 on July 30, 2025.

Date

  • Created: Jan. 29, 2026, 9:08 p.m.
  • Published: Jan. 29, 2026, 9:08 p.m.
  • Modified: Jan. 29, 2026, 9:18 p.m.

Indicators


Attack Patterns

  • STOCKSTAY
  • NESTPACKER
  • UNC4895

Additional Information

  • Defense ministries (including the military)
  • Government and administrations
  • Technologies

Linked vulnerabilities