In recent months a sad but certain rule of the cybersecurity world has been reaffirmed: a single well-used vulnerability can open many doors. The flaw known as CVE-2025-8088 in WinRAR, a path traversal bug combined with abuse of NTFS Alternate Data Streams (ADS), has been exploited both by state-sponsored groups and by profit-driven cybercriminal gangs, and the result has been the delivery of all kinds of malware with very different objectives and techniques.
To understand why this flaw has caused so much stir, it is first necessary to clarify what ADS are. NTFS file systems allow alternate data streams to be attached to a single file; they are invisible to the typical user and have been used legitimately for years, but they can also be used to hide malicious code inside a seemingly harmless file. Microsoft devotes technical documentation to these structures on its developer site, and it is a good starting point for understanding the problem: Alternate Data Streams (Microsoft).

The exploitation vector described by the researchers is to craft an archive (e.g. a .rar) containing a legitimate document that serves as a decoy and, alongside it, ADS entries carrying hidden payloads. When WinRAR extracts the content, faulty path validation allows these ADS entries to escape the extraction directory and be written to arbitrary locations on the system, including the autostart folders. These payloads typically materialize as shortcuts (.LNK), HTA files, .BAT / .CMD scripts, or small downloaders that run when the user logs into Windows, giving the attacker persistence.
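The check an extractor must perform on every entry before writing it, as an added example that is not from the article or from WinRAR's own code: a validator that rejects traversal sequences, absolute paths and ADS stream syntax in archive entry names. The entry names and the destination directory are constructed.

```python
"""Added example: validate archive entry names before extraction.
Rejects the two ingredients of CVE-2025-8088 as described in the article:
path traversal out of the extraction directory and ':'-separated ADS names."""
import posixpath
import re

# Characters Windows forbids in a file name; ':' is also the ADS separator.
_FORBIDDEN = re.compile(r'[<>:"|?*\x00-\x1f]')


def entry_is_safe(name: str, dest: str = "C:/extract") -> tuple:
    """Return (ok, info): info is the resolved target path or the reject reason."""
    if not name.strip():
        return False, "empty name"
    normalized = name.replace("\\", "/")          # treat both separators alike
    # Absolute paths and drive letters escape the destination outright.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return False, "absolute path or drive letter"
    parts = normalized.split("/")
    if any(p == ".." for p in parts):
        return False, "parent-directory traversal"
    # 'invoice.pdf:payload.hta' names a stream, not a file: refuse it.
    for p in parts:
        if _FORBIDDEN.search(p):
            return False, f"forbidden character in component {p!r}"
    # Belt and braces: the normalized target must still lie under dest.
    target = posixpath.normpath(posixpath.join(dest, normalized))
    if not target.startswith(dest.rstrip("/") + "/"):
        return False, "resolves outside destination"
    return True, target


# Constructed entry names mirroring the decoy-plus-hidden-payload pattern.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/report.docx",
    "invoice.pdf:payload.hta",
    "../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/"
    "Programs/Startup/run.lnk",
    "C:/Windows/Temp/x.cmd",
    "..\\..\\startup\\x.bat",
]


def classify(entries=SAMPLE_ENTRIES, dest="C:/extract") -> dict:
    """Map each entry to (ok, info) so a caller can drop or log the rejects."""
    return {e: entry_is_safe(e, dest) for e in entries}


if __name__ == "__main__":
    for entry, (ok, info) in classify().items():
        print(("ALLOW " if ok else "REJECT") + f" {entry!r}: {info}")
```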
The first public report of active exploitation of this flaw came from ESET researchers, who identified attacks attributed to a Russia-aligned group known as RomCom (also called CIGAR or UNC4895). The Google threat intelligence team subsequently documented that the campaigns had been observed since mid-July 2025 and that the activity continues, involving both state actors and criminals pursuing financial gain. The Google analysis, with more technical details and examples, is available in its publication: Google Threat Intelligence Group - Exploiting a critical WinRAR vulnerability.
The observed schemes are varied. Among espionage-motivated campaigns, mailings to Ukrainian military units with Ukrainian-language lures have been documented, along with deployments of malware families such as STOCKSTAY or NESTPACKER (also known as Snipbot), and the placement of HTA droppers in startup folders that maintain persistent access even after reboots. Other China-linked actors have taken the same route to drop batch files (.BAT) that in turn download and launch components such as POISONIVY. In parallel, cybercrime gangs have used the vulnerability to distribute remote access tools and information-stealing trojans such as XWorm or AsyncRAT, malicious browser extensions aimed at bank theft, and backdoors controlled through Telegram bots.
One of the factors facilitating this spread is the existence of an exploit market: specialized vendors offer third parties working exploit code for vulnerabilities at prices that, according to reports, can be very high. Google and other security firms interpret this dynamic as the commoditization of exploits, a phenomenon that lowers the technical barrier for less sophisticated actors to attack unpatched systems effectively.
From a defensive point of view, the most direct recommendation is to apply patches as soon as possible: if you have WinRAR installed, check for and update to the version fixed by the vendor. In addition, it is advisable to reduce exposure to this vector by avoiding opening compressed files received from unverified senders and by configuring policies that prevent the automatic execution of files from temporary extraction locations or the unsupervised startup folder. Endpoint protection tools capable of detecting unusual writes to critical folders and monitoring the creation of shortcuts and HTA files also help to detect persistence attempts.

Organizations and administrators can complement these measures with application controls and permission restrictions: keep user account privileges limited, apply application allowlisting where feasible, and update detection mechanisms in EDR / AV solutions with the signatures and rules provided by vendors. Those responsible for public and private sector security are advised to follow advisories and catalogs of actively exploited vulnerabilities, such as the NVD entry for the CVE (CVE-2025-8088 - NVD) and the Known Exploited Vulnerabilities catalog published by CISA (CISA - KEV catalog).
While much of the attention falls on WinRAR, the underlying problem is broader: attackers combine file-system concealment techniques with exploitation chains and services sold on the underground market to gain rapid and persistent access to valuable targets. The lesson for managers and users is clear: keeping software up to date, limiting automatic execution of content, and complementing these good practices with coordinated detection and response substantially reduces the risk posed by flaws such as CVE-2025-8088.
For those who want to dig deeper into the indicators and tactics observed by researchers, the ESET and Google teams publish technical and contextual analyses that help identify patterns and design more effective detection rules. The ESET research page is a good place to find related studies: ESET - WeLiveSecurity, and the Google report provides concrete examples of how the exploitation chain is built: GTIG - campaign analysis.