Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect | CyberScoop<\/title> <meta name=\"description\" content=\"Nation-state groups are consistently exploiting the defect to target victims in military, government and technology for espionage.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/winrar-defect-active-exploits-google-threat-intel\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect\"> <meta property=\"og:description\" content=\"Nation-state groups are consistently exploiting the defect to target victims in military, government and technology for espionage.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/winrar-defect-active-exploits-google-threat-intel\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-27T23:53:17+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-27T23:53:20+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1768841770g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87579\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87579\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fwinrar-defect-active-exploits-google-threat-intel%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fwinrar-defect-active-exploits-google-threat-intel%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87579 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/winrar-defect-active-exploits-google-threat-intel\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.833693304536\">\n<div class=\"single-article__header-content\" readability=\"35.19512195122\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/winrar-defect-active-exploits-google-threat-intel\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Nation-state groups are consistently exploiting the defect to target victims in military, government and technology for espionage. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87579\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"274\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect.jpg?resize=640%2C274&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Binary code depicted in waves.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg 2644w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=300,129 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=768,329 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=1024,439 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=1536,658 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=2048,878 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=600,257 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=1200,514 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-2.jpg?resize=1500,643 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Binary code depicted in waves. (iStock\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.044721788872\"><body readability=\"68.08630054315\"><\/p>\n<p>Google Threat Intelligence Group warned that a <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/exploiting-critical-winrar-vulnerability\">diverse and growing collection of attackers<\/a>, including nation-state groups and financially motivated cybercriminals, are exploiting a path-traversal vulnerability affecting WinRAR that was disclosed and patched six months ago.<\/p>\n<p>The high-severity vulnerability \u2014 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-8088\">CVE-2025-8088<\/a> \u2014 was exploited in the wild almost two weeks before RARLAB, the vendor behind the file archiver tool, addressed the vulnerability in a <a href=\"https:\/\/www.win-rar.com\/singlenewsview.html\">software update<\/a> in late July. <\/p>\n<p>Active exploitation of the vulnerability has consistently extended to more threat groups during the past six months and remains ongoing. Google threat hunters have attributed attacks to at least three financially motivated attackers, four Russia state-sponsored groups and one attacker based in China. <\/p>\n<p>\u201cGovernment-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,\u201d Google said in a threat intelligence report Tuesday. Researchers did not say how many attacks are linked to the vulnerability but described the activity as widespread.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Nation-state groups are consistently exploiting the defect to target victims in military, government and technology for espionage, researchers said. Groups backed by Russia are targeting Ukrainian military and government entities while the China-based attacker\u2019s targets remain unknown. <\/p>\n<p>Cybercriminals are swarming to exploit the vulnerability, too. Google traced campaigns back to groups that previously targeted victims in Indonesia, Latin America and Brazil. Cybercrime groups exploited the vulnerability in December and January to deploy malware, including remote access trojans and infostealers.<\/p>\n<p>Google published a timeline of observed exploitation depicting a broad set of attackers involved through October, but the majority of malicious activity since late 2025 is attributed to cybercriminals. <\/p>\n<p>Attacks share a common method of exploitation, which was rapidly adopted by a range of threat groups. <\/p>\n<p>\u201cWe are seeing both government-backed groups and financially motivated actors use the same exploitation method to achieve successful execution on target devices,\u201d GTIG said in an email. \u201cThis mechanism of crafting a malicious RAR archive makes it more difficult for victims to determine they\u2019ve been impacted, as they are shown a benign decoy file while in the background it silently drops a malicious payload into a critical system location such as Windows Startup folder.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The malware requires no user interaction and because there are no obvious indicators of compromise, the malicious activity is very difficult to spot, researchers said.<\/p>\n<p>Attackers of various objectives are flocking to the vulnerability, reminiscent of <a href=\"https:\/\/blog.google\/threat-analysis-group\/government-backed-actors-exploiting-winrar-vulnerability\/\">widespread exploitation of a previous WinRAR defect<\/a> \u2014 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-38831\">CVE-2023-38831<\/a> \u2014 that Google\u2019s Threat Analysis Group warned about in October 2023. <\/p>\n<p>\u201cThe barrier to entry for threat actors to abuse WinRAR vulnerabilities is low, as there are public ready-to-use tools to quickly craft and test malicious archives,\u201d researchers said. Google urged organizations to install security updates for WinRAR and published indicators of compromise to help defenders hunt for malicious activity on their systems.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.3983050847458\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/winrar-defect-active-exploits-google-threat-intel\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals and nation-state groups are exploiting a six-month old WinRAR<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[271,282,78,387,3729,281,2538,3707,3332,256,270,288,2281,5857],"tags":[277,286,86,391,3731,285,2540,3708,3336,262,276,294,2283,5858],"class_list":["post-8303","post","type-post","status-publish","format-standard","hentry","category-china","category-cybercrime","category-cybersecurity","category-google","category-google-threat-intelligence-group","category-hacking","category-n-day","category-nation-state-threats","category-nation-state-hackers","category-research","category-russia","category-threats","category-vulnerability","category-winrar","tag-china","tag-cybercrime","tag-cybersecurity","tag-google","tag-google-threat-intelligence-group","tag-hacking","tag-n-day","tag-nation-state-threats","tag-nation-state-hackers","tag-research","tag-russia","tag-threats","tag-vulnerability","tag-winrar"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/n-day\/\" rel=\"category tag\">n-day<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nation-state-threats\/\" rel=\"category tag\">nation state threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nation-state-hackers\/\" rel=\"category tag\">nation-state hackers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability\/\" rel=\"category tag\">vulnerability<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/winrar\/\" rel=\"category tag\">WinRAR<\/a>","tag_info":"WinRAR","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8303"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8303\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8303,"date":"2026-01-27T17:53:17","date_gmt":"2026-01-27T23:53:17","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87579"},"modified":"2026-01-27T17:53:17","modified_gmt":"2026-01-27T23:53:17","slug":"cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/27\/cybercriminals-and-nation-state-groups-are-exploiting-a-six-month-old-winrar-defect\/","title":{"rendered":"Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect"},"content":{"rendered":"