Exploit Chain Mechanics
The exploit chain typically hides the malicious file in an alternate data stream (ADS) of a decoy file inside the archive. When the archive is opened, WinRAR extracts the ADS payload via directory traversal, writing it outside the intended extraction folder; the dropped files are often LNK, HTA, BAT, CMD, or script files that execute on the next user login.
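The following is an added example, not code from the article or from WinRAR: a defender-side audit of archive entry names that models the mechanics just described. It splits an entry into its host file and ADS stream, resolves the effective path against the extraction directory the way a naive extractor would, and reports whether the bytes would escape that directory, land in a Startup folder, or carry an autorun-capable extension. The extraction directory and the entry names are constructed samples, and the audit goes beyond the ADS case to cover plain traversal entries and the edge case of a `..` that stays inside the extraction directory (which is not an escape).

```python
"""Audit archive entry names for the ADS + path-traversal pattern.

Added example (not the article's or WinRAR's code). Entry names are constructed
samples and the extraction directory is a hypothetical victim path.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions the article lists as typical dropped payloads
AUTORUN_EXTENSIONS = {".lnk", ".hta", ".bat", ".cmd"}
# Per-user Startup folder fragment, lower-cased for comparison
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    entry: str
    host: str               # file the data would be attached to
    stream: Optional[str]   # ADS stream name, if the entry targets one
    resolved: str           # where the bytes actually land after normalisation
    traversal: bool         # any ".." component in the effective path
    escapes: bool           # resolved path lies outside the extraction directory
    startup: bool           # lands in a Startup folder
    autorun: bool           # extension executes on login / double-click


def split_ads(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'host:stream' (NTFS ADS syntax). A single-letter host is treated
    as a drive letter rather than an ADS host."""
    host, sep, stream = entry.partition(":")
    if not sep or (len(host) == 1 and host.isalpha()):
        return entry, None
    return host, stream


def resolve(extract_dir: str, rel: str) -> str:
    """Resolve a (possibly traversing) relative name against the extraction
    directory using Windows path rules, as a naive extractor would."""
    rel = rel.replace("/", "\\")
    return ntpath.normpath(ntpath.join(extract_dir, rel))


def audit_entry(extract_dir: str, entry: str) -> Finding:
    host, stream = split_ads(entry)
    # With an ADS entry the stream name carries the traversal; the host file
    # is the decoy that stays put in the extraction directory.
    effective = stream if stream is not None else host
    resolved = resolve(extract_dir, effective)
    base = ntpath.normpath(extract_dir).lower().rstrip("\\") + "\\"
    components = effective.replace("/", "\\").split("\\")
    return Finding(
        entry=entry,
        host=host,
        stream=stream,
        resolved=resolved,
        traversal=".." in components,
        escapes=not resolved.lower().startswith(base),
        startup=STARTUP_FRAGMENT in resolved.lower(),
        autorun=ntpath.splitext(resolved)[1].lower() in AUTORUN_EXTENSIONS,
    )


def is_suspicious(f: Finding) -> bool:
    """Flag anything that escapes the extraction directory, and any ADS entry
    that carries traversal or an autorun-capable payload."""
    return f.escapes or (f.stream is not None and (f.traversal or f.autorun))


def audit(extract_dir: str, entries: List[str]) -> List[Finding]:
    return [audit_entry(extract_dir, e) for e in entries]


# Constructed sample: hypothetical extraction directory and archive listing.
EXTRACT_DIR = r"C:\Users\victim\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",                                   # benign decoy
    "docs/readme.txt",                               # benign, forward slashes
    r"safe\..\inner.txt",                            # ".." that stays inside
    r"..\..\..\evil.bat",                            # plain traversal escape
    r"invoice.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
]

if __name__ == "__main__":
    for f in audit(EXTRACT_DIR, SAMPLE_ENTRIES):
        flag = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(f"{flag:10} {f.entry!r} -> {f.resolved}")
```

The decisive check is `escapes`, computed on the normalised path rather than by counting `..` components: the third sample entry contains a `..` yet resolves inside the extraction directory, while the ADS entry resolves to the Startup folder two levels up and is flagged on three counts at once (escape, Startup location, LNK extension). Running the same audit over the listing of an incoming archive before extraction gives a cheap pre-filter that does not depend on the archiver's own path handling.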
Observed Threat Actors
Google researchers observed state-sponsored threat actors exploiting CVE-2025-8088.
Commoditization of Exploit Development
The same threat actor also marketed multiple high-value exploits last year, including alleged zero-days for:
- Microsoft Office sandbox escape
- Corporate VPN RCE
- Windows local privilege escalation
- Bypasses for security solutions (EDR, antivirus)
Prices ranged between $80,000 and $300,000.
Google notes that this reflects the commoditization of exploit development: buying a ready-made exploit removes the friction and complexity of building one, enabling rapid targeting of unpatched systems.
Implications for Security Teams
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.