Saved February 14, 2026
Do you care about this?
Google warns that various threat actors, including those linked to Russia and China, are exploiting a critical flaw in WinRAR to gain access and deploy malware. This vulnerability, CVE-2025-8088, allows attackers to execute malicious code by manipulating archive files, leading to widespread attacks on multiple targets.
If you do, here's more
Google has raised alarms about the exploitation of a serious security flaw in RARLAB WinRAR, identified as CVE-2025-8088. Discovered and patched in July 2025, this vulnerability has been actively targeted by various threat actors, including state-sponsored groups from Russia and China, as well as financially motivated hackers. The flaw allows attackers to execute arbitrary code by manipulating archive files that users open with vulnerable versions of WinRAR. It carries a CVSS score of 8.8, reflecting its high severity.
Notable groups like RomCom and Sandworm have already leveraged this flaw for espionage and financial gain. RomCom, for instance, has used it to deploy SnipBot malware since mid-July 2025. Other Russian actors, such as Gamaredon and Turla, have targeted Ukrainian government agencies and military operations using cleverly disguised malicious files. Furthermore, a China-based actor has utilized the vulnerability to deliver Poison Ivy malware. The threat has expanded to financially motivated hackers who are deploying various Remote Access Trojans (RATs) and information stealers against commercial targets.
The exploitation of CVE-2025-8088 reflects a growing underground market for this type of vulnerability. Suppliers like "zeroplayer" have offered WinRAR exploits for significant sums, making it easier for less technical threat actors to launch attacks. This commoditization of exploits raises concerns about the increasing accessibility of sophisticated hacking tools. Alongside this, another WinRAR vulnerability, CVE-2025-6218, is also being targeted by multiple threat groups, further emphasizing the ongoing risk posed by unpatched n-day vulnerabilities.