
Abuse of CVE-2025-8088 Enables Stealthy Loader Deployment in Targeted Intrusions

Recent intrusion activity shows sustained exploitation of CVE-2025-8088 to deliver custom loaders and remote access tooling. The campaigns emphasize stealth, regional targeting, and low-noise persistence mechanisms.

Threat Landscape Team
2026-02-05 · 7 min read

Overview

Multiple intrusion sets have been observed actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to establish initial access and deploy modular malware frameworks. The activity is characterized by:

  • Use of crafted RAR archives as the primary infection vector
  • Abuse of Alternate Data Streams (ADS) for payload concealment
  • Deployment of a custom first-stage loader (“Amaranth Loader”)
  • Follow-on tooling including Havoc and a Telegram-based RAT
  • Region-restricted command-and-control infrastructure

The campaigns are selective and operationally restrained, suggesting a focus on long-term access rather than monetization.

Vulnerability Details: CVE-2025-8088

  • Affected software: WinRAR prior to version 7.13
  • Vulnerability class: Path traversal
  • Impact: Arbitrary file write leading to code execution
  • Attack mechanism:
    • Malicious RAR archive contains files with crafted paths
    • Upon extraction, files are written outside the intended directory
    • Payloads are dropped into Startup folders or locations referenced by LNK files

Although a patch is available, exploitation continues against unpatched environments.

Initial Access and Delivery

Observed delivery mechanisms include:

  • Spear-phishing emails with RAR attachments
  • Archive contents themed around diplomatic, legal, or policy-related topics
  • Decoy documents displayed to the user while malicious files are written via ADS

Typical archive structure:

  • Document.pdf (decoy)
  • Document.pdf:payload.dll (ADS-hidden payload)
  • launcher.lnk or run.cmd to trigger execution
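As an added example (not part of the original report), a small Python triage routine that flags archive entries showing the traits described above: paths that escape the extraction directory, ADS targets, Startup folder drops and launcher files. The entry names are constructed; in practice they would come from the archive listing (for example via the rarfile module or `unrar lt`).

```python
"""Added example, not from the original report: triage a RAR listing for traits
the campaign relies on: entries escaping the extraction directory, Alternate Data
Stream targets, Startup folder drops and launcher files. Names are constructed."""
import posixpath
import re

_ABS_WIN = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")  # drive letter or UNC prefix
_DRIVE = re.compile(r"^[A-Za-z]:")
_STARTUP = "start menu/programs/startup"
_LAUNCHER_EXT = {".lnk", ".cmd", ".bat"}

def _escapes(part: str) -> bool:
    # True if the normalised component sequence still points above its base dir.
    norm = posixpath.normpath(part.lstrip("/"))
    return norm == ".." or norm.startswith("../")

def classify_entry(name: str) -> list[str]:
    """Return the suspicious traits of one archive entry name (empty if clean)."""
    findings = []
    path = name.replace("\\", "/")
    if _ABS_WIN.match(name) or path.startswith("/"):
        findings.append("absolute path")
    rel = _DRIVE.sub("", path)
    # A colon past any drive letter names an ADS; either side may carry '..'.
    sides = rel.split(":", 1)
    if len(sides) == 2:
        findings.append("ADS target")
    if any(_escapes(side) for side in sides):
        findings.append("path traversal")
    if _STARTUP in rel.lower():
        findings.append("Startup folder")
    if posixpath.splitext(rel)[1].lower() in _LAUNCHER_EXT:
        findings.append("launcher file")
    return findings

def scan_listing(entries: list[str]) -> dict[str, list[str]]:
    """Map each flagged entry to its traits; clean entries are omitted."""
    return {e: f for e in entries if (f := classify_entry(e))}

SAMPLE_LISTING = [  # constructed, mirroring the archive layout described above
    "Document.pdf",
    "Document.pdf:payload.dll",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/launcher.lnk",
    "C:\\Users\\Public\\run.cmd",
    "notes/readme.txt",
]

if __name__ == "__main__":
    for entry, traits in scan_listing(SAMPLE_LISTING).items():
        print(f"{entry}: {', '.join(traits)}")
```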

Execution and Persistence

Once extracted, execution chains commonly involve:

  • LNK files invoking cmd.exe or rundll32.exe
  • DLL side-loading via a legitimate signed executable
  • Persistence achieved through:
    • Startup folder placement
    • Registry Run keys
    • Scheduled tasks in limited cases

The initial loader runs with user-level privileges and avoids noisy escalation attempts.

Malware Tooling

Amaranth Loader

  • Custom first-stage loader
  • Encrypted configuration embedded in the binary
  • Resolves C2 endpoints at runtime
  • Loads next-stage payloads entirely in memory

Havoc Framework

  • Used as a post-exploitation C2 platform
  • Supports file operations, process injection, and credential access
  • HTTP(S)-based communications with configurable jitter

TGAmaranth RAT

  • Lightweight RAT controlled via Telegram bots
  • Supports command execution, file exfiltration, and system profiling
  • Designed for environments with restrictive egress controls

Command-and-Control Infrastructure

Infrastructure characteristics include:

  • HTTPS-based C2 endpoints
  • Fronting via commercial CDN providers
  • Geofencing rules limiting responses to specific IP ranges
  • Short-lived domains with minimal DNS history

This approach reduces exposure to automated scanning and sandbox detonation.

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Notes |
|---|---|---|---|
| Initial Access | Phishing Attachment | T1566.001 | Malicious RAR archives |
| Execution | Command and Scripting Interpreter | T1059.003 | CMD via LNK files |
| Execution | DLL Side-Loading | T1574.002 | Legitimate executable abuse |
| Persistence | Startup Folder | T1547.001 | Payload auto-launch |
| Persistence | Registry Run Keys | T1547.001 | User-level persistence |
| Defense Evasion | Obfuscated Files or Information | T1027 | Encrypted loader configs |
| Command and Control | Web Protocols | T1071.001 | HTTPS-based C2 |
| Command and Control | Proxy | T1090 | CDN fronting |

Indicators of Compromise

File Artifacts

  • RAR archives containing ADS entries
  • LNK files referencing %APPDATA% or %TEMP%
  • DLLs without version metadata dropped outside the archive's extraction directory

Registry

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*
  • Values pointing to user-writable directories

Network

  • HTTPS traffic to low-reputation domains behind CDNs
  • Beaconing intervals with consistent jitter
  • TLS sessions without SNI or with generic user agents

Structured intelligence note:
Machine-readable STIX 2.1 bundles, including file hashes, domains, IP addresses, ATT&CK mappings, and observed relationships, are available via threatlandscape.io and compatible intelligence-sharing platforms.

Detection and Monitoring Recommendations

  • Alert on WinRAR extraction events writing outside the target directory
  • Monitor for creation of files via Alternate Data Streams
  • Detect LNK execution spawning script interpreters
  • Flag unsigned DLLs loaded by signed binaries from user directories
  • Inspect outbound HTTPS traffic to newly registered domains
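The recommendations above expressed as rules over Sysmon-style host events, as an added example that is not part of the original report. The records are constructed in a simplified shape; the Sysmon field names are real, while the user-directory and "binary located elsewhere" checks are path heuristics of this example, not signature verification.

```python
"""Added example, not from the original report: the monitoring recommendations
above as rules over Sysmon-style host events. Records are constructed in a
simplified shape (EventID plus the EventData fields each rule reads)."""
import re

USER_DIR = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\|%(?:APPDATA|TEMP)%", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: dict) -> list[str]:
    """Return the names of the rules that fire for one event."""
    hits = []
    if ev["EventID"] == 11 and _base(ev["Image"]) == "winrar.exe":  # FileCreate by the archiver
        if ":" in ev["TargetFilename"][2:]:  # a colon past the drive letter names an ADS
            hits.append("archiver wrote an Alternate Data Stream")
        if "\\start menu\\programs\\startup\\" in ev["TargetFilename"].lower():
            hits.append("archiver wrote into a Startup folder")
    elif ev["EventID"] == 1:  # ProcessCreate: Explorer (typical LNK launch) -> interpreter
        if (_base(ev["ParentImage"]) == "explorer.exe" and _base(ev["Image"]) in INTERPRETERS
                and USER_DIR.search(ev["CommandLine"])):
            hits.append("interpreter launched via Explorer with a user-directory argument")
    elif ev["EventID"] == 7:  # ImageLoad: unsigned DLL from a user dir into a binary located elsewhere
        if (ev["Signed"] == "false" and USER_DIR.search(ev["ImageLoaded"])
                and not USER_DIR.search(ev["Image"])):
            hits.append("possible DLL side-loading from a user directory")
    elif ev["EventID"] == 13:  # RegistryEvent (value set)
        if RUN_KEY.search(ev["TargetObject"]) and USER_DIR.search(ev["Details"]):
            hits.append("Run key value points into a user-writable directory")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    # Pair every firing rule with the index of the event that triggered it.
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]

SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Document.pdf:payload.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /c "%APPDATA%\run.cmd"'},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```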

Conclusion

The continued exploitation of CVE-2025-8088 highlights how client-side vulnerabilities remain effective entry points for disciplined intrusion activity. The combination of archive-based exploitation, custom loaders, and evasive infrastructure reinforces the need for proactive monitoring beyond patch management.
