Mallory

zeroplayer

Also known as: zeroplayer

“zeroplayer” is described as an upstream exploit supplier/broker observed in 2025 advertising and selling high-end, expensive exploits to multiple buyers, contributing to the broad adoption/commoditization of exploitation across both state-linked and criminal ecosystems.

In July 2025, “zeroplayer” advertised a WinRAR exploit shortly before widespread exploitation of CVE-2025-8088 (a WinRAR path traversal/arbitrary file write issue abused via Windows Alternate Data Streams and directory traversal to drop payloads—often into Windows Startup folders for persistence).

Additional advertisements attributed to “zeroplayer” include: an unspecified zero-day to disable antivirus/EDR for $80,000 (early Sept 2025); a remote code execution zero-day for an unnamed popular corporate VPN provider (late Sept 2025); a Windows local privilege escalation zero-day for $100,000 (mid-Oct 2025); and a claimed Microsoft Office sandbox escape RCE zero-day offered for $300,000 (Nov 2025).

No specific victimology, malware families, or direct operational campaigns are attributed to “zeroplayer” in the provided content beyond their role as an exploit seller.
