Russian and Chinese hackers target WinRAR

Hackers continue to exploit a previously patched vulnerability in WinRAR to infiltrate systems. Both state-sponsored and financially motivated attackers are widely using the vulnerability.

A serious security vulnerability in WinRAR, designated as CVE-2025-8088, is being actively exploited by various cybercriminals and state-sponsored actors, despite the issue being patched since July. Google’s Threat Intelligence team reports that Russian hackers have been targeting the WinRAR vulnerability since the summer.

The vulnerability allows attackers to place files in the Windows startup folder, allowing them to maintain access to the system. Vulnerabilities in WinRAR are dangerous because they can bypass the built-in security in Windows.

Access via hidden file paths

The vulnerability allows attackers to write files to locations of their choosing via alternate data streams. Such entries are typically hidden in an archive alongside an innocent-looking document; while the user views that document, a malicious file is placed in the folder from which Windows automatically starts programs when it boots. The method requires no user interaction beyond opening the RAR file in a vulnerable version of WinRAR.

RARLAB, the developer of WinRAR, released an update (version 7.13) on July 30, 2025, that fixes the issue. However, Google’s observations show that many systems are still vulnerable due to slow update practices: unfortunately, a very stubborn phenomenon in the IT world. IT administrators are advised to roll out updates immediately and actively monitor systems for the described attack methods.
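As an added illustration (not from the article, Google or RARLAB), a small Python helper for the two checks the article asks administrators to make: it compares an installed WinRAR version against the fixed 7.13 release, and it flags archive entry names that carry alternate data stream syntax, parent-directory traversal, or a path into a Windows Startup folder. The entry-name heuristics, the Startup-folder markers and the sample listing are constructed assumptions for this example, not published signatures.

```python
import re
from pathlib import PureWindowsPath

# Versions at or above this one carry RARLAB's fix for CVE-2025-8088 (7.13, per the article).
FIXED_VERSION = (7, 13)

# Lower-cased path fragments of the per-user and all-users Startup folders (assumption).
STARTUP_MARKERS = (
    r"microsoft\windows\start menu\programs\startup",
    r"programdata\microsoft\windows\start menu\programs\startup",
)

# Constructed archive listing for illustration; not taken from a real sample.
SAMPLE_LISTING = [
    "invitation.pdf",
    "invitation.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
]


def parse_version(text: str) -> tuple:
    """Turn a version string such as '7.12' or '7.13 beta 1' into a comparable (major, minor) tuple."""
    m = re.match(r"(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised WinRAR version: {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable_version(text: str) -> bool:
    """True when the installed version predates the 7.13 fix."""
    return parse_version(text) < FIXED_VERSION


def inspect_entry(name: str) -> list:
    """Return the reasons an archive entry name looks suspicious; an empty list means none found."""
    reasons = []
    # An alternate data stream is addressed as  file:stream ; archives store no drive letters,
    # so a colon in an entry name has no benign reason to be there (heuristic assumption).
    if ":" in name:
        reasons.append("alternate data stream syntax")
    target = name.split(":", 1)[1] if ":" in name else name
    target = target.replace("/", "\\")
    if ".." in PureWindowsPath(target).parts:
        reasons.append("parent-directory traversal")
    if any(marker in target.lower() for marker in STARTUP_MARKERS):
        reasons.append("targets a Windows Startup folder")
    return reasons


def scan_listing(entries) -> dict:
    """Map each suspicious entry name to its reasons; benign entries are left out."""
    return {e: r for e in entries if (r := inspect_entry(e))}


if __name__ == "__main__":
    print("7.12 vulnerable:", is_vulnerable_version("7.12"))
    for entry, why in scan_listing(SAMPLE_LISTING).items():
        print(entry, "->", "; ".join(why))
```

Feed `scan_listing` the entry names from an archive listing (for example the output of WinRAR's own `l` command) before the archive is extracted on a host that may still run an unpatched version.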

State-sponsored and criminal actors active

Both state-sponsored and criminal groups are exploiting this vulnerability, Google reports. Groups linked to Russia, such as UNC4895, APT44, and Turla, are primarily targeting Ukrainian government and military targets with tailored phishing campaigns. China-affiliated actors and hackers acting for financial motives are less selective in their targets.

These campaigns are active worldwide, Google warns. The payloads are often downloaded via Dropbox or hidden in HTML files. Google also points to a lively underground market for these exploits. The commercialization of exploits lowers the barrier for attackers and accelerates distribution.