A WinRAR exploit that has been discovered and patched in July 2025 remains widely used by threat actors — many of them government-backed — where a malicious archive delivers its hidden payload to a critical directory like the Windows Startup folder. According to the Google Threat Intelligence Group (GTIG), attackers take advantage of the CVE-2025-8088 critical vulnerability, which has since been addressed with the latest release of WinRAR, version 7.13. However, it seems that users are slow to update their software, as GTIG says that it is still a popular vector used by attackers linked to both China and Russia.
CVE-2025-8088 describes a path traversal vulnerability in earlier versions of WinRAR, in which malicious actors create archives that have a hidden payload. When the victim opens it, the payload is then surreptitiously delivered to a critical path. The Windows Startup folder is often one of the default destinations, ensuring that the delivered malware is executed the next time the user opens or restarts their computer.
Despite the ubiquity of fast internet and cloud storage, archiving apps like WinRAR, WinZip, and 7-Zip remain popular among some users. That’s because they allow you to package multiple files and folders into one clean file and allow for encryption and password protection. Aside from that, they also compress the file size, reducing the amount of data needed to download them and helping save on data costs.
According to GITG, Ukrainian military units and government entities are often targeted by this exploit, mostly for espionage. However, commercial entities are also prone to this attack, with victims recorded in Indonesia, LATAM, and Brazil. So, if you have WinRAR installed on your system, it’s best that you upgrade it to the latest version to avoid becoming victimized through this attack vector.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
