A security flaw in WinRAR—patched over a year ago—has become a persistent tool for state-sponsored hackers, with Russian and Chinese-linked actors continuing to exploit it in real-world attacks. The vulnerability, identified as CVE-2025-8088, was first disclosed in July 2023 and addressed in WinRAR version 7.13, yet remains a favorite among threat actors due to its effectiveness.

The attack method is straightforward yet dangerous. Malicious files are hidden within the Alternate Data Streams (ADS) of decoy archives. When a victim extracts the archive, the hidden payload is written to critical system locations, such as the Windows Startup folder, and executes automatically upon reboot. This bypasses traditional detection methods, allowing attackers to deploy malware like POISONIVY or gain persistent access to compromised systems.
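As an added example (not from the article, and not WinRAR's own tooling), the following PowerShell audit is what a defender can run after extracting an untrusted archive: it lists files under an extraction directory that carry alternate data streams and enumerates both Windows Startup folders with file hashes, since those are the two places the technique described above leaves traces. The `$ExtractDir` default is an assumed placeholder.

```powershell
# Added example (not from the article): audit an extraction directory for
# Alternate Data Streams and list Startup folder contents for review.
# Assumes PowerShell 5.1 or later on an NTFS volume.
param(
    # Assumed placeholder: point this at the folder the archive was extracted into.
    [string]$ExtractDir = "$env:USERPROFILE\Downloads"
)

function Get-AdsEntries {
    param([string]$Path)
    # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
    # 'Zone.Identifier' is the Mark-of-the-Web that browsers add and is expected.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

function Get-StartupItems {
    # Both the per-user and the all-users Startup folders run their contents at logon.
    $dirs = @([Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup'))
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

"== Files with alternate data streams under $ExtractDir =="
Get-AdsEntries -Path $ExtractDir | Format-Table -AutoSize

"== Startup folder contents (review anything you did not place there) =="
Get-StartupItems | Sort-Object Created -Descending | Format-Table -AutoSize
```

Any ADS entry other than the Mark-of-the-Web on a freshly extracted file, or a Startup item you did not create, is worth pulling for analysis before the next logon.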

Google’s threat intelligence team has observed multiple campaigns leveraging this flaw. Russian-aligned groups have targeted Ukrainian military networks, while Chinese-linked operators have used it to deliver POISONIVY malware—a custom backdoor—via malicious batch files dropped into the Startup folder. Additionally, financially motivated hackers have exploited the vulnerability to compromise hospitality and travel organizations through phishing emails disguised as hotel booking confirmations.

WinRAR flaw exploited by state-backed hackers remains a live threat: here is how to stay safe

The persistence of this exploit highlights a broader cybersecurity challenge: n-day vulnerabilities—flaws with known fixes that continue to be exploited because users fail to apply patches. In this case, the solution is direct. WinRAR users should immediately update to version 7.13 or later. Until then, opening any WinRAR archive—even from trusted sources—poses a risk.

For those unable to update immediately, disabling WinRAR entirely or using an alternative archiving tool until the update can be applied is strongly advised. The threat is not theoretical; it is actively being used in targeted campaigns.

This is not the first time such a vulnerability has been weaponized long after a fix was available. The lesson remains the same: security updates are only effective if deployed promptly. With this WinRAR flaw, the window for exposure is now closed—but only for those who act.