- WinRAR bug CVE-2025-8088 exploited by criminal and state-sponsored groups
- Attackers use ADS feature to deploy malware via malicious files
- Users are urged to upgrade to WinRAR 7.13 or later for added protection
The iconic Windows archive program WinRAR contains a high-severity vulnerability that allows threat actors to execute arbitrary code on compromised endpoints, and security researchers now say the bug is being exploited by numerous hacking collectives, both state-sponsored and otherwise.
The bug in question is described as a path traversal bug that affects versions 7.12 and earlier. It is tracked as CVE-2025-8088 and was assigned a severity score of 8.4/10 (high).
To protect your installations and prevent hacker incursions, security professionals recommend updating the program to version 7.13 or later.
Abused like a zero-day
Now, according to BleepingComputer, several security teams have warned of numerous hacker collectives using this flaw in their attacks.
Among them is RomCom, a group aligned with Russia, which used it to deploy NESTPACKER against Ukrainian military units. Other notable mentions include APT44 and Turla (also used against the Ukrainian military), Carpathian, and multiple Chinese state-sponsored actors who were allegedly using it to launch the POISONIVY malware.
Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that primarily tracks state-sponsored attackers, said the first signs of abuse were observed in mid-July 2025. Since then, hackers have been using the Alternate Data Streams (ADS) feature in WinRAR to write malware to arbitrary locations on target devices.
“While the user typically sees a decoy document, such as a PDF, within the file, there are also malicious ADS entries, some containing a hidden payload while others are dummy data,” Google said.
When the victim opens the archive, the program extracts the ADS payload by traversing directories, Google explained.
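As an added example that is not part of the article and is not WinRAR's own code, the following Python triage flags archive entry names that carry NTFS alternate data stream syntax or that would escape the extraction directory, including traversal hidden inside the stream name, which is the combination described above. The entry names, the placeholder directory and the destination path are constructed for illustration.

```python
"""Pre-extraction triage of archive entry names: refuse entries that escape the
destination directory or that name an NTFS alternate data stream (ADS)."""
from __future__ import annotations
import ntpath  # Windows path rules, importable on any platform

# Constructed sample entry names; not taken from any real archive.
SAMPLE_ENTRIES = [
    "invoice.pdf",                                        # benign decoy document
    "docs/readme.txt",                                    # benign nested file
    "invoice.pdf:notes",                                  # ADS with a plain stream name
    "invoice.pdf:..\\..\\PLACEHOLDER_DIR\\payload.exe",   # traversal smuggled in the stream name
    "..\\..\\PLACEHOLDER_DIR\\payload.exe",               # classic parent-directory traversal
    "C:\\Windows\\Temp\\x.dll",                           # absolute path
]

def split_ads(entry: str) -> tuple[str, str | None]:
    """Split 'file:stream' into (file, stream); a leading drive colon is not a stream."""
    drive, body = "", entry
    if len(entry) >= 2 and entry[0].isalpha() and entry[1] == ":":
        drive, body = entry[:2], entry[2:]
    if ":" in body:
        base, stream = body.split(":", 1)
        return drive + base, stream
    return entry, None

def escapes(path: str, dest: str) -> bool:
    """True if placing `path` under `dest` would resolve outside `dest`."""
    if path.startswith(("\\", "/")) or ntpath.splitdrive(path)[0]:
        return True  # rooted or drive-qualified: never relative to dest
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, path))  # collapses '..'
    return ntpath.commonpath([dest_norm, target]) != dest_norm

def entry_findings(entry: str, dest: str = "C:\\extract") -> list[str]:
    """Reasons to refuse an entry; an empty list means it looks safe to extract."""
    base, stream = split_ads(entry)
    findings = []
    if escapes(base, dest):
        findings.append("path escapes destination")
    if stream is not None:
        findings.append("alternate data stream")
        if escapes(stream, dest):
            findings.append("stream name escapes destination")
    return findings

def triage(entries, dest: str = "C:\\extract") -> dict[str, list[str]]:
    """Map each entry name to its findings so a caller can refuse or quarantine it."""
    return {e: entry_findings(e, dest) for e in entries}

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_ENTRIES).items():
        print(f"{'REFUSE' if why else 'ok    '} {entry}  {'; '.join(why)}")
```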
In addition to nation-states, financially motivated groups were also taking advantage of this bug, using it to drop information stealers like XWorm or AsyncRAT.
WinRAR does not update automatically, but it is not necessary to uninstall the program before installing the new version. It will simply be installed over the existing one.
Via BleepingComputer