WinRAR under attack by state-level hackers, according to Google


WinRAR, a tool for decompressing compressed files, is one of those pillars of daily PC use that somehow takes a back seat. I used to install it on all computer setups, like VLC and IrfanView. But according to a report from Google security researchers, a long-known vulnerability in WinRAR is being actively attacked by hackers allegedly aligned with Russia and China.
Google’s Threat Intelligence Group says the WinRAR CVE-2025-8088 vulnerability can be used to write malicious files to a system when a malicious archive is opened with an older version of the software. The exploit was discovered last year and quickly patched in July 2025, but many older versions of WinRAR are still in use and still targeted. Google reports that four different hacker groups are working to target Ukrainian military and civilian systems, apparently in service of the ongoing Russian invasion. A fifth group, based in the People’s Republic of China, is attempting to use this vulnerability to distribute remote access Trojans.
The problem is large enough that state-aligned hackers aren’t the only ones exploiting it. Attacks by others have pursued conventional financial gain in Brazil and Latin America, Indonesia and elsewhere, researchers say. Software that uses this exploit is even sold commercially on the black market, with malware developers advertising packages priced between US$80,000 and US$300,000 that attack targets such as Windows, Microsoft Office, VPNs, and antivirus programs.
Google’s research team is sharing data that can help detect known threats exploiting this WinRAR flaw. But the best way to protect yourself is simply to update the software if you use it: the vulnerability has been patched for almost six months now. (WinRAR and other archive programs are also much less crucial now, as the proprietary RAR file format has become less popular and Windows can now natively extract ZIP, 7-Zip, and RAR files.)



