WinRAR under attack by state-level hackers, according to Google

WinRAR, a tool for unpacking compressed files, is one of those pillars of everyday PC use that’s kind of faded into the background. I used to install it on every computer setup, like VLC and Irfanview. But according to a report from security researchers at Google, a long-known vulnerability in WinRAR is being actively attacked by hackers allegedly aligned with Russia and China.
Google’s Threat Intelligence Group says that WinRAR vulnerability CVE-2025-8088 can be used to write malicious files to a system when opened by an older version of the software. The exploit was discovered last year and patched quickly in July of 2025, but plenty of older versions of WinRAR are still in use, and still being targeted. Google reports that four different hacker groups are working to target Ukrainian military and civilian systems, ostensibly in service of Russia’s ongoing invasion. A fifth group, based in the People’s Republic of China, is attempting to use the vulnerability to deliver remote access trojans.
The issue is broad enough that state-level hackers aren’t the only ones exploiting it. According to the researchers, attacks from others have been directed at conventional financial gain in Brazil and broader Latin America, Indonesia, and elsewhere. Software that uses this exploit is even being sold commercially on the black market, with malware developers advertising packages for between $80,000 and $300,000 USD, attacking targets like Windows, Microsoft Office, VPNs, and antivirus programs.
Google’s research team is sharing data that can help with the detection of known threats exploiting this WinRAR flaw. But the best way to protect yourself is simply to update the software if you’re using it — the vulnerability has been patched for almost six months now. (WinRAR and other archive programs are also a lot less crucial now, as the proprietary RAR file format has become less popular, and Windows can now natively unpack ZIP, 7-Zip, and RAR files.)





