WinRAR flaw CVE-2025-8088 exploited by state-sponsored and criminal groups

Date: 2026-01-28

Attackers use ADS feature to deploy malware via malicious archives

Users urged to update to WinRAR 7.13 or newer for protection

Iconic Windows archiving program WinRAR contains a high-severity vulnerability that allows threat actors to execute arbitrary code on compromised endpoints, and security researchers now say the bug is being exploited by numerous hacking collectives, both state-sponsored and otherwise.

The bug in question is described as a path traversal flaw, affecting versions 7.12 and older. It is tracked as CVE-2025-8088, and was given a severity score of 8.4/10 (high).

To protect their systems against this bug, users are advised to update the program to version 7.13 or newer.

Abused as a zero-day

BleepingComputer reports that multiple security outfits have warned about numerous hacking collectives using this flaw in their attacks.

Among them is RomCom, a Russia-aligned group, which used it to deploy NESTPACKER against Ukrainian military units. Other notable mentions include APT44 and Turla (also used against the Ukrainian military), Carpathian, and multiple Chinese state-sponsored actors who were allegedly using it to drop the POISONIVY malware.

Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that mostly tracks state-sponsored attackers, said the earliest signs of abuse were seen in mid-July 2025. Since then, hackers have been using the Alternate Data Streams (ADS) feature in WinRAR to write malware to arbitrary locations on target devices.

"While the user typically views a decoy document, such as a PDF, within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," Google said.

When the victim opens the archive, WinRAR extracts the ADS payload to a location chosen by way of directory traversal, GTIG explained.
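The ADS-plus-traversal mechanism described above is something a defender can screen for before an archive is ever extracted on a host. The following Python script is an added example, not code from the article, from Google, or from WinRAR's developers: it classifies archive entry names from a constructed listing, flagging ADS stream syntax (`file:stream`), `..` components, absolute paths, and any path or stream name that would resolve outside the extraction directory, and it adds a version check against the 7.13 fix the article mentions. The entry names, the extraction directory (`C:\extract`) and the function names are all assumptions; in practice the listing would come from whatever archive tool your pipeline already uses.

```python
import ntpath

# Constructed sample listing (illustrative names, not taken from any real archive).
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/cover.png",
    r"report.pdf:..\..\dropper.exe",  # ADS name whose stream part climbs out of the extraction dir
    r"..\..\evil.dll",                # traversal in the file path itself
    r"C:\Temp\x.exe",                 # absolute path
    r"notes.txt:hidden",              # ADS without traversal: still nothing an archive should carry
]

PATCHED_VERSION = (7, 13)  # the article says 7.13 or newer is fixed


def split_stream(name):
    """Split a Windows 'file:stream' name into (file, stream).

    The drive colon in 'C:\\dir\\file' is not a stream separator, so the drive is
    split off first. A single-letter file name such as 'a:stream' is read as a
    drive-relative path by ntpath; that case is still flagged as absolute below.
    """
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        base, stream = rest.split(":", 1)
        return drive + base, stream
    return name, None


def stays_inside(dest, relative):
    """True if dest joined with relative, once normalised, is still under dest."""
    target = ntpath.normpath(ntpath.join(dest, relative))
    try:
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:  # different drive, or absolute mixed with relative
        return False


def findings_for(name, dest=r"C:\extract"):
    """Return the list of policy findings for one archive entry (empty means safe)."""
    dest = ntpath.normpath(dest)
    findings = []
    base, stream = split_stream(name)
    if stream is not None:
        findings.append("ads_stream")
        if not stays_inside(dest, stream):
            findings.append("stream_escapes_destination")
    if ntpath.isabs(base) or ntpath.splitdrive(base)[0]:
        findings.append("absolute_path")
    if ".." in base.replace("/", "\\").split("\\"):
        findings.append("dot_dot_component")
    if not stays_inside(dest, base):
        findings.append("escapes_destination")
    return findings


def is_vulnerable_version(version):
    """True for WinRAR versions below 7.13 (the article: 7.12 and older are affected)."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < PATCHED_VERSION


def scan_listing(entries, dest=r"C:\extract"):
    """Classify every entry in a listing; returns {entry name: findings}."""
    return {e: findings_for(e, dest) for e in entries}


if __name__ == "__main__":
    for name, findings in scan_listing(SAMPLE_ENTRIES).items():
        print(("BLOCK " if findings else "ok    ") + name, findings)
    print("7.12 vulnerable:", is_vulnerable_version("7.12"))
```

The containment test is done with `ntpath` rather than `os.path` so the Windows semantics (backslashes, drive letters, the `..` collapse at the root) are applied even when the scanner runs on a Linux mail gateway or sandbox. An entry with any ADS stream name is reported regardless of where the stream would land, since a legitimate document archive has no reason to carry one.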

Besides nation-states, financially motivated groups have also been leveraging this bug, using it to drop infostealers such as XWorm or AsyncRAT.

WinRAR does not update itself automatically, but you don’t need to uninstall the program before running the new installer: the new version is simply installed over the existing one.

