Attacks on WinRAR vulnerability continue
Anyone who has WinRAR on their computer should ensure they install the latest version. Google warns of active attacks.
(Image: heise online / dmk)
A security vulnerability in WinRAR has been known since August of last year and quickly came under attack by criminals. Although an update that closes the vulnerability is available, Google's Threat Intelligence Group continues to observe attacks on it to this day, by multiple threat groups.
"Government-backed malicious actors with ties to Russia and China, as well as financially motivated groups, continue to exploit this n-day vulnerability for various operations," explains Google in a recent analysis. "The method of exploitation, a path traversal vulnerability that allows files to be placed in the Windows startup folder and thus achieve persistence, highlights a gap in fundamental application security and user awareness."
Exploitation of old WinRAR vulnerability
The security vulnerability (CVE-2025-8088, CVSS 8.4, risk "high"), which was closed in WinRAR 7.13 at the end of July 2025, is often exploited by attackers using manipulated archives that hide malicious payloads in Alternate Data Streams (ADS), as Google's IT researchers explain. Victims typically see only a PDF file displayed in the archive. That file carries malicious ADS entries, some containing malware and others merely dummy data. The malware is written to a sensitive directory via path traversal; attackers often target the Windows startup folder to gain persistence. They combine the ADS function with path traversal; as an example, Google cites the combined name "innocuous.pdf:malicious.lnk" together with the path "../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk". When the archive is opened, WinRAR extracts the ADS content to the specified path. The malware is then started automatically the next time the user logs in.
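The following is an added example, not code from Google's analysis or from WinRAR: a small defender-side check that takes archive entry names (as a listing tool would report them) and flags the pattern the article describes: an ADS-style name (a colon separating host file and stream), `..` segments that escape the extraction directory, and a resolved target inside the Windows Startup folder. The entry names and the extraction directory `/extract` are constructed for illustration; `<user>` is the placeholder used in the article. It does not parse RAR files itself, it only inspects names.

```python
import posixpath
import re
from dataclasses import dataclass, field

# Hypothetical directory the archive is being unpacked into (assumption for the example).
EXTRACT_DIR = "/extract"

# Windows Startup folder, matched case-insensitively on the resolved path.
STARTUP_RE = re.compile(r"/start menu/programs/startup/", re.IGNORECASE)

# Constructed sample listing: archive entry names as a lister would report them.
# Entry 2 and 3 mirror the ADS name and traversal path quoted in the article.
SAMPLE_ENTRIES = [
    "report.pdf",
    "innocuous.pdf:malicious.lnk",
    "../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk",
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat",
]


@dataclass
class Finding:
    name: str
    resolved: list            # where each component would land after resolving ".."
    flags: set = field(default_factory=set)


def split_ads(name: str):
    """Split 'host.pdf:stream.lnk' into (host, stream).

    A leading drive letter such as 'C:' is a normal Windows path, not a stream marker,
    so it is stripped before looking for the ADS colon.
    """
    body = name[2:] if re.match(r"^[A-Za-z]:", name) else name
    if ":" in body:
        host, stream = body.split(":", 1)
        return host, stream
    return body, None


def resolve(path: str) -> str:
    """Normalise backslashes and '..' segments relative to EXTRACT_DIR, as an extractor would."""
    unified = path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(EXTRACT_DIR, unified))


def classify_entry(name: str) -> Finding:
    """Flag ADS names, traversal outside EXTRACT_DIR, and writes into the Startup folder."""
    host, stream = split_ads(name)
    flags = set()
    if stream is not None:
        flags.add("ads")
    # Check both the host file and (if present) the stream name: either one may carry
    # the traversal path that decides where the data actually lands.
    resolved = [resolve(host)] + ([resolve(stream)] if stream is not None else [])
    for target in resolved:
        if not target.startswith(EXTRACT_DIR + "/"):
            flags.add("traversal")
        if STARTUP_RE.search(target):
            flags.add("startup_target")
    return Finding(name=name, resolved=resolved, flags=flags)


def scan(entries) -> dict:
    """Map every entry name to its set of flags."""
    return {name: classify_entry(name).flags for name in entries}


def suspicious(entries) -> list:
    """Entries that should block extraction: anything escaping EXTRACT_DIR or hitting Startup."""
    return [name for name, flags in scan(entries).items()
            if flags & {"traversal", "startup_target"}]


if __name__ == "__main__":
    for name, flags in scan(SAMPLE_ENTRIES).items():
        print(f"{sorted(flags) or ['clean']}\t{name}")
```

A plain "startup_target" flag without "traversal" would mean the archive ships a Start Menu subtree inside the extraction directory, which is harmless on its own; the combination of the two is the case the article describes and is the one a mail gateway or endpoint check should act on.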
Over time, several cyber gangs have exploited the WinRAR vulnerability, and this continues to this day.
(Image: Google)
Several state actors have misused the vulnerability for espionage. Google attributes some of these groups to Russia; they have used it against Ukrainian military and government institutions. Others, such as UNC4895, also known as RomCom, pursue both financial and espionage goals and likewise target Ukrainian military units. Google locates APT44, nicknamed FrozenBarents, in Russia; TEMP.Armageddon (Carpathian) targets Ukrainian government institutions. Turla (Summit) lured victims with topics related to Ukrainian military activities and drone deployments.
Google has also observed a China-affiliated group that used the vulnerability to distribute the PoisonIvy malware via .bat files, which in turn loaded a Trojan dropper. Purely financially motivated cyber gangs have joined in as well. One targeted institutions in Indonesia. Another targeted the travel and tourism industry, particularly in Latin America. Yet another group targeted Brazilians and delivered malicious Chrome extensions that stole login credentials for two banks.
Groups that create and sell exploits on demand (Malware as a Service), such as a gang called "zeroplayer," have also jumped on the bandwagon, though they usually have several exploits in their arsenal. According to Google, such offerings extend the period during which a vulnerability is actively attacked.
Anyone using WinRAR should update the software to the latest version. Google provides a long list of Indicators of Compromise (IOCs) in the analysis, which interested parties can use to check whether they may have become a victim of an attack.
(dmk)