Google warns of hacking by hackers from Russia and China using WinRAR

Google has warned that a known critical vulnerability, CVE-2025-8088, in the popular WinRAR archiver for Windows is still being actively exploited by hackers linked to Russia and China. The vulnerability was discovered in July last year and added to the National Vulnerability Database in August.

WinRAR fixed the problem in the 7.13 update released on July 30, but users of older versions remain at risk. The exploit works via Alternate Data Stream (ADS): a malicious file is hidden in a fake file inside the archive. After unpacking, it gets into critical system folders, including Windows Startup, and automatically runs when the system reboots.

Google notes that among the attackers are Russian hacking groups attacking the Ukrainian army, Chinese groups distributing the POISONIVY malware via BAT files, as well as cybercriminals focused on financial gain. The latter, according to the company, are actively targeting the hotel and tourism sectors using phishing emails with infected archives.

Experts emphasize that the situation with CVE-2025-8088 is a prime example of so-called n-day vulnerabilities – when patches are already available, but a significant part of users do not install the update, remaining vulnerable to attacks.

Google recommends that all users immediately update WinRAR to version 7.13 and avoid opening archives in older versions of the program to minimize the risk of infection.