Cybercriminals Keep Picking the Lock: WinRAR Flaw Powers Global Malware Surge
Subtitle: Despite an official fix, hackers (and even governments) are exploiting an old WinRAR vulnerability to launch new attacks worldwide.
It’s the digital equivalent of leaving a window open after the locksmith leaves: a patched but widespread WinRAR vulnerability is still being used by hackers to break into computers around the globe. Even as security experts sound the alarm, cybercriminals, ranging from notorious Russian and Chinese groups to everyday scammers, are exploiting this flaw to quietly deliver malware, steal secrets, and rake in profits.
Inside the Exploit: How a Patched Bug Became a Criminal Goldmine
WinRAR, a staple file compression tool on millions of PCs, became an unlikely vector for cyberattacks after researchers discovered a “path traversal” vulnerability in early 2025. The flaw, tracked as CVE-2025-8088, lets attackers disguise malware as harmless files. When unsuspecting users open a booby-trapped archive, a malicious file is written into the Windows Startup folder instead of the folder the user chose, ensuring it runs every time the computer is switched on. The result? Hackers gain persistent, often invisible control over the system.
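The mechanism above is the generic archive path traversal problem: an entry name inside the archive carries `..` components or an absolute path, and an extractor that trusts the name writes the file somewhere other than the chosen extraction directory. The script below is an added example of the defender-side check an extractor (or a mail gateway that unpacks attachments) should apply to every entry before writing it. It is not code from the article, from WinRAR, or from any of the researchers named here; the extraction directory and the entry names are constructed for illustration, and the Startup folder path is simply the standard Windows location mentioned in the glossary. It uses Python's `ntpath` module so the check follows Windows path rules on any host.

```python
import ntpath

# Constructed example: an extraction directory chosen for illustration.
EXTRACT_DIR = r"C:\Users\alice\Downloads\invoice_archive"


def entry_escapes(entry_name: str, extract_dir: str = EXTRACT_DIR) -> bool:
    """Return True if an archive entry name would be written outside extract_dir.

    Windows path semantics (ntpath) are used regardless of the host OS so the
    result reflects what a Windows extractor would do with the name.
    """
    # Archives may carry either separator; treat both as Windows separators.
    name = entry_name.replace("/", "\\")

    # Absolute paths (C:\..., \\server\share\..., \Windows\...) never belong in
    # an archive entry: they ignore the extraction directory entirely.
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return True

    # Resolve the entry against the extraction directory, collapse any "..",
    # "." and duplicate separators, then compare case-insensitively. The
    # trailing separator on the prefix stops "invoice_archive_evil\x" from
    # passing as a child of "invoice_archive".
    base = ntpath.normcase(ntpath.normpath(extract_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(extract_dir, name)))
    return not (target == base or target.startswith(base + "\\"))


def find_traversal_entries(entry_names, extract_dir: str = EXTRACT_DIR):
    """Return the subset of entry names that would escape extract_dir."""
    return [n for n in entry_names if entry_escapes(n, extract_dir)]


# Constructed entry list modelled on the lure the article describes: a
# benign-looking document plus an entry that climbs out of the extraction
# directory into the user's Startup folder. File names are made up.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/diagram.png",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
]

if __name__ == "__main__":
    for name in find_traversal_entries(SAMPLE_ENTRIES):
        print(f"BLOCKED: {name}")
```

Run as-is, the script flags only the third entry. The same resolve-then-compare test is what a safe extractor performs on every name before it creates the file; a name that merely contains `..` but stays inside the target directory (for example `sub\..\readme.txt`) is allowed, while anything that climbs above it, or names a drive or UNC share, is rejected.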
Though WinRAR’s developers released a patch (version 7.13) in July 2025, the reality is stark: many users, especially in businesses and government agencies, haven’t updated. This lag has created a playground for cybercriminals and even some nation-state actors.
Who’s Exploiting the Flaw?
Google’s Threat Intelligence Group (GTIG) and other researchers have tracked a surge in attacks since the bug’s disclosure. Russian-linked groups like APT44 (“Sandworm”) and Turla targeted Ukrainian military and government networks, using drone-themed lures to deploy sophisticated malware like STOCKSTAY and HTA downloaders. Meanwhile, a Chinese group used the exploit to plant POISONIVY, a notorious spying tool.
Not to be outdone, the RomCom (UNC4895) gang is double-dipping, chasing both political secrets and financial gain. They’ve distributed Snipbot variants, info-stealers, and even fake Chrome extensions to swipe banking credentials, especially in Brazil. In Latin America, the travel sector was duped with fake hotel emails, while in Indonesia, Dropbox links delivered remote-access backdoors controlled via Telegram.
The Malware Market: Hacking for Hire
What’s fueling this epidemic? A thriving underground marketplace. Sellers like “zeroplayer” peddle WinRAR exploits and other digital skeleton keys, offering everything from Microsoft Office break-ins ($300,000) to antivirus “kill switches” ($80,000). This democratizes cybercrime, letting low-level crooks launch attacks once reserved for elite hackers.
The bottom line: As long as users delay updates, this patched bug remains a loaded weapon. Experts urge everyone, individuals and organizations alike, to update WinRAR immediately. In the cat-and-mouse game of cybercrime, complacency is the biggest risk.
Looking Forward
WinRAR’s lingering vulnerability is a cautionary tale about the dangers of ignoring software updates. In today’s threat landscape, even a single unpatched program can open the door to global cybercrime. Vigilance and timely patching are our best defense.
WIKICROOK
- Path Traversal: Path Traversal is a security flaw where attackers manipulate file paths to access files or data outside a system's intended boundaries.
- Startup Folder: The Startup Folder is a Windows directory where programs placed inside automatically run every time the computer starts or a user logs in.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Exploit: An exploit is a technique or software that takes advantage of a vulnerability in a system to gain unauthorized access, control, or information.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.