Security researchers at Google are warning that a long-known vulnerability in the popular file compression tool WinRAR is now being actively exploited in targeted cyberattacks. The flaw, tracked as CVE-2025-8088, allows malicious files to be written to a system when a compromised archive is opened using older versions of the software. Although the issue was patched in July 2025, many users are still running outdated releases, leaving their systems exposed.
According to Google’s Threat Intelligence Group, multiple hacking groups have weaponized the vulnerability. Four of the groups are reportedly targeting Ukrainian military and civilian systems, while a separate group based in China is using the exploit to distribute remote access trojans. The attacks are not limited to state-backed operations, however, as financially motivated campaigns have also been observed in regions such as Brazil, Latin America, and Indonesia.
Researchers say malware packages built around the WinRAR flaw are being sold on underground markets for prices ranging from $80,000 to $300,000, advertising compatibility with Windows, Microsoft Office, VPN software, and antivirus tools. Google has shared technical data to help defenders detect known threats linked to the exploit.
Despite the scale of the attacks, the most effective protection remains simple: updating WinRAR to the latest version. The company notes that modern versions of Windows can now natively unpack many archive formats, reducing reliance on third-party tools and lowering the risk from outdated software.