Олександр Кузьменко
30 January 2026, 10:54
Russian hackers use WinRAR vulnerability to attack Ukrainian users
Google cyber experts have reported that several hackers, including those supported by state agencies, are exploiting a critical vulnerability in RARLAB’s WinRAR to gain access to users' files.
“Discovered and patched in July 2025, the vulnerability continues to be exploited in various operations by attackers linked to Russia and China, as well as attackers with financial motives,” said experts from the Google Threat Intelligence Group (GTIG).
Hacker News reports that this path traversal vulnerability allows files to be placed in the Windows startup folder. This flaw was fixed in WinRAR version 7.13, released on July 30, 2025. However, in unpatched versions, the vulnerability allows hackers to execute arbitrary code by creating malicious archive files.
ESET, which discovered and reported this security flaw, said it had observed a dual financial and espionage group known as RomCom (also known as CIGAR or UNC4895) exploiting this vulnerability as early as July 18, 2025.
It is noted that Russian hackers from Sandworm used this vulnerability to “place a decoy file with a Ukrainian name” and a malicious LNK file that attempts to download additional files. Russian hackers from Gamaredon carried out attacks on Ukrainian government institutions using malicious RAR archives containing HTML Application (HTA) files.
Turla attackers are also mentioned as having exploited this vulnerability to infect computers with the STOCKSTAY malware. They used “deception” related to Ukraine’s military activities and drone operations.
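For defenders, the behaviour described above (archive entries that land in the Windows startup folder, carrying LNK or HTA files) can be checked on an archive's member list before anything is extracted. The following is an added example, not code from Google, ESET or WinRAR; the function names, the destination path and the sample entry names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Per-user Startup folder location under the profile (matched case-insensitively).
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
RISKY_EXT = {".lnk", ".hta"}  # file types the article says were delivered

def audit_entry(dest, entry):
    """Return findings for one archive member name if extracted under dest."""
    findings = []
    name = entry.replace("/", "\\")
    root = ntpath.normpath(dest)
    # join() lets an absolute or drive-qualified name override dest,
    # and normpath() collapses any ".." components.
    target = ntpath.normpath(ntpath.join(root, name))
    if not ntpath.normcase(target).startswith(ntpath.normcase(root) + "\\"):
        findings.append("escapes-destination")
    if STARTUP_SUFFIX in ntpath.normcase(ntpath.dirname(target)):
        findings.append("startup-folder")
    if ntpath.splitext(target)[1].lower() in RISKY_EXT:
        findings.append("risky-extension")
    return findings

def audit_archive(dest, entries):
    """Map each suspicious member name to its findings; clean names are omitted."""
    report = {}
    for entry in entries:
        findings = audit_entry(dest, entry)
        if findings:
            report[entry] = findings
    return report

# Constructed sample listing (not taken from any real archive).
SAMPLE_DEST = r"C:\Users\alice\Downloads\out"
SAMPLE_ENTRIES = [
    "docs/report.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "notes.hta",
    r"docs\..\..\out2\readme.txt",
]

if __name__ == "__main__":
    for name, findings in audit_archive(SAMPLE_DEST, SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(findings)}")
```

The check only inspects member names, so it complements rather than replaces updating to WinRAR 7.13 or later.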