WinRAR zero-day lets hackers plant startup malware, update to 7.13 now
A newly disclosed flaw in WinRAR, tracked as CVE-2025-8088, is being actively exploited by the Russia-linked group RomCom to drop backdoor malware on Windows PCs, security researchers say. The vulnerability is a path traversal bug that lets a malicious archive write files outside the intended extraction folder, which attackers use to place payloads that run on the next login.
ESET, which discovered the attacks, says the booby-trapped RAR files were sent in spear-phishing emails dressed up as job applications. When opened, the archive deploys a malicious DLL to a temporary directory and plants a Windows shortcut file in the Startup folder to gain persistence. Targets included companies in Europe and Canada in finance, manufacturing, defence and logistics.
WinRAR has released version 7.13, which fixes the issue. Previous Windows builds of WinRAR, RAR, UnRAR and UnRAR.dll are vulnerable. WinRAR does not auto-update, so users must download and install the new version manually. Unix builds and the Android app are not affected.
Researchers and trade press note that attackers can abuse the bug to drop files into Windows autorun locations, including the user and system Startup folders. That allows the malware to execute automatically after a reboot. The same campaign has used RomCom backdoors such as SnipBot, RustyClaw and the Mythic agent.
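As an added illustration (not code from WinRAR, ESET or the article), the check below resolves where each archive entry would land under a chosen extraction directory and flags entries that escape it or end up in one of the Startup folders named above; the extraction root and entry names are constructed samples.

```python
"""Flag archive entries whose extraction path escapes the destination or
lands in a Windows Startup folder. Added example, not WinRAR, ESET or
RomCom code; the extraction root and member names are constructed samples."""
import ntpath

# Fragment shared by the two Startup folders the article names (compared
# case-insensitively, so it matches both "Startup" and "StartUp").
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def normalise(path: str) -> str:
    """Collapse '.' and '..', unify separators, lower-case (NTFS names are
    case-insensitive)."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def check_member(extract_root: str, member_name: str) -> dict:
    """Resolve where MEMBER_NAME would land under EXTRACT_ROOT (an absolute
    Windows path). ntpath.join keeps an absolute member name as-is, which is
    exactly the case that must be caught rather than hidden."""
    root = normalise(extract_root).rstrip("\\")
    target = normalise(ntpath.join(root, member_name))
    inside = target == root or target.startswith(root + "\\")
    return {
        "member": member_name,
        "target": target,
        "escapes_root": not inside,
        "autorun_location": STARTUP_MARKER in target,
    }


def audit_archive(extract_root: str, member_names) -> list:
    """Entries that should block extraction: anything leaving the destination.
    String-level only; junction or symlink escapes need a separate check."""
    return [r for r in (check_member(extract_root, m) for m in member_names)
            if r["escapes_root"]]


ROOT = r"C:\Users\alice\Downloads\application"   # constructed sample
MEMBERS = [                                       # constructed sample listing
    "cv.pdf",
    "docs/cover_letter.docx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.exe",
    r"sub\..\..\..\Temp\loader.dll",
]

if __name__ == "__main__":
    for hit in audit_archive(ROOT, MEMBERS):
        tag = "STARTUP" if hit["autorun_location"] else "ESCAPE "
        print(f"[{tag}] {hit['member']} -> {hit['target']}")
```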
The disclosure follows another WinRAR path traversal flaw reported in June, CVE-2025-6218, which highlights ongoing risks from archive path handling. Keeping archive tools patched is essential, since exploit chains often begin with a single opened attachment.
What you should do
- Update WinRAR to 7.13 or later. Open WinRAR, select Help, then About to confirm the version. Manual download is required.
- Treat unsolicited RAR attachments with caution, especially those themed as job applications.
- If you opened a suspicious archive, change passwords and review the Startup folders at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp. Remove unknown shortcuts or executables.
- Use endpoint protection that flags suspicious file writes to autorun locations. Keep operating systems and browsers up to date.
ESET says the investigation is ongoing, and urges organisations to audit endpoints for vulnerable WinRAR versions and signs of unauthorised startup entries tied to recent RAR extractions.
Photo Credit: DepositPhotos.com
