A critical flaw in the Windows version of WinRAR is being exploited to install malware that runs automatically at startup. Users are urged to update to version 7.13 immediately, as the software does not update itself.
Tracked as CVE-2025-8088, the vulnerability allows malicious RAR files to place content in protected system folders, including Windows startup locations. Once there, the malware can steal data, install further payloads and maintain persistent access.
ESET researchers linked the attacks to the RomCom hacking group, a Russian-speaking operation known for espionage and ransomware campaigns. The flaw has been used in spear-phishing attacks where victims opened infected archives sent via email.
WinRAR's July update fixes the cybersecurity issue by blocking extractions outside user-specified folders. Security experts recommend caution with email attachments, antivirus scanning of archives and regular checks of startup folders for suspicious files.
