WinRAR Can Still Drop Malware Into Your Startup Folder a Year After the Patch

You unzipped a file with WinRAR, the way you always do. Nothing on screen looked wrong. The next morning you logged in and malware was already running, and the only thing you did was open an archive someone emailed you.
In July 2025, ESET researchers spotted a file called msedge.dll sitting inside a RAR archive, in a folder path that made no sense. That odd path turned out to be a brand new flaw in WinRAR, and someone was already using it in attacks while it was still unknown. That was last summer, and it has not stopped since.
The flaw is now tracked as CVE-2025-8088. It only hits WinRAR on Windows, version 7.12 and everything older. Linux, Unix and Android builds are fine. WinRAR claims more than 500 million installs.
What makes it news again now is that the patch has been out since July 2025 and attackers are still landing this on machines today. Researchers found them building fresh versions as late as April 2026 and were still reporting active exploitation this month. The reason comes down to how WinRAR updates, or rather how it does not: the program neither checks for updates nor warns you when one is out, and it has no built-in updater to roll the fix out on its own. The patch only lands if someone downloads it by hand and installs it over the old version, and plenty of people never do, so the vulnerable copy just keeps sitting there. Back in August 2025 the US cyber agency CISA added it to its Known Exploited Vulnerabilities catalog and set a hard patch deadline for federal agencies, which tells you it is being used in attacks right now, not just a theoretical risk.
Here is how the attack lands on a computer.
It starts with an email. Usually a fake job application or a CV, with a RAR file attached. The archive looks like it holds one harmless file, normally a PDF. That PDF is the only thing you are meant to notice. You open the archive, you see the document, nothing seems off.
What you cannot see is the rest of the archive. Tucked inside are Alternate Data Streams, or ADS. This is a normal NTFS feature that lets you attach extra data to a file without it showing up in a regular folder listing. The attackers hid the payload in those streams: a DLL, and a Windows shortcut with a .lnk extension. From where you are sitting, those files do not show up at all.
The trick is in the name of the stream. Instead of a plain stream name, it is a path full of ..\ ..\ ..\ sequences. A vulnerable WinRAR appends that name to the file it belongs to, lets Windows resolve the ..\ steps, and writes the content wherever the resolved path lands, outside the folder you chose to extract to. That is the path traversal: the stream name never got the sanity checks an ordinary file name in the archive would get, so nothing stopped the destination from climbing out of the extraction folder.
So the file ends up exactly where the attacker wants it. In practice two things land at once:
- a DLL or EXE dropped into a temp folder such as `%TEMP%` or `%LOCALAPPDATA%`
- a shortcut dropped into your Windows startup folder, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
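To make the mechanism concrete, here is an added example that is not WinRAR's or RARLAB's code and does not parse the RAR format. It models only the shape of the bug: the join a vulnerable extractor performs between the output folder and an entry named `file:stream`, beside the containment check a safe extractor needs (my illustration, not the 7.13 fix itself). It uses Python's `ntpath`, which applies Windows path-component rules on any host, so it runs offline. The extraction folder, the user name `alice`, the stream names and the dropped file names are constructed for the demonstration; the Startup folder path is the standard Windows one.

```python
"""Path traversal through an NTFS Alternate Data Stream name, modelled in Python.

Added illustration, not code from WinRAR or RARLAB. The extractor below does
what the text describes: it appends an entry name ('file:stream') to the
chosen output folder and lets Windows path rules resolve it. ntpath applies
the same component rules, so the result reproduces on any host.
"""
import ntpath

SEP = "\\"
# Standard per-user Startup folder, relative to the profile root.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed: the extraction folder the victim chose.
EXTRACT_DIR = r"C:\Users\alice\Downloads\cv"

# Constructed archive listing: the decoy document, two streams whose names are
# relative paths, and one harmless stream (the Mark-of-the-Web stream Windows
# itself adds to downloads) for comparison. Windows treats 'CV.pdf:..' as one
# ordinary component, so the first '..' is absorbed and the next three climb
# out of 'cv' and 'Downloads' to the profile root.
ENTRIES = [
    "CV.pdf",
    "CV.pdf:" + "..\\" * 4 + STARTUP + SEP + "Updater.lnk",
    "CV.pdf:" + "..\\" * 4 + r"AppData\Local\Temp\msedge.dll",
    "CV.pdf:Zone.Identifier",
]


def naive_target(extract_dir: str, entry_name: str) -> str:
    """What a vulnerable extractor does: concatenate and normalise, no check."""
    return ntpath.normpath(extract_dir + SEP + entry_name)


def hardened_target(extract_dir: str, entry_name: str) -> str:
    """Same join, but refuse anything that would leave extract_dir.

    Raises ValueError instead of returning a path outside the root. The
    stream-name rule is defence in depth: a genuine NTFS stream name never
    contains a path separator, so one that does is malformed on its own.
    """
    if ntpath.isabs(entry_name) or ntpath.splitdrive(entry_name)[0]:
        raise ValueError(f"absolute path in archive entry: {entry_name!r}")
    root = ntpath.normpath(extract_dir)
    dest = ntpath.normpath(extract_dir + SEP + entry_name)
    if not dest.lower().startswith(root.lower() + SEP):
        raise ValueError(f"escapes {root}: {entry_name!r} -> {dest}")
    _, has_stream, stream = entry_name.partition(":")
    if has_stream and (SEP in stream or "/" in stream):
        raise ValueError(f"path separator inside stream name: {entry_name!r}")
    return dest


def plan_extraction(extract_dir, entries):
    """Dry-run every entry through the hardened check.

    Returns (accepted, rejected): accepted maps entry -> destination, rejected
    maps entry -> (reason, where the naive extractor would have written it).
    """
    accepted, rejected = {}, {}
    for name in entries:
        try:
            accepted[name] = hardened_target(extract_dir, name)
        except ValueError as exc:
            rejected[name] = (str(exc), naive_target(extract_dir, name))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = plan_extraction(EXTRACT_DIR, ENTRIES)
    for name, dest in accepted.items():
        print(f"OK       {name}\n         -> {dest}")
    for name, (reason, naive) in rejected.items():
        print(f"REJECTED {name}\n         naive extractor would write: {naive}"
              f"\n         reason: {reason}")
```

Run it and the two stream entries resolve to the profile's Startup and Temp folders even though the user chose `C:\Users\alice\Downloads\cv`; the hardened check rejects both and still accepts the `Zone.Identifier` stream. Note that a surplus of `..\` costs the attacker nothing, since Windows discards any that reach the drive root, which is why real archives pile them up rather than guess the exact depth.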
Extracting the archive does not run anything yet. But anything sitting in your startup folder runs automatically the next time you log in. So you shut down, you go to sleep, you log in the next morning, and at that moment the shortcut fires. It launches a hidden loader that pulls the rest of the malware into memory. In the RomCom campaign that meant backdoors like a SnipBot variant, a Rust downloader called RustyClaw, and a Mythic agent.
What gets people is how little they did. You extracted an archive and double-clicked a PDF. You did not run a script, click allow on anything, or approve an install. Extracting the archive was all it took.
There is more to it. The attackers did not just hide the payload, they made it hard to notice. They packed the archive with extra ADS streams full of junk data and deliberately broken paths. When you extract, WinRAR shows a stack of error messages about those broken paths. The one line that counts, the malicious DLL and the startup shortcut, sits among all those errors. To even spot it you have to scroll down through the error window, and few people ever do. Those error messages were added on purpose, to keep the dangerous line from standing out.
The malware also checks whether it is being analyzed. In one version it only runs if it finds at least 69 recently opened documents on the machine. That is a quick way to tell a person’s everyday computer, full of recent files, from a fresh analysis sandbox that has none. Newer loaders do the same with built-in sleep delays and thousands of junk functions, meant to slow down anyone analyzing them.
And this did not stay with one group. A seller known as zeroplayer was offering the WinRAR exploit on underground markets, reportedly advertised for around 80,000 dollars. And it was just one item zeroplayer had listed. The same account also advertised a Windows privilege escalation for 100,000 dollars, a tool to disable antivirus and EDR for another 80,000, and a Microsoft Office exploit for 300,000. This is an ongoing exploit business, and it is why the WinRAR flaw spread so fast: one person builds it, sells it, and a range of buyers start using it. RomCom went first, but within days a second group that researchers at BI.ZONE call Paper Werewolf picked it up too. Google later tracked the same flaw across more groups, including APT44, Turla, and a China-linked actor.
One caveat on attribution: how the malware works is well documented, but who is running it is harder to pin down, since exploits like this get bought and resold.
This is also not the first time a quiet archive has caught WinRAR users. In 2019 it was a flaw in old ACE archive handling. In 2023 it was a ZIP flaw that ran hidden malware when you opened a file from inside the archive. A month before this one, in June 2025, there was already a related path traversal bug. The pattern keeps coming back: a tool you trust to unpack files, and a path that ends up somewhere you did not choose.
The fix is easy and free.
WinRAR patched this in version 7.13, released on 30 July 2025. RARLAB shipped the fix within days of ESET's report, which is fast for any vendor. So the only task is making sure you are on a safe version.
To check your version, open WinRAR and go to:
- Help, then About WinRAR
- If it reads 7.13 or higher, you are patched
- If it reads 7.12 or lower, you are exposed, so update now from the official win-rar.com site
A few habits that protect you:
- Do not extract RAR files from senders you do not know, especially CVs and job applications you were not expecting
- After extracting any archive, glance at your startup folder and your temp folder for new `.lnk`, `.dll` or `.exe` files you did not put there
- If you have to open something suspicious, do it inside a virtual machine, not on your main system
- If any other software on your machine bundles `UnRAR.dll`, update that copy too
- If you barely use WinRAR, Windows 11 can open RAR files on its own now, so you can uninstall it and stop worrying about updating it
This attack runs on things I teach hands-on in my ethical hacking course: how path traversal makes a file land where it should not, how attackers abuse trusted Windows tools instead of dropping obvious malware, and how malware keeps running after a reboot.
Hacking is not a hobby but a way of life.