
Security researchers at Trend Micro have caught Russian state-linked hackers exploiting a patched WinRAR vulnerability to plant file-stealing malware on victims’ computers. The group behind the attacks, known as Gamaredon, is primarily targeting Ukrainian organizations, but the underlying flaw — CVE-2025-8088 — affects anyone running an outdated copy of WinRAR worldwide. The bug lets a malicious archive write hidden files outside the folder you’re extracting to, and the attackers use that ability to silently run malware in the background.
The malware delivered in these attacks, called GammaSteel, monitors your files in real time and forwards sensitive documents to the attackers. WinRAR patched this flaw in July 2025. If you installed WinRAR a while ago and haven’t updated it since, your computer could be at risk from any archive you open — not just ones tied to this particular campaign.
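The flaw described above is an archive path-traversal bug: a crafted entry name such as `..\..\payload.exe` lands outside the chosen extraction folder. The following Python is an added illustration of the defensive check an extractor (or a scanner you run before extracting) should make; it is not WinRAR's code or Trend Micro's, and the destination path and entry names are constructed samples.

```python
import ntpath

# Constructed extraction folder for the example (not from the article).
DEST = r"C:\Users\alice\Downloads\extract"


def entry_escapes(member: str, dest: str = DEST) -> bool:
    """Return True if an archive entry name would be written outside dest.

    Uses ntpath so the check behaves like Windows regardless of the host:
    both '/' and '\\' are separators, and drive letters are recognised.
    """
    # Absolute or drive-relative names (C:\..., D:foo) can never be safe.
    drive, _ = ntpath.splitdrive(member)
    if drive or ntpath.isabs(member):
        return True
    # Resolve the entry against the destination and collapse any '..'.
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, member))
    # Safe only if the resolved path is dest itself or lies beneath it.
    return not (target == dest_norm or target.startswith(dest_norm + ntpath.sep))


def unsafe_entries(names, dest: str = DEST):
    """Filter a list of entry names down to those that escape dest."""
    return [n for n in names if entry_escapes(n, dest)]


# Constructed sample entry list: two benign names, three traversal attempts.
SAMPLE_ENTRIES = [
    "report.docx",
    "docs/../report.docx",        # climbs one level but stays inside dest
    r"..\..\payload.exe",         # backslash traversal out of dest
    "../../../payload.exe",       # forward-slash traversal out of dest
    r"C:\Windows\payload.dll",    # absolute path ignores dest entirely
]

if __name__ == "__main__":
    for name in unsafe_entries(SAMPLE_ENTRIES):
        print("would escape extraction folder:", name)
```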
How to check if you’re affected
Affected versions include WinRAR 7.00 and earlier. To check your version, open WinRAR and look in the title bar or go to Help → About WinRAR. If your version is older than 7.01, download the latest version from win-rar.com and install it. If you don’t use WinRAR regularly, consider uninstalling it — Windows 11 and macOS can open .zip files natively, and 7-Zip is a free alternative that receives regular security updates.
