Paper Werewolf targets Russia with WinRAR zero-day vulnerability

Aug. 20, 2025, 8:51 p.m.

Description

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor sent phishing emails impersonating Russian organizations and delivered malware through attached archive files. The attacks targeted Russian entities and used advanced techniques to bypass defenses, alongside an expanded toolkit. The malware, delivered via crafted RAR files, placed malicious executables in startup folders and connected to C2 servers. The threat actor demonstrated strong capabilities in exploiting zero-day vulnerabilities and in modifying existing tools for its own purposes. Multiple attack iterations were observed, with slight variations in payload delivery and execution methods.

Date

  • Created: Aug. 20, 2025, 12:33 p.m.
  • Published: Aug. 20, 2025, 12:33 p.m.
  • Modified: Aug. 20, 2025, 8:51 p.m.

Attack Patterns

  • xpsrchvw74.exe
  • WinRunApp.exe
  • Paper Werewolf

Additional Information

  • Defense
  • Government
  • Russian Federation