BI.ZONE Threat Intelligence uncovered a series of targeted cyber-espionage campaigns conducted by the Paper Werewolf (GOFFEE) cluster, which weaponized both a known WinRAR vulnerability (CVE-2025-6218) and a previously unknown zero-day flaw. These attacks highlight the persistent exploitation of widely used software tools in phishing campaigns and underscore the urgent need for timely patching and proactive defense.
According to the report, “cyber spies continue to demonstrate strong capabilities in bypassing defenses, enhancing their toolkits to successfully exploit vulnerabilities, particularly zero days.”
In early July, Paper Werewolf launched phishing campaigns impersonating a Russian R&D institute, distributing emails from a compromised supplier account. The messages carried malicious RAR archives, including minprom_04072025.rar, which abused CVE-2025-6218.
BI.ZONE explains: “This WinRAR vulnerability allows a malicious archive to extract and save files outside the intended target directory—including the startup folder—enabling code execution during the login process.”
When victims extracted the archive, executables such as xpsrchvw74.exe—a modified XPS Viewer containing reverse shellcode—were dropped into the Windows startup folder. The payload then connected to a command-and-control (C2) server at 89.110.88[.]155:8090, granting attackers remote access.
Later in July, BI.ZONE identified attacks leveraging an entirely new vulnerability affecting WinRAR up to version 7.12, patched in WinRAR 7.13.
The flaw, as described in the report, “stems from the archiver’s ability to include files with alternative data streams (ADS) which can contain arbitrary payloads. When an archive is extracted or a file is opened directly from within it, the data from ADS is written to arbitrary system directories, enabling a directory traversal attack.”
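Both WinRAR issues described above come down to the same defensive check: before any archive entry is written to disk, the final destination path must be confirmed to lie inside the chosen extraction directory, and entries whose names carry an alternate data stream (`file:stream`) deserve a flag of their own. The following Python is an added example, not code from BI.ZONE or from WinRAR; it models Windows path semantics with `ntpath` so it runs on any host, and it operates on a constructed list of entry-name strings (real RAR parsing is out of scope). The sample names are illustrative and are not the contents of the archives named in the report.

```python
import ntpath  # Windows path semantics on any host, so the check runs offline anywhere
import re

# Constructed sample archive listing modelled on the two techniques described above:
# a relative-path traversal that lands in the Startup folder, a bare absolute path,
# and an ADS-style "file:stream" entry. Hypothetical names, not real archive contents.
SAMPLE_ENTRIES = [
    "minprom_04072025/decoy.pdf",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xpsrchvw74.exe",
    "report.pdf:payload.exe",
    r"C:\Users\Public\evil.exe",
    "notes/readme.txt",
]

STARTUP_MARKER = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)
ABSOLUTE_PATTERN = re.compile(r"^[A-Za-z]:\\")  # drive-letter absolute path
DRIVE_ONLY = re.compile(r"^[A-Za-z]:$")


def analyze_entry(name: str) -> list[str]:
    """Return a list of findings for one archive entry name (empty list = nothing odd)."""
    findings = []
    normalized = name.replace("/", "\\")
    parts = normalized.split("\\")
    if ".." in parts:
        findings.append("traversal")  # '..' component: can escape the target directory
    if ABSOLUTE_PATTERN.match(normalized) or normalized.startswith("\\"):
        findings.append("absolute")  # absolute path ignores the target directory entirely
    last = parts[-1]
    # A colon in the final component is an NTFS alternate data stream (file:stream),
    # unless the whole name is just a drive letter such as "C:".
    if ":" in last and not (len(parts) == 1 and DRIVE_ONLY.match(last)):
        findings.append("ads")
    if STARTUP_MARKER.search(normalized):
        findings.append("startup")  # persistence location: runs at the next logon
    return findings


def is_contained(target_dir: str, entry_name: str) -> bool:
    """True only if extracting entry_name under target_dir stays inside target_dir.

    target_dir is assumed to be an absolute Windows path (e.g. r"C:\\extract\\target").
    ntpath.join discards the base when the entry is absolute, and ntpath.normpath
    resolves '..' components, so the comparison is on the real destination.
    """
    base = ntpath.normpath(target_dir).rstrip("\\")
    dest = ntpath.normpath(ntpath.join(base, entry_name.replace("/", "\\")))
    return dest.lower().startswith(base.lower() + "\\")


def scan_archive_listing(names: list[str], target_dir: str = r"C:\extract\target") -> dict[str, list[str]]:
    """Map every suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for name in names:
        findings = analyze_entry(name)
        if not is_contained(target_dir, name) and "escape" not in findings:
            findings.append("escape")  # final path lands outside the extraction directory
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for entry, findings in scan_archive_listing(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(findings)}")
```

In practice this check belongs in two places: in the archiver itself (the fix in WinRAR 7.13 is exactly this kind of containment check on the destination path), and in mail or endpoint tooling that inspects archive listings before a user ever opens them, where an entry pointing at a Startup folder or carrying an ADS name is a strong signal on its own.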
One such campaign delivered a file named Запрос_Минпромторг_22.07.rar, which dropped malicious executables disguised as requests from the Russian Ministry of Industry and Trade. These were tied to WinRunApp.exe, a .NET loader that repeatedly attempted to fetch payloads from a C2 infrastructure until a valid response was received.
Intriguingly, BI.ZONE also uncovered an underground forum post advertising a WinRAR zero-day exploit for $80,000, raising the possibility that Paper Werewolf may have purchased and customized this exploit. The report noted, “while the post did not mention CVE-2025-6218, it is possible that the exploit offered for sale was related to the vulnerability we identified—and that Paper Werewolf may have purchased and adapted it for their attacks.”

By the end of July and early August, BI.ZONE detected further phishing campaigns using malicious RAR files such as DON_AVIA_TRANS_RU.rar and DON_AVIA_TRANS_UZ.rar. These archives embedded decoy PDFs and ADS-based payloads, once again leading to the deployment of .NET loaders designed to fetch in-memory payloads from remote servers.
Despite their sophistication, BI.ZONE emphasized that attackers continue to rely on detectable TTPs (tactics, techniques, and procedures). As the researchers put it, “malware delivered through archive files is more likely to evade email security filters as such attachments are common in legitimate correspondence… therefore, 24/7 incident monitoring remains essential for effective corporate defense.”