Paper Werewolf Exploits WinRAR Zero-Day Vulnerability to Deploy Malware

In July 2025, threat researchers identified a campaign by the threat actor tracked as Paper Werewolf, also known as GOFFEE, targeting Russian organizations. The group exploited two path-traversal vulnerabilities in the widely used WinRAR archiver, one already patched and one still a zero-day at the time, to drop malware onto victim systems and keep access to them.

Exploitation of WinRAR Vulnerabilities

Paper Werewolf has weaponized two specific vulnerabilities within WinRAR:

1. CVE-2025-6218: A directory traversal flaw in WinRAR versions up to and including 7.11, fixed in 7.12. A crafted entry name inside an archive causes WinRAR to write the extracted file outside the directory the user chose, so an attacker can create or overwrite files in locations the user never intended.

2. Zero-Day Vulnerability (later assigned CVE-2025-8088): More concerning is the exploitation of a previously unknown flaw affecting WinRAR versions up to and including 7.12, fixed in 7.13. It abuses NTFS Alternate Data Streams (ADS): an archive entry whose name carries an ADS suffix containing path-traversal sequences is written to an attacker-chosen directory instead of the extraction folder. The write happens when the archive is extracted and also when a file is opened directly from inside it.
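As an added illustration (not code from the page, from WinRAR, or from the researchers), the following Python validates archive entry names the way a safe extractor must before writing anything: it rejects absolute paths, drive letters, '..' traversal components and NTFS alternate data stream names, and then re-checks that the final path stays inside the destination. The entry names and the destination directory are constructed for the example and do not come from the real malicious archives.

```python
import posixpath


def normalize_entry(entry_name: str) -> str:
    """Archives created on Windows may use backslashes; unify to '/'."""
    return entry_name.replace("\\", "/")


def classify_entry(entry_name: str):
    """Return None if the entry name is safe to extract, else the reason it is not.

    The checks cover both WinRAR bug classes described above: plain '..'
    traversal and an NTFS alternate data stream name ('file:stream') whose
    stream part smuggles in traversal sequences.
    """
    name = normalize_entry(entry_name)
    if not name:
        return "empty name"
    if name.startswith("/"):
        return "absolute path"
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        return "drive-letter path"
    if ":" in name:
        # A colon cannot appear in a regular Windows file name, so any archive
        # entry containing one is addressing an ADS (or is simply invalid).
        return "alternate data stream name"
    if ".." in name.split("/"):
        return "directory traversal ('..' component)"
    return None


def target_path(dest_dir: str, entry_name: str) -> str:
    """Compute where an entry would land and verify it stays under dest_dir.

    Raises ValueError for anything classify_entry() rejects and, as a second
    line of defence, for any normalized path that still escapes dest_dir.
    """
    reason = classify_entry(entry_name)
    if reason is not None:
        raise ValueError(reason)
    dest = posixpath.normpath(dest_dir)
    joined = posixpath.normpath(posixpath.join(dest, normalize_entry(entry_name)))
    if joined != dest and not joined.startswith(dest + "/"):
        raise ValueError("escapes extraction directory")
    return joined


def plan_extraction(dest_dir: str, entry_names):
    """Split entries into those that may be written and those that must be refused."""
    accepted, rejected = {}, {}
    for entry in entry_names:
        try:
            accepted[entry] = target_path(dest_dir, entry)
        except ValueError as exc:
            rejected[entry] = str(exc)
    return accepted, rejected


# Constructed entry names for demonstration: the first two are what a benign
# "official correspondence" archive looks like, the rest are traversal attempts.
STARTUP = "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
SAMPLE_ENTRIES = [
    "letter/cover_letter.pdf",
    "letter/attachments/./specification.docx",
    "../../../" + STARTUP + "/payload.exe",                                   # classic '..' traversal
    "letter\\..\\..\\..\\" + STARTUP.replace("/", "\\") + "\\payload.lnk",   # backslash variant
    "letter/cover_letter.pdf:..\\..\\..\\" + STARTUP.replace("/", "\\") + "\\payload.exe",  # ADS variant
    "C:\\Windows\\Temp\\payload.exe",                                          # absolute drive path
]

if __name__ == "__main__":
    ok, bad = plan_extraction("/home/user/Downloads/letter", SAMPLE_ENTRIES)
    for entry, path in ok.items():
        print("EXTRACT", entry, "->", path)
    for entry, reason in bad.items():
        print("REFUSE ", entry, "->", reason)
```

The colon check runs before the '..' check on purpose: the ADS variant also contains '..', but an extractor should refuse stream names outright rather than only when they happen to traverse, because there is no legitimate reason for an archive entry to name a stream.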

Attack Methodology

The group’s attack strategy centers on highly targeted phishing campaigns. Adversaries impersonate representatives from Russian research institutes and government ministries, sending malicious emails from compromised legitimate accounts, such as those belonging to furniture suppliers. These emails contain RAR archives disguised as official correspondence from organizations like the Russian Ministry of Industry and Trade.

BI.Zone analysts identified this campaign through their threat intelligence operations, noting the sophistication of the social engineering tactics employed to bypass initial user skepticism.

Technical Arsenal and Tracking Mechanisms

Paper Werewolf’s phishing emails also carry tracking mechanisms: hidden 1×1 pixel images hosted on attacker-controlled servers. When a mail client renders the message it fetches the image, and that request tells the attackers that the message was opened, when, and from which address. This lets them gauge campaign effectiveness and adjust their targeting based on who engages. Mail clients configured not to load remote images defeat this kind of tracking.

Advanced Persistence and Payload Delivery Mechanisms

The campaign deploys its malware in stages. Upon successful exploitation it drops two components, each serving a different phase of the operation:

1. xpsrchvw74.exe: A modified copy of the legitimate XPS Viewer (version 6.1.7600.16385) with embedded shellcode that acts as a reverse shell. The shellcode resolves Windows API functions by ROR13 hash instead of by name, so the imports it needs never appear as plain strings in the binary. It connects to command-and-control infrastructure at 89.110.88[.]155:8090 to give the operators remote shell access.

2. WinRunApp.exe: A .NET (C#) loader that retrieves additional payloads from remote servers and runs them directly in memory. It creates a mutex named Sfgjh824nf6sdfgsfwe6467jkgg3vvvv3q7657fj436jh54HGFa56 so that only one instance runs at a time. When requesting a payload it appends victim details, including the computer name and username, to the command-and-control URL, which lets the operators serve payloads per target.
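The ROR13 API hashing used by xpsrchvw74.exe is a long-standing shellcode technique, and analysts reverse it by hashing a list of candidate export names and matching the results against the constants found in the code. The Python below is an added example of that workflow; it is not code from the malware or from the report. It implements the classic per-character "rotate right by 13, then add" hash over the ASCII function name. Variants exist (some shellcode also hashes the module name) and the page does not say which one this sample uses, so the constants in SAMPLE_HASHES are constructed for the example rather than taken from the binary.

```python
# Candidate export names an analyst would feed in; extend with the full export
# lists of kernel32.dll and ws2_32.dll when resolving a real sample.
API_CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "ExitProcess", "ExitThread", "WinExec",
    "CreateProcessA", "VirtualAlloc", "CreateThread", "WSAStartup",
    "WSASocketA", "connect", "recv", "send", "closesocket",
]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic shellcode API hash: for each byte, rotate the running hash
    right by 13 and add the byte. 'LoadLibraryA' hashes to 0xEC0E4E8E."""
    h = 0
    for byte in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(names):
    """Map hash -> list of names (a list, because collisions are possible)."""
    table = {}
    for name in names:
        table.setdefault(ror13_hash(name), []).append(name)
    return table


def resolve_hashes(hashes, names=API_CANDIDATES):
    """Resolve hash constants pulled from disassembly back to API names.
    Unknown hashes map to None so the analyst knows to widen the candidate list."""
    table = build_hash_table(names)
    return {h: table.get(h) for h in hashes}


# Constructed constants standing in for values read out of a shellcode blob.
SAMPLE_HASHES = [0xEC0E4E8E, 0x0E8AFE98, 0xDEADBEEF]

if __name__ == "__main__":
    for h, names in resolve_hashes(SAMPLE_HASHES).items():
        print(f"0x{h:08X} -> {names}")
```

In practice the candidate list is the complete export table of each DLL the shellcode walks, which is also why a resolver must tolerate collisions and report unresolved constants instead of silently guessing.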

Both components achieve persistence through the per-user Windows Startup folder, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, where executables or shortcuts are placed so that Windows launches them at every logon of that user. Because the WinRAR flaws let an archive write outside the chosen extraction directory, the malicious archive can place these files there directly when the victim extracts it, with no further action required.
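From a detection standpoint the persistence step is the easiest part of this chain to see: a file arriving in a Startup folder is rare, and one written by an archiver process is rarer still. The Python below is an added example, not from the page or from the researchers, that runs a few such rules over constructed Sysmon-style FileCreate (Event ID 11) records. The field names follow Sysmon, but the events, user and paths are made up for the example, and the archiver process names and autorun extension list are my assumptions.

```python
import ntpath

# Substring shared by the per-user (%APPDATA%\...) and all-users (C:\ProgramData\...)
# Startup folders, compared case-insensitively.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumed process names for the archiver family discussed on the page.
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}
# Assumed set of file types Windows will run or follow from a Startup folder.
AUTORUN_EXTENSIONS = {".exe", ".lnk", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta"}
# Mark-of-the-Web stream written routinely by archivers and browsers: not suspicious.
BENIGN_STREAMS = {"zone.identifier"}


def in_startup_folder(path: str) -> bool:
    return STARTUP_MARKER in path.lower()


def ads_stream(path: str):
    """Return the stream name if `path` addresses an NTFS alternate data stream, else None.
    The drive-letter colon ('C:') is skipped so that it does not count."""
    body = path[2:] if len(path) > 1 and path[1] == ":" else path
    if ":" not in body:
        return None
    return body.split(":", 1)[1].split(":")[0]   # 'name:stream:$DATA' -> 'stream'


def evaluate(event: dict):
    """Apply the rules to one FileCreate event and return the alerts it raises."""
    alerts = []
    if event.get("EventID") != 11:
        return alerts
    image = ntpath.basename(event["Image"]).lower()
    target = event["TargetFilename"]
    ext = ntpath.splitext(target)[1].lower()
    if in_startup_folder(target):
        if image in ARCHIVER_IMAGES:
            alerts.append("HIGH: archiver wrote into a Startup folder (extraction escaped the target directory)")
        elif ext in AUTORUN_EXTENSIONS:
            alerts.append("MEDIUM: autorun-capable file dropped in a Startup folder")
    stream = ads_stream(target)
    if stream and stream.lower() not in BENIGN_STREAMS and image in ARCHIVER_IMAGES:
        alerts.append("MEDIUM: archiver wrote a non-standard alternate data stream")
    return alerts


def detect(events):
    """Return (TargetFilename, alert) pairs for every rule hit across the events."""
    return [(e["TargetFilename"], a) for e in events for a in evaluate(e)]


# Constructed events (Sysmon Event ID 11 field names; the values are made up).
USER_STARTUP = "C:\\Users\\ivanov\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": WINRAR, "TargetFilename": "C:\\Users\\ivanov\\Downloads\\letter\\cover_letter.pdf"},
    {"EventID": 11, "Image": WINRAR, "TargetFilename": "C:\\Users\\ivanov\\Downloads\\letter\\cover_letter.pdf:Zone.Identifier"},
    {"EventID": 11, "Image": WINRAR, "TargetFilename": USER_STARTUP + "xpsrchvw74.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": USER_STARTUP + "Notes.lnk"},
    {"EventID": 11, "Image": WINRAR, "TargetFilename": "C:\\Users\\ivanov\\Downloads\\letter\\readme.txt:payload"},
]

if __name__ == "__main__":
    for target, alert in detect(SAMPLE_EVENTS):
        print(alert, "|", target)
```

The first rule is the one that matters for this campaign: an archiver process creating anything under a Startup folder means extraction left the directory the user picked, whichever of the two bugs was used. The explorer.exe shortcut is scored lower because users do occasionally put shortcuts there themselves, and the Zone.Identifier stream is whitelisted because WinRAR writes it on every extraction of a downloaded archive.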

Underground Market for Exploits

The campaign’s discovery coincided with underground forum advertisements offering WinRAR zero-day exploits for $80,000. This suggests a possible commercial acquisition of exploit capabilities by the Paper Werewolf group. The availability of such exploits on the dark web underscores the lucrative nature of zero-day vulnerabilities and the lengths to which threat actors will go to obtain them.

Implications and Recommendations

The exploitation of WinRAR vulnerabilities by Paper Werewolf highlights the need for organizations to keep software current and to layer defenses around it. Users are urged to update to WinRAR version 7.13, which addresses both vulnerabilities. WinRAR does not update itself, so each installation has to be upgraded by hand, and any copy older than 7.13 should be treated as vulnerable. Organizations should also tighten email filtering to block or detonate archive attachments from unexpected senders, run regular security awareness training, and monitor for files appearing in Startup folders and for archiver processes writing outside the directory a user chose for extraction.

In conclusion, the Paper Werewolf campaign serves as a stark reminder of the evolving tactics employed by cybercriminals and the importance of proactive cybersecurity practices to safeguard sensitive information and maintain system integrity.