Paper Werewolf targets Russia with WinRAR zero-day vulnerability

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor used phishing emails impersonating Russian organizations and delivered malware through archive files. The attacks targeted Russian entities, using advanced techniques to bypass defenses and expanding the actor's toolkit. The malware, delivered via crafted RAR files, created malicious executables in startup folders and connected to C2 servers. The threat actor demonstrated strong capabilities in exploiting zero-day vulnerabilities and modifying existing tools for its own purposes. Multiple attack iterations were observed, with slight variations in payload delivery and execution methods.

OPENCTI LABELS:

phishing,c2,zero-day,directory traversal,shellcode,rar,winrar,cve-2025-6218,xpsrchvw74.exe,winrunapp.exe


AI COMMENTARY:

1. Introduction

In recent months, security researchers have uncovered a sophisticated campaign by the Paper Werewolf cluster, also known as GOFFEE, targeting Russian organizations through a WinRAR zero-day vulnerability. This campaign exploited both CVE-2025-6218 and an unpatched zero-day flaw, leveraging phishing emails that masqueraded as legitimate communications from trusted Russian entities. By delivering malicious archives and cleverly crafted shellcode, the adversary was able to bypass conventional defenses and maintain persistent access to compromised systems.

2. The Paper Werewolf Cluster

The threat actor behind this operation, GOFFEE, has demonstrated a high level of technical expertise. Their choice of WinRAR as an attack vector allowed them to employ directory traversal techniques and embed shellcode within seemingly innocuous RAR files. The cluster's persistent ability to modify existing toolkits and incorporate newly discovered zero-day vulnerabilities underscores their advanced capabilities and resourcefulness in threat development and deployment.

3. Exploitation of WinRAR Flaws

Central to this campaign were vulnerabilities in the WinRAR archive utility, including the widely publicized CVE-2025-6218 and an as-yet-unpatched zero-day. These flaws enabled attackers to escape extraction boundaries and execute arbitrary code on target machines. By exploiting directory traversal, the adversary planted malicious executables directly into startup folders, ensuring automatic execution. This approach effectively undermined host defenses and provided seamless entry into operational environments.

4. Malware Delivery and Execution

The initial intrusion vector relied on carefully crafted phishing emails, purporting to originate from Russian governmental or corporate entities. Victims who opened the attached RAR archives inadvertently triggered the deployment of two primary payloads: xpsrchvw74.exe and winrunapp.exe. Once executed, these payloads established connections to C2 servers over encrypted channels, facilitating data exfiltration and remote control. The rapid evolution of these payloads, including minor variations in execution methods, highlights the actor's agility in fine-tuning their malware suite.

5. Variations and Iterations

Over the course of the campaign, multiple attack iterations were observed. Each iteration featured slight modifications to the payload delivery mechanism, ranging from different archive compression settings to alternative obfuscation techniques in shellcode. Despite these variations, the underlying strategy remained consistent: leverage WinRAR's vulnerabilities to gain a foothold, deploy persistent executables, and establish resilient C2 channels for ongoing operations.

6. Defensive Measures and Insights

Organizations can mitigate the risk posed by actors like Paper Werewolf by ensuring prompt patching of WinRAR vulnerabilities, including CVE-2025-6218. Implementing email filtering to detect and quarantine phishing attempts, combined with endpoint solutions that monitor for anomalous extraction behaviors, can further reduce exposure. Finally, maintaining network visibility for unusual outbound connections to C2 domains and conducting regular threat hunting exercises will help uncover any latent compromises before significant damage occurs.
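Sections 3 and 6 describe the technique (archive entries whose paths traverse out of the extraction directory and land in a Windows Startup folder) and call for monitoring of anomalous extraction behaviour. The following Python script is an added example, not part of the OpenCTI report or of any vendor tool: it classifies archive entry names before extraction and flags those that would escape the extraction root or resolve into a Startup folder. The extraction root and Startup paths are constructed assumptions for a hypothetical victim host, the sample archive is built in memory (a ZIP stands in for RAR because the standard library has no RAR reader; the checker only needs a list of entry names, so output from `rarfile` or an `unrar l` listing could be fed in the same way), and the file named `xpsrchvw74.exe` contains placeholder bytes, not the malware.

```python
"""Pre-extraction archive entry checker for path traversal into Startup folders.

Added example. Paths and archive contents below are constructed; ntpath is used
so the Windows path semantics hold even when the scanner runs on Linux.
"""
import io
import ntpath
import zipfile

# Assumed extraction directory and Startup folders on a hypothetical victim host.
EXTRACT_ROOT = r"C:\Users\victim\Downloads\attachment"
STARTUP_DIRS = (
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)


def _under(path, root):
    """True if path equals root or lies inside it (case-insensitive, Windows style)."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def classify_entry(name, extract_root=EXTRACT_ROOT):
    """Return (verdict, resolved_path) for a single archive entry name.

    verdicts: 'ok'           -> entry stays inside extract_root
              'escapes_root' -> '..' components or an absolute path leave extract_root
              'startup_drop' -> entry resolves into a Startup folder (runs at logon)
    """
    root = ntpath.normpath(extract_root)
    # ntpath.join lets a drive-qualified or rooted name replace the root, and
    # ntpath.normpath folds '/' to '\\' and collapses '..' components, which is
    # exactly how a naive extractor would interpret the name.
    resolved = ntpath.normpath(ntpath.join(root, name))
    if any(_under(resolved, d) for d in STARTUP_DIRS):
        return "startup_drop", resolved
    if not _under(resolved, root):
        return "escapes_root", resolved
    return "ok", resolved


def scan_entries(names, extract_root=EXTRACT_ROOT):
    """Return [(name, verdict, resolved)] for every entry that is not 'ok'."""
    findings = []
    for name in names:
        verdict, resolved = classify_entry(name, extract_root)
        if verdict != "ok":
            findings.append((name, verdict, resolved))
    return findings


def scan_zip_bytes(data, extract_root=EXTRACT_ROOT):
    """Scan an in-memory ZIP's raw entry names (namelist() does not sanitise them)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_entries(zf.namelist(), extract_root)


def build_sample_zip():
    """Constructed sample: a benign decoy document plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy")
        zf.writestr(
            "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/xpsrchvw74.exe",
            b"placeholder bytes, not a real executable",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, resolved in scan_zip_bytes(build_sample_zip()):
        print(f"{verdict:13s} {name!r} -> {resolved}")
```

The check is deliberately done on the resolved destination rather than on the presence of `..` in the name, so a name such as `sub/../file.txt` (which stays inside the root) is not a false positive, while a drive-qualified absolute name is still caught. In a mail gateway or endpoint pipeline the same classifier can run over the listing of every archive attachment before any extraction takes place.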
