Security researchers at BI.ZONE Threat Intelligence have uncovered a sophisticated campaign by the Paper Werewolf (GOFFEE) threat actor cluster that exploited both a known vulnerability and a previously unknown zero-day flaw in WinRAR archiving software.
The attacks, discovered in July 2025, demonstrate the group’s advanced capabilities in bypassing security defenses through carefully crafted phishing campaigns targeting Russian organizations.
CVE-2025-6218 Exploitation Campaign
The initial wave of attacks leveraged CVE-2025-6218, a directory traversal remote code execution vulnerability affecting WinRAR versions up to 7.11.
The threat actors impersonated representatives from Russian R&D institutes and government ministries, distributing malicious RAR files through compromised legitimate email accounts.
The malicious archive minprom_04072025.rar exploited the vulnerability to extract files outside the intended target directory, specifically placing the executable xpsrchvw74.exe in the Windows startup folder. This file, a modified XPS Viewer embedded with malicious shellcode, established a reverse shell connection to the command and control server at 89.110.88[.]155:8090.
The malware resolved Windows API functions at runtime by ROR13 hash rather than by name, hiding its imports from static analysis and signature-based scanning.
Zero-Day Vulnerability Discovery
BI.ZONE researchers identified a second, more concerning attack vector involving a previously unknown zero-day vulnerability affecting WinRAR versions up to 7.12.
This flaw abused the archiver’s handling of NTFS alternate data streams (ADS), allowing arbitrary payloads to be written to system directories during file extraction.
The zero-day campaign utilized archives like Запрос_Минпромторг_22.07.rar, which created the malicious WinRunApp.exe loader and corresponding startup shortcuts when victims opened decoy PDF files. The C# loader established persistence by creating the mutex Sfgjh824nf6sdfgsfwe6467jkgg3vvvv3q7657fj436jh54HGFa56 and continuously attempted to download additional payloads from compromised domains like IndoorVisions[.]org.
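As an added defensive example (not from the BI.ZONE report or WinRAR's code), the following Python checks an archive's entry names for the two delivery mechanisms described above: plain directory traversal that lands in a Startup folder (the CVE-2025-6218 case) and traversal hidden behind an alternate data stream name. The extraction folder, the Startup path substring and the sample entry names are constructed, and it assumes the extractor resolves a stream name as a relative path, as the ADS flaw is described to allow.

```python
from pathlib import PureWindowsPath

# Constructed values: the victim's extraction folder and the substring of a Startup folder path.
EXTRACT_DIR = PureWindowsPath(r"C:\Users\alice\Downloads\archive")
STARTUP_MARKER = r"\start menu\programs\startup"

def split_ads(entry):
    """Split 'decoy.pdf:stream' into ('decoy.pdf', 'stream'); a drive letter 'C:' is not a separator."""
    idx = entry.find(":", 2)
    return (entry, None) if idx == -1 else (entry[:idx], entry[idx + 1:])

def resolve(target, base=EXTRACT_DIR):
    """Resolve an entry name the way a naive extractor would, honouring '..'.
    Returns (absolute path, True if the walk ever left the extraction folder)."""
    t = target.replace("/", "\\")
    if t.startswith("\\") or (len(t) > 1 and t[1] == ":"):
        return PureWindowsPath(t), True          # absolute names never stay inside base
    cur, escaped = base, False
    for part in (p for p in t.split("\\") if p not in ("", ".")):
        if part == "..":
            if cur == base or base not in cur.parents:
                escaped = True                   # stepping out of (or already above) base
            cur = cur.parent
        else:
            cur = cur / part
    return cur, escaped

def analyze_entry(entry, base=EXTRACT_DIR):
    """Flag an entry that would land outside the extraction folder, via a plain
    traversal name or via traversal carried in an ADS name (assumed resolved relatively)."""
    path, stream = split_ads(entry)
    target, escaped = resolve(path, base)
    if stream is not None:
        s_target, s_escaped = resolve(stream, base)
        if s_escaped:
            target, escaped = s_target, True
    return {"entry": entry, "ads": stream is not None, "escapes": escaped,
            "hits_startup": STARTUP_MARKER in str(target).lower(), "target": str(target)}

def suspicious_entries(entries, base=EXTRACT_DIR):
    """Analyses of every entry that escapes the folder or carries an ADS name."""
    return [r for r in (analyze_entry(e, base) for e in entries) if r["escapes"] or r["ads"]]

# Constructed sample listing modelled on the file names reported in the article.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"images\..\readme.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xpsrchvw74.exe",
    r"decoy.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRunApp.lnk",
]
```

Entry names can be fed in from any archive lister (for RAR, an external tool or the third-party rarfile module); the benign `images\..\readme.txt` stays inside the folder and is not flagged.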
Underground Marketplace Connection
Significantly, researchers discovered evidence of a potential connection between these attacks and cybercriminal marketplaces, with underground forum posts advertising a functional WinRAR zero-day exploit for $80,000.
While the specific relationship remains unconfirmed, the timing suggests Paper Werewolf may have purchased and adapted commercially available exploit code.
The vulnerability was subsequently patched in WinRAR version 7.13 following collaboration between ESET specialists and WinRAR developers.
This campaign highlights the continued effectiveness of archive-based malware delivery methods in evading email security filters, emphasizing the critical importance of maintaining updated software versions and implementing comprehensive security monitoring solutions.
Indicators of compromise
Exploitation of CVE-2025-6218
minprom_04072025.rar
MD5: 9a69b948e261363463da38bdbf828b14
SHA1: 40e647d61a00fd7240e54dba45ce95c5d33cae43
SHA256: fe2587dd8d9755b7b3a106b6e46519a1ce0a8191eb20821d2f957326dbf912e9
xpsrchvw.exe
MD5: 942220fc9382f44ae82061d1fc63f41e
SHA1: 7ff3d32e78c5626135a73bba4a011058f714ae86
SHA256: bf74820d40d281c28d5928b01e5b68d6caf85b5b9188bf4efb627765d708bcff