Cyber spies associated with the threat actor group Paper Werewolf have demonstrated advanced capabilities in bypassing email security filters by delivering malware through seemingly legitimate archive files, a tactic that exploits the commonality of such attachments in business correspondence.
Despite their sophistication, these attackers continue to rely on detectable tactics, techniques, and procedures (TTPs), underscoring the critical need for continuous 24/7 incident monitoring in corporate environments.
Phishing Campaigns Leverage Archive Exploits
In early July 2025, BI.ZONE Threat Intelligence uncovered a phishing campaign where adversaries impersonated a Russian R&D institute, sending emails from a compromised furniture supplier account.
These emails included a RAR archive named minprom_04072025.rar, which exploited CVE-2025-6218, a known WinRAR vulnerability enabling directory traversal.

This flaw allows malicious files to be extracted outside the intended directory, such as into the startup folder, facilitating automatic execution upon user login.
Upon extraction, the archive deploys a modified XPS Viewer executable, xpsrchvw74.exe, embedded with shellcode for a reverse shell connecting to a command-and-control (C2) server at 89.110.88.155:8090.
The shellcode employs ROR13 hashing to obfuscate WinAPI function names, enhancing evasion. Decoy files within the archive, including PDFs and DOCX documents mimicking official correspondence, further disguise the attack.
Building on this, Paper Werewolf escalated their operations with a previously unknown zero-day vulnerability in WinRAR versions up to 7.12, patched in version 7.13.
The exploit abuses alternate data streams (ADS) in archive entries: when an archive is extracted, or a file inside it is opened directly, the stream name carries a path that causes arbitrary payloads to be written to system directories, which amounts to a directory traversal attack.
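Both the CVE-2025-6218 traversal into the Startup folder and the ADS-based zero-day share one observable: the entry names inside the archive describe where the extracted bytes will land. The check below is an added defender-side example, not BI.ZONE's or WinRAR's code; it takes a plain list of entry names (as any archive lister would emit them) and flags entries that use absolute paths or drive letters, contain `..` components that would escape the extraction root, carry an NTFS `file:stream` suffix, or resolve into a well-known autostart directory. The entry names and the autostart patterns are constructed for the example.

```python
"""Flag archive entry names that would escape the extraction directory,
carry an NTFS alternate data stream (ADS), or land in an autostart folder.
Added example; the listing below is constructed, not taken from a real archive."""
import re

DRIVE = re.compile(r"^[A-Za-z]:$")

# Autostart locations matched against the lower-cased, '..'-stripped path.
# Constructed list for the example; extend it for your environment.
SENSITIVE_DIR_PATTERNS = [
    re.compile(r"(^|/)appdata/roaming/microsoft/windows/start menu/programs/startup(/|$)"),
    re.compile(r"(^|/)programdata/microsoft/windows/start menu/programs/startup(/|$)"),
]


def classify_entry(name: str) -> set[str]:
    """Return the set of reasons an archive entry name is suspicious (empty if none)."""
    reasons: set[str] = set()
    # Normalise to forward slashes and collapse duplicate separators; do not
    # resolve '..' yet, because the traversal is exactly what we want to see.
    path = re.sub(r"/+", "/", name.replace("\\", "/"))
    parts = path.split("/")
    if path.startswith("/"):
        reasons.add("absolute_path")
    if DRIVE.match(parts[0]):
        reasons.add("drive_letter")

    # Split ADS stream names off their host file: "decoy.pdf:payload.exe" becomes
    # two tokens, so a traversal hidden in the stream name is still walked below.
    tokens: list[str] = []
    for i, part in enumerate(parts):
        if i == 0 and DRIVE.match(part):
            continue
        if ":" in part:
            reasons.add("alternate_data_stream")
            tokens.extend(part.split(":"))
        else:
            tokens.append(part)

    # Walk the components with a depth counter; going below zero means the
    # entry is written outside the directory the user chose for extraction.
    depth = 0
    for tok in tokens:
        if tok in ("", "."):
            continue
        if tok == "..":
            reasons.add("parent_traversal")
            depth -= 1
            if depth < 0:
                reasons.add("escapes_extraction_root")
        else:
            depth += 1

    # Approximate resolution for pattern matching: drop the '..' hops and look
    # at where the remaining components point.
    resolved = "/".join(t for t in tokens if t not in ("", ".", "..")).lower()
    if any(p.search(resolved) for p in SENSITIVE_DIR_PATTERNS):
        reasons.add("sensitive_target_directory")
    return reasons


def scan_listing(names: list[str]) -> dict[str, set[str]]:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    return {n: r for n in names if (r := classify_entry(n))}


# Constructed listing: two benign decoys, a Startup-folder traversal, an ADS
# entry and an absolute Windows path.
SAMPLE_LISTING = [
    "Письмо_Минпромторг.pdf",
    "docs/Приложение_1.docx",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\xpsrchvw74.exe",
    "Запрос.pdf:WinRunApp.exe",
    "C:\\Users\\Public\\run.exe",
]

if __name__ == "__main__":
    for entry, why in scan_listing(SAMPLE_LISTING).items():
        print(f"{entry!r}: {', '.join(sorted(why))}")
```

Run it against the output of any archive lister (WinRAR's `rar lb`, 7-Zip's `7z l -slt`, or a Python library that exposes entry names) on inbound attachments at the mail gateway; a single flagged entry is enough to quarantine the archive, since legitimate business documents never need `..`, drive letters or stream names.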
In an attack dated July 22, 2025, the malicious RAR file Запрос_Минпромторг_22.07.rar deployed WinRunApp.exe, a C#-based .NET loader that fetches and executes a remote payload in memory from C2 servers like indoorvisions.org.
Zero-Day Exploitation
The loader creates a mutex to prevent multiple instances, enters a loop to repeatedly query the C2 with victim details (hostname and username) appended to URLs, and uses specific User-Agent strings to blend with legitimate traffic.
If successful, it loads a .NET assembly via Assembly.Load and invokes methods from configured classes, such as EatLanguageSubject.AnswerEndSight.PainGroupStep.
Subsequent attacks on July 31 and August 1 involved archives DON_AVIA_TRANS_RU.rar and DON_AVIA_TRANS_UZ.rar, which embedded ADS in multiple decoy PDFs and an LNK file, deploying a similar WinRunApp.exe variant with slight modifications, including file existence checks and an updated mutex like Global_22576733.
According to the report, the configuration data specifies sleep intervals of around 330 seconds between polls, so the loader keeps communicating with the C2 until a payload is served.
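The loader behaviour described above (victim hostname and username appended to the URL, a browser-like User-Agent, a fixed sleep of roughly 330 seconds) is visible in web-proxy logs even when the domain is unknown. The script below is an added detection example, not part of the report or of any vendor product: it parses proxy log lines in a constructed format, keeps requests whose query string carries both a `hostname` and a `username` parameter, groups them per source IP and destination host, and reports channels whose inter-request gaps are nearly constant. The log lines, the `example.invalid` hosts and the jitter threshold are constructed for the example.

```python
"""Spot low-jitter beacons that tag each request with the victim's hostname and
username. Added detection example; log lines and hosts are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Query parameters the loader is reported to append to its C2 URLs.
VICTIM_ID_PARAMS = {"hostname", "username"}


@dataclass
class Request:
    ts: datetime
    src: str
    url: str
    user_agent: str


def parse_line(line: str) -> Request:
    """Constructed log format: '<iso-ts> <src-ip> <method> <url> "<user-agent>"'."""
    ts, src, _method, url, ua = line.split(" ", 4)
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, url, ua.strip('"'))


def has_victim_identifiers(url: str) -> bool:
    """True when the query string names both the victim host and user."""
    return VICTIM_ID_PARAMS <= set(parse_qs(urlsplit(url).query))


def beacon_candidates(lines, min_hits: int = 4, max_jitter_ratio: float = 0.1) -> dict:
    """Return {(src_ip, dest_host): median_gap_seconds} for channels that carry
    victim identifiers and check in at an almost constant interval."""
    by_channel: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if has_victim_identifiers(req.url):
            by_channel[(req.src, urlsplit(req.url).hostname)].append(req.ts)

    findings = {}
    for channel, stamps in by_channel.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # A sleep(330) loop with a little network jitter keeps every gap within a
        # few seconds of the median; human browsing does not.
        if med > 0 and max(abs(g - med) for g in gaps) <= max_jitter_ratio * med:
            findings[channel] = round(med)
    return findings


# Constructed proxy log: five check-ins about 330 s apart, one unrelated update
# request and one single request that carries identifiers but never repeats.
UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'
SAMPLE_LOG = [
    f"2025-07-22T10:00:00Z 10.0.0.5 GET https://c2.example.invalid/p/q/r?hostname=WS-01&username=ivanov {UA}",
    f"2025-07-22T10:00:07Z 10.0.0.5 GET https://updates.example.invalid/check?version=1 {UA}",
    f"2025-07-22T10:05:30Z 10.0.0.5 GET https://c2.example.invalid/p/q/r?hostname=WS-01&username=ivanov {UA}",
    f"2025-07-22T10:11:02Z 10.0.0.5 GET https://c2.example.invalid/p/q/r?hostname=WS-01&username=ivanov {UA}",
    f"2025-07-22T10:12:00Z 10.0.0.7 GET https://other.example.invalid/x?hostname=WS-02&username=petrov {UA}",
    f"2025-07-22T10:16:30Z 10.0.0.5 GET https://c2.example.invalid/p/q/r?hostname=WS-01&username=ivanov {UA}",
    f"2025-07-22T10:22:00Z 10.0.0.5 GET https://c2.example.invalid/p/q/r?hostname=WS-01&username=ivanov {UA}",
]

if __name__ == "__main__":
    for (src, host), period in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {host}: beacon every ~{period} s with victim identifiers")
```

The identifier check alone is a usable hunt query; the periodicity test is what separates a beacon from a legitimate application that happens to send a hostname, and the `min_hits` floor keeps a single lookup from raising an alert.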
Notably, an underground forum post offered a WinRAR zero-day exploit for $80,000, potentially linked to this vulnerability, suggesting Paper Werewolf may have acquired and adapted it for targeted espionage.
These incidents highlight the group’s focus on exploiting compression tool weaknesses for initial access, combining zero-days with social engineering.
Organizations should prioritize patching WinRAR, monitoring for anomalous archive extractions, and analyzing network traffic to suspicious domains.
The reliance on detectable TTPs, such as embedded tracking pixels in phishing emails, provides opportunities for early detection through behavioral analytics and threat intelligence integration.
Indicators of Compromise (IOCs)
Category | Indicator | Hash/Details |
---|---|---|
File (CVE-2025-6218) | minprom_04072025.rar | MD5: 9a69b948e261363463da38bdbf828b14 SHA1: 40e647d61a00fd7240e54dba45ce95c5d33cae43 SHA256: fe2587dd8d9755b7b3a106b6e46519a1ce0a8191eb20821d2f957326dbf912e9 |
IP/Domain (CVE-2025-6218) | eliteheirs[.]org, IPs | 89.110.88.155:8090, 81.30.105.148, 213.171.4.200 |
File (Zero-Day) | DON_AVIA_TRANS_UZ.rar | MD5: eaba94b5237d2625fa38bc924e5347c4 SHA1: 6c0e52b8ed746b5b8ebef1ef2226093260659ae8 SHA256: d2c3fe8b9a4e0e5b7bcc087d52295ab30dc25b1410f50de35470383528c9d844 |
URL (Zero-Day) | Various paths | hxxps://indoorvisions[.]org/patriarchal/furthering/creating/flared/censured?hostname=[hostname]&username=[username] (and similar on trailtastic[.]org) |
Domain/IP (Zero-Day) | indoorvisions[.]org, trailtastic[.]org, IPs | 89.110.98.26, 94.242.51.73 |
Mutex | Various | Sfgjh824nf6sdfgsfwe6467jkgg3vvvv3q7657fj436jh54HGFa56 Global_22576733 |