Cybersecurity researchers have uncovered a sophisticated campaign by the Paper Werewolf threat actor group, also known as GOFFEE, targeting Russian organizations through the exploitation of critical vulnerabilities in WinRAR archiving software.
The campaign, active since July 2025, shows the group chaining a publicly known flaw with a previously unknown one to establish persistent access on victim systems.
The threat actor has weaponized two distinct WinRAR vulnerabilities. The first, CVE-2025-6218, affects WinRAR versions up to and including 7.11 (fixed in 7.12) and is a directory traversal: a crafted archive can place files outside the directory the user chose for extraction.
The second, a zero-day at the time of the campaign, affects versions up to and including 7.12 and abuses NTFS Alternate Data Streams (ADS), so that extracting the archive, or opening a file directly from within it, writes an arbitrary payload into system directories.
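Both flaws are abused through the names stored inside the archive, so the natural place to check is the entry name before anything is written. The following is an added example, not code from the article, from BI.ZONE or from WinRAR; the helper names and the destination path are hypothetical. It rejects the two shapes the text describes (a name that escapes the extraction directory, and a name carrying an NTFS `file:stream` suffix) and also covers absolute, rooted and UNC names that the text does not discuss:

```python
"""Archive entry-name validation against path traversal and NTFS ADS abuse.

Added example (not from the article or from any archiver). It checks the
names stored in an archive before extraction:
  - a '..' component, or an absolute/rooted path, escapes the destination
  - an alternate data stream suffix ('file.txt:stream') makes NTFS write to a
    stream instead of the visible file name
"""
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Destination the user chose for extraction (constructed example path).
DEST = PureWindowsPath(r"C:\Users\alice\Downloads\extracted")


def unsafe_reason(entry_name: str, dest: PureWindowsPath = DEST) -> Optional[str]:
    """Return None if the entry may be extracted under dest, else a reason."""
    # RAR stores '\' separators; normalise '/' so both spellings are checked.
    p = PureWindowsPath(entry_name.replace("/", "\\"))

    if p.drive or p.root:
        return "absolute or rooted path"           # C:\..., \Windows\..., \\srv\share\...

    for part in p.parts:
        if part == "..":
            return "parent-directory traversal"    # escapes dest once joined
        if ":" in part:
            return "alternate data stream syntax"  # name:stream targets an NTFS stream
        if part.strip(" .") == "":
            return "empty or dot-only component"   # Win32 strips trailing dots/spaces

    # Final check: the joined path must stay strictly beneath dest.
    target = dest.joinpath(*p.parts)
    if dest not in target.parents:
        return "resolves outside destination"
    return None


def safe_entries(names: Iterable[str]) -> List[str]:
    """Filter an archive listing, keeping only names that pass every check."""
    return [n for n in names if unsafe_reason(n) is None]


if __name__ == "__main__":
    # Constructed listing, not taken from any real sample.
    for name in [
        r"letter.pdf",
        r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk",
        r"letter.pdf:payload.exe",
        r"C:\Windows\Temp\a.exe",
    ]:
        print(f"{name!r:82} -> {unsafe_reason(name) or 'ok'}")
```

The checks run on `PureWindowsPath`, so they apply Windows naming rules regardless of the host the code runs on; an extractor would additionally resolve symlinks and junctions under the destination before writing.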
Paper Werewolf's attacks begin with highly targeted phishing in which the adversaries pose as representatives of Russian research institutes and government ministries.
The emails, often sent from compromised legitimate accounts (for example, those of a furniture supplier), carry RAR archives disguised as official correspondence from bodies such as the Russian Ministry of Industry and Trade.
BI.Zone analysts identified the campaign through their threat intelligence operations and noted the care taken in the social engineering to get past initial user skepticism.
The phishing emails also carry a tracking mechanism: a hidden 1×1 pixel image that reports back when a victim opens the message.
This lets the attackers gauge campaign effectiveness and adjust their tactics based on which targets engaged.
Advanced Persistence and Payload Delivery Mechanisms
Upon successful exploitation, the campaign deploys two malware components that serve different operational phases: a reverse shell for immediate interactive access and a loader for fetching further payloads.
The first component, xpsrchvw74.exe, is a modified copy of the legitimate XPS Viewer (version 6.1.7600.16385) with embedded shellcode that acts as a reverse shell.
The shellcode resolves the Windows API functions it needs by ROR13 hash rather than by name, so no import names appear in the file for static inspection, and it connects to command and control infrastructure at 89.110.88[.]155:8090 to give the operators remote shell access.
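ROR13 API hashing is what an analyst must reverse to read such shellcode: each hash is a 32-bit constant, and recomputing the hashes of APIs a reverse shell needs lets a scanner name them wherever they appear in a blob. The following is an added example, not code from the article or from the xpsrchvw74.exe sample. It implements the widely used Metasploit-style variant (module name uppercased and hashed as UTF-16LE with its terminator, function name hashed as ASCII with its terminator, the two sums added); whether the sample uses exactly this variant is an assumption, and the byte blob it scans is constructed:

```python
"""ROR13 API-hash computation plus a scanner for those hashes in a byte blob.

Added example, not from the article or the sample. The hashing variant is
the Metasploit-style one (an assumption about the sample); other variants
differ in case handling or in whether the terminator is hashed.
"""
import struct
from typing import Dict, List, Optional, Tuple


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(data: bytes) -> int:
    """Accumulate h = ror13(h) + byte over every byte of data."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """Combined module+function hash as pushed to the shellcode's API resolver."""
    mod = (module.upper() + "\x00").encode("utf-16-le")   # UTF-16LE, terminator included
    fn = (function + "\x00").encode("ascii")              # ASCII, terminator included
    return (ror13_hash(mod) + ror13_hash(fn)) & 0xFFFFFFFF


# APIs a reverse shell typically needs; a real table would be much longer.
WATCHED: List[Tuple[str, str]] = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "CreateProcessA"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
]


def build_table(pairs: List[Tuple[str, str]] = WATCHED) -> Dict[int, Tuple[str, str]]:
    """Map hash value -> (module, function) for quick lookup."""
    return {api_hash(m, f): (m, f) for m, f in pairs}


def find_api_hashes(blob: bytes,
                    table: Optional[Dict[int, Tuple[str, str]]] = None
                    ) -> List[Tuple[int, str, str]]:
    """Return (offset, module, function) for every known hash found in blob.

    Every byte offset is tried because the constants are usually immediate
    operands (e.g. 'push imm32') and need not be aligned.
    """
    table = table or build_table()
    hits = []
    for off in range(len(blob) - 3):
        (dword,) = struct.unpack_from("<I", blob, off)
        if dword in table:
            hits.append((off, *table[dword]))
    return hits


def constructed_sample() -> bytes:
    """Constructed stand-in for a shellcode fragment (not a real sample):
    NOP filler, then 'push imm32 ; call ebp' twice with two API hashes."""
    return (
        b"\x90" * 4
        + b"\x68" + struct.pack("<I", api_hash("ws2_32.dll", "connect")) + b"\xff\xd5"
        + b"\x68" + struct.pack("<I", api_hash("kernel32.dll", "CreateProcessA")) + b"\xff\xd5"
    )


if __name__ == "__main__":
    for off, mod, fn in find_api_hashes(constructed_sample()):
        print(f"offset {off:#06x}: {mod}!{fn} ({api_hash(mod, fn):#010x})")
```

Extending `WATCHED` with the rest of the Win32 export list (kernel32, ws2_32, advapi32, wininet) turns this into a practical triage step: run it over the carved shellcode from the modified XPS Viewer and the resolved names outline what the reverse shell does without stepping through it in a debugger.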
The second component, WinRunApp.exe, operates as a .NET C# loader designed to retrieve and execute additional payloads directly in memory from remote servers.
The loader implements mutex-based execution control, using the identifier "Sfgjh824nf6sdfgsfwe6467jkgg3vvvv3q7657fj436jh54HGFa56" to prevent a second instance from running.
When requesting a payload, it appends victim system information, including the computer name and username, to the C2 URL, which lets the server deliver payloads tailored to each host.
Both components achieve persistence by placing executables and shortcuts in the user's Startup folder, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, so that they run automatically each time the user logs on.
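Because the files land in the Startup folder as a side effect of extraction, the detection that matters is a file-creation event in that folder whose writing process is an archiver. The following is an added example, not from the article or from BI.ZONE: it runs that logic over constructed Sysmon-style FileCreate (Event ID 11) records in a flat `Key: value|Key: value` form (a stand-in for the real XML), and treating WinRAR.exe as the writing process is an assumption based on the extraction-time behaviour described above:

```python
"""Flag files dropped into a Startup folder by an archive-extraction process.

Added example, not from the article. Records are constructed Sysmon-style
FileCreate events in a flat form; the archiver list is an assumption.
"""
import re
from typing import Dict, Iterable, List

# Matches both the per-user (%APPDATA%\...) and the all-users
# (C:\ProgramData\...) Startup folders.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE
)

# Extractors that have no legitimate reason to write into a Startup folder.
ARCHIVERS = {"winrar.exe", "unrar.exe", "7z.exe", "7zfm.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key: value|Key: value' records (constructed flat form of the
    Sysmon fields; replace with your pipeline's real parser)."""
    fields = {}
    for chunk in line.split("|"):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_startup_drop(ev: Dict[str, str]) -> bool:
    """True for a FileCreate into a Startup folder by a known archiver."""
    if ev.get("EventID") != "11":
        return False
    target = ev.get("TargetFilename", "")
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return bool(STARTUP_RE.search(target)) and image in ARCHIVERS


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the rule."""
    return [ev for ev in map(parse_event, lines) if is_startup_drop(ev)]


# Constructed records, not real telemetry. File names echo the article's
# components only so the output reads naturally.
SAMPLE_EVENTS = [
    r"EventID: 11|Image: C:\Program Files\WinRAR\WinRAR.exe|TargetFilename: C:\Users\alice\Downloads\letter\letter.pdf",
    r"EventID: 11|Image: C:\Program Files\WinRAR\WinRAR.exe|TargetFilename: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xpsrchvw74.exe",
    r"EventID: 11|Image: C:\Program Files\WinRAR\WinRAR.exe|TargetFilename: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRunApp.lnk",
    r"EventID: 11|Image: C:\Windows\explorer.exe|TargetFilename: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk",
    r"EventID: 1|Image: C:\Program Files\WinRAR\WinRAR.exe|CommandLine: WinRAR.exe x letter.rar",
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print("ALERT startup drop by archiver:", ev["TargetFilename"])
```

The rule deliberately does not filter on extension: the Startup folder launches any file type through the shell, so an archiver writing anything there is the signal. A user pinning a shortcut through Explorer, as in the fourth record, is left alone.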
The campaign’s discovery coincided with underground forum advertisements offering WinRAR zero-day exploits for $80,000, suggesting possible commercial acquisition of exploit capabilities by the Paper Werewolf group.