
Paper Werewolf Group Exploits WinRAR Vulnerabilities for Attacks

In July and early August 2025, the espionage group Paper Werewolf attacked several organizations in Russia and Uzbekistan. The phishing emails carried RAR archives presented as important documents; in reality they delivered malware. The attackers exploited two vulnerabilities in WinRAR that allow malicious software to be planted on the machine when the archive is unpacked.

According to analysts from BI.ZONE, one of the group's targets was a Russian manufacturer of special equipment. The attackers sent the target an email purporting to come from a large research institute, using a compromised mailbox that belonged to another real company, a furniture manufacturer.

The RAR archive attached to the email contained fake "documents from the ministry" together with an executable of XPS Viewer. XPS Viewer is a legitimate program, but the attackers had modified its executable by injecting malicious code into it. The trojanized binary let them execute commands remotely and take control of the compromised device.

Researchers note that almost 80% of Russian companies use WinRAR, as do virtually all employees whose corporate devices run Windows.

In the attack on the equipment manufacturer, Paper Werewolf exploited CVE‑2025‑6218, which affects WinRAR versions up to and including 7.11. In later attacks on companies in Russia and Uzbekistan, the attackers relied on a new, then-unknown zero-day vulnerability that also affects WinRAR 7.12.
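The practical check that follows from these version ranges is an inventory of the WinRAR build installed on each Windows host. The PowerShell script below is an added example written for this page; it is not code from BI.ZONE or from the WinRAR vendor. It assumes that WinRAR registers itself in the standard Uninstall registry keys with a DisplayName starting with "WinRAR" and a DisplayVersion such as "7.11", and that the fallback path to WinRAR.exe is the default install location. The version thresholds are only those stated in this article (7.11 for CVE‑2025‑6218, 7.12 for the later zero-day); the article does not name the build that fixes the zero-day, so the script does not declare any newer version safe.

```powershell
# Added example (not from the report or the article): report the installed WinRAR
# version on this host and compare it with the affected versions named in the article.
# Assumptions: standard Uninstall registry entries with DisplayName "WinRAR*", a
# DisplayVersion like "7.11", and the default install path as a fallback.

$affectedByCve20256218 = [version]'7.11'   # article: CVE-2025-6218 affects versions up to and including 7.11
$affectedByZeroDay     = [version]'7.12'   # article: the later zero-day also affects 7.12

function Get-WinRarVersion {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) {
        # DisplayVersion may carry a suffix such as "7.11 (64-bit)"; keep only the leading dotted number
        if ($entry.DisplayVersion -match '^\s*(\d+(\.\d+)+)') { return [version]$Matches[1] }
    }
    # Fallback: read the file version of WinRAR.exe (assumed default install path)
    $exe = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
    if (Test-Path $exe) {
        $fv = (Get-Item $exe).VersionInfo
        return [version]('{0}.{1}' -f $fv.FileMajorPart, $fv.FileMinorPart)
    }
    return $null
}

function Test-WinRarExposure {
    param([Parameter(Mandatory)][version]$Version)
    # Returns the list of issues from the article whose stated version range covers $Version
    $findings = @()
    if ($Version -le $affectedByCve20256218) { $findings += 'CVE-2025-6218 (versions up to 7.11 per the article)' }
    if ($Version -le $affectedByZeroDay)     { $findings += 'zero-day used in the later attacks (affects 7.12 per the article)' }
    return $findings
}

$installed = Get-WinRarVersion
if (-not $installed) {
    "WinRAR not detected on ${env:COMPUTERNAME}"
} else {
    $findings = Test-WinRarExposure -Version $installed
    if ($findings.Count -gt 0) {
        "WinRAR $installed on ${env:COMPUTERNAME}: affected by $($findings -join '; '); update from the vendor"
    } else {
        "WinRAR $installed on ${env:COMPUTERNAME}: newer than the versions named here; confirm against the current vendor advisory"
    }
}
```

Run it with an account that can read HKLM on each host, or push it through your endpoint management tooling and collect the output lines. Portable copies of WinRAR that were never installed will not appear in the Uninstall keys, so a file-system search for WinRAR.exe outside Program Files is a sensible complement on hosts where users can run unpackaged software.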

Shortly before these attacks, an advertisement appeared on a hacking forum offering a supposedly working exploit, presumably for this vulnerability. The seller was asking $80,000 for it.

“Espionage-oriented groups continue to experiment with methods and tools, including adding new vulnerabilities to their arsenal. By using RAR archives, the attackers pursued two goals at once: not only exploiting vulnerabilities in WinRAR to install malware but also increasing the chances that the phishing email would bypass email filters, as such attachments are a common occurrence in business correspondence,” comments Oleg Skulkin, Head of BI.ZONE Threat Intelligence.
