Paper Werewolf Group Exploits WinRAR Zero-Day to Spread Malware


The cyber-espionage group Paper Werewolf (also identified as GOFFEE) is exploiting a zero-day flaw in WinRAR to target Russian entities. The campaign relies on phishing emails and weaponized archive files to evade defenses and deliver malware, underscoring the need for timely patching and proactive security monitoring.

Vulnerability Details

The threat actor has weaponized two distinct WinRAR vulnerabilities in their attacks. The first, CVE-2025-6218, affects WinRAR versions up to and including 7.11 and enables directory traversal attacks that allow malicious archives to extract files outside their intended directories.

More concerning is the group’s exploitation of a zero-day vulnerability affecting WinRAR versions up to 7.12, which leverages NTFS Alternate Data Streams (ADS) to write arbitrary payloads to system directories when archives are extracted or files are opened directly from within them.
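Both flaws hinge on the names of archive members: a member path that climbs out of the extraction folder (traversal) or carries a stream suffix (ADS). A defender can triage an archive's member listing before anyone extracts it. The following is an added example written for this article, not code from the original post or from WinRAR; it assumes the member names have already been read out of the archive by some listing tool, and the sample listing at the bottom is constructed for illustration. The Startup-folder heuristic goes slightly beyond the text by flagging any member aimed at that folder regardless of how it gets there.

```python
"""Classify archive member names before extraction.

Added example (not from the original post). Flags the two abuses described
above, directory traversal and alternate data stream (ADS) syntax, plus
members that target the Windows Startup folder.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Absolute paths: a drive letter ("C:") or a leading backslash (incl. UNC).
_ABS_RE = re.compile(r"^([A-Za-z]:|\\)")
# NTFS addresses a stream as "name:stream" or "name:stream:$DATA".
_ADS_RE = re.compile(r"^[^:\\/]+:[^:\\/]+(:\$DATA)?$", re.IGNORECASE)
# Any member landing here runs at the next logon, as the article describes.
_STARTUP_FRAGMENT = "start menu\\programs\\startup"


@dataclass
class Verdict:
    member: str
    reasons: List[str] = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.reasons


def classify_member(member: str) -> Verdict:
    """Return a Verdict listing every reason a member name is unsafe."""
    # RAR entries may use "/" or "\"; normalise to Windows separators.
    norm = member.replace("/", "\\")
    reasons: List[str] = []
    if _ABS_RE.match(norm):
        reasons.append("absolute path or drive letter")
    parts = [p for p in norm.split("\\") if p not in ("", ".")]
    if ".." in parts:
        reasons.append("directory traversal")
    # Only the last component is a file name; an ADS suffix there writes to
    # a stream instead of a regular file.
    if parts and _ADS_RE.match(parts[-1]):
        reasons.append("alternate data stream syntax")
    if _STARTUP_FRAGMENT in norm.lower():
        reasons.append("targets the Startup folder")
    return Verdict(member, reasons)


def scan_listing(members: List[str]) -> List[Verdict]:
    """Return the verdicts for every member that is not safe."""
    return [v for v in map(classify_member, members) if not v.safe]


# Constructed sample listing (not taken from a real archive).
SAMPLE_LISTING = [
    "docs/report.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WinRunApp.exe",
    "readme.txt:payload.exe",
    "C:\\Users\\Public\\x.lnk",
]

if __name__ == "__main__":
    for verdict in scan_listing(SAMPLE_LISTING):
        print(f"UNSAFE {verdict.member!r}: {', '.join(verdict.reasons)}")
```

The check is deliberately name-based: it needs no extraction and therefore never triggers the bug it is screening for, which makes it suitable for a mail-gateway or sandbox pre-filter.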

Infection Method

Initial Access:
Attackers distribute spear-phishing emails impersonating Russian research institutes or government ministries. Messages are often sent from compromised legitimate accounts (e.g., suppliers) to increase credibility. The emails contain malicious RAR archives crafted to exploit WinRAR’s directory traversal flaw.

Exploitation:
When a victim extracts the malicious archive using WinRAR, the crafted file paths trigger directory traversal (CVE-2025-6218), causing payloads to be written outside the intended extraction folder into sensitive system directories.

Payload Deployment:

  • Malicious executables (e.g., WinRunApp.exe, xpsrchvw74.exe) and shortcut (.lnk) files are silently extracted into the Windows Startup folder.
  • This guarantees that the payload will execute automatically when the user logs in.

Persistence & Execution:

  1. On reboot, the malicious files are invoked from the Startup path, launching the malware.
  2. xpsrchvw74.exe (trojanized XPS Viewer) contains embedded shellcode that establishes a reverse shell to attacker-controlled C2 infrastructure.
  3. WinRunApp.exe functions as a .NET loader, retrieving additional payloads in memory from remote servers. Execution is mutex-controlled to prevent multiple instances.

Malware Behavior and Capabilities:

  • Command-and-Control: Reverse shell connects to 89.110.88[.]155:8090 for attacker interaction.
  • Information Gathering: Loader appends host data (computer name, username) to C2 requests to customize payload delivery.
  • Persistence: Startup folder shortcuts ensure repeated execution after reboot.
  • Obfuscation: Reverse shell employs ROR13 hashing to obscure API calls and hinder analysis.

Tactics and Techniques include:

  • TA0001 – Initial Access: Phishing emails with malicious RAR attachments (T1566).
  • TA0002 – Execution: Exploiting user execution by tricking them into opening malicious attachments (T1204).
  • TA0005 – Defense Evasion: Using ROR13 hashing to obfuscate Windows API function names and embedding tracking pixels in phishing emails (T1027).
  • TA0011 – Command and Control: Utilizing WinRunApp.exe to fetch and execute payloads from remote C2 servers (T1105).

Indicators of Compromise (IOCs)

File (CVE-2025-6218):

  • minprom_04072025.rar
    • MD5: 9a69b948e261363463da38bdbf828b14
    • SHA1: 40e647d61a00fd7240e54dba45ce95c5d33cae43
    • SHA256: fe2587dd8d9755b7b3a106b6e46519a1ce0a8191eb20821d2f957326dbf912e9

IP/Domain (CVE-2025-6218):

  • eliteheirs[.]org
  • 89.110.88.155:8090
  • 81.30.105.148
  • 213.171.4.200

File (Zero-Day):

  • DON_AVIA_TRANS_UZ.rar
    • MD5: eaba94b5237d2625fa38bc924e5347c4
    • SHA1: 6c0e52b8ed746b5b8ebef1ef2226093260659ae8
    • SHA256: d2c3fe8b9a4e0e5b7bcc087d52295ab30dc25b1410f50de35470383528c9d844

URL (Zero-Day):

  • hxxps://indoorvisions[.]org/patriarchal/furthering/creating/flared/censured?hostname=[hostname]&username=[username]
  • Variants with similar paths on trailtastic[.]org

Domain/IP (Zero-Day):

  • indoorvisions[.]org
  • trailtastic[.]org
  • 89.110.98.26
  • 94.242.51.73

Mutex:

  • Sfgjh824nf6sdfgsfwe6467jkgg3vvvv3q7657fj436jh54HGFa56
  • Global_22576733

Mitigation & Recommendations

To defend against these types of attacks, organizations should:

  • Prioritize patching WinRAR to the latest version (7.13 or later).
  • Monitor for anomalous archive extractions, especially from unusual locations.
  • Analyze network traffic for connections to suspicious domains and IPs.
  • Implement behavioral analytics and threat intelligence integration to detect unusual TTPs.
  • Provide continuous 24/7 incident monitoring.
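The recommendation to analyze network traffic for the listed domains and IPs can be turned into a concrete check. The following is an added example, not code from the original post or from the Saner product; it copies the network indicators from the IOC section above in their defanged form, assumes a simple space-separated proxy log format (timestamp, client, method, URL), and uses constructed log lines. Beyond plain indicator matching, it also flags URLs carrying the hostname/username query parameters the loader is reported to append to its C2 requests.

```python
"""Match proxy log lines against the article's network IOCs.

Added example (not from the original post). Indicators below are copied
from the IOC section in defanged form; log lines are constructed.
"""
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

DEFANGED_DOMAINS = ["eliteheirs[.]org", "indoorvisions[.]org", "trailtastic[.]org"]
DEFANGED_IPS = ["89.110.88[.]155", "81.30.105.148", "213.171.4.200",
                "89.110.98.26", "94.242.51.73"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").lower()


INDICATORS = {refang(x) for x in DEFANGED_DOMAINS + DEFANGED_IPS}
# Query parameters the loader appends to customise payload delivery.
BEACON_PARAMS = {"hostname", "username"}


def _hostname(url: str) -> str:
    # "host:port" targets from CONNECT lines have no scheme; urlsplit would
    # otherwise treat the whole thing as a path.
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def check_url(url: str) -> List[str]:
    """Return every reason a URL is suspicious (empty list if none)."""
    reasons: List[str] = []
    host = _hostname(url)
    if any(host == ioc or host.endswith("." + ioc) for ioc in INDICATORS):
        reasons.append(f"known indicator: {host}")
    params = set(parse_qs(urlsplit(url if "://" in url else "//" + url).query))
    if BEACON_PARAMS <= params:
        reasons.append("hostname/username beacon parameters")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, client, url, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; assumed format is ts client method url
        ts, client, _method, url = fields[:4]
        reasons = check_url(url)
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


# Constructed sample log (format assumed: timestamp client method url).
SAMPLE_LOG = [
    "2025-08-12T09:14:02Z 10.0.0.5 GET https://www.example.com/index.html",
    "2025-08-12T09:14:31Z 10.0.0.9 GET https://indoorvisions.org/patriarchal/furthering/creating/flared/censured?hostname=WS01&username=alice",
    "2025-08-12T09:15:10Z 10.0.0.7 CONNECT 89.110.88.155:8090",
    "2025-08-12T09:16:44Z 10.0.0.5 GET https://intranet.example.com/login?username=bob",
]

if __name__ == "__main__":
    for ts, client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {url}: {'; '.join(reasons)}")
```

The suffix match (`host.endswith("." + ioc)`) catches subdomains of a listed domain, which the article's "variants with similar paths" remark suggests is worth covering; the beacon-parameter rule is a behavioural signal that survives infrastructure changes.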

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.