Paper Werewolf targets Russia with WinRAR zero‑day vulnerability

Fig. 1. Phishing email

Fig. 2. Link to hidden image in phishing email

Fig. 3. Contents of minprom_04072025.rar

Fig. 4. Exploiting CVE-2025-6218

Fig. 5. Contents of письмо на СМ_(файл отображения).pdf (mapping file)

Fig. 6. Contents of Шаблон_запроса (7) (11).docx (request template)

Fig. 7. Fragment of malicious reverse shellcode

Fig. 8. Contents of Запрос_Минпромторг_22.07.rar

Fig. 9. Exploiting zero-day vulnerability in WinRAR

Fig. 10. Contents of запрос Минпромторга РФ.pdf

Fig. 11. Forum post offering WinRAR zero-day exploit for sale

Fig. 12. Loader configuration data

Fig. 13. Contents of DON_AVIA_TRANS_RU.rar

Fig. 14. Contents of DON_AVIA_TRANS_UZ.rar

Fig. 15. Exploiting vulnerability in archive

Fig. 16. Contents of Бриф компании.pdf

Fig. 17. Contents of Hamkorlik bo‘yicha aniqlashtiruvchi savollarga javoblar.pdf

Fig. 18. Contents of Презентация.pdf (Presentation.pdf)

Fig. 19. Checking for file existence; file execution

Fig. 20. Loader configuration data