
Paper Werewolf cyber spies exploit WinRAR vulnerabilities
In July and early August 2025, the Paper Werewolf espionage cluster targeted several organizations in Russia and Uzbekistan. The adversaries distributed phishing emails with RAR attachments supposedly including important documents, which actually delivered malware. The threat actor exploited two vulnerabilities in WinRAR, enabling the covert installation of malware on victims’ devices upon archive extraction.
One of Paper Werewolf’s targets was a Russian manufacturer of specialized equipment. The adversaries impersonated a major R&D institute, using a compromised email address of a legitimate furniture company. The attached RAR archive contained files labeled as “documents from the ministry” and an XPS Viewer executable. While the latter is legitimate software, the threat actor had modified its executable file to include malicious code. This enabled them to remotely run commands and manipulate the compromised device.
In their attack on the equipment manufacturer, Paper Werewolf exploited CVE-2025-6218, which affects WinRAR versions up to and including 7.11. In subsequent campaigns against organizations in Russia and Uzbekistan, the adversaries switched to a new, previously undocumented zero-day vulnerability affecting version 7.12. Notably, shortly before these incidents, a post had appeared on an underground forum offering an allegedly working exploit for $80,000 (presumably for the second vulnerability).
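As an added defender-side check, not part of the BI.ZONE report, the following Python groups a WinRAR version inventory by the exposures the article states (CVE-2025-6218 for 7.11 and below, the zero-day for 7.12); the hostnames and version strings are constructed, and the inventory source is assumed to be whatever asset tooling already records the archiver's version.

```python
import re
from collections import defaultdict

# Exposure thresholds exactly as stated in the article: CVE-2025-6218 affects
# WinRAR up to and including 7.11; the undocumented zero-day affects 7.12.
# The article does not say whether that zero-day also hits older builds, so
# the classification below reports only what the text supports.
CVE_MAX_VERSION = (7, 11)
ZERO_DAY_VERSION = (7, 12)

def parse_winrar_version(raw: str) -> tuple[int, int]:
    """Turn '7.11', 'WinRAR 7.12', or a PE ProductVersion like '7.11.0.0'
    into a (major, minor) tuple. WinRAR's minor is a two-digit number,
    so 7.01 < 7.10 < 7.11 sorts correctly as integers."""
    m = re.search(r"(\d+)\.(\d{1,2})", raw)
    if not m:
        raise ValueError(f"unrecognised WinRAR version string: {raw!r}")
    return int(m.group(1)), int(m.group(2))

def classify(version: tuple[int, int]) -> str:
    """Map a parsed version onto the exposure the article describes."""
    if version <= CVE_MAX_VERSION:
        return "CVE-2025-6218"
    if version == ZERO_DAY_VERSION:
        return "zero-day (7.12)"
    return "no exposure stated in article"

def exposure_report(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by exposure; unparsable entries land in 'unknown'
    so they are followed up rather than silently treated as patched."""
    report = defaultdict(list)
    for host, raw in inventory.items():
        try:
            report[classify(parse_winrar_version(raw))].append(host)
        except ValueError:
            report["unknown"].append(host)
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = {
    "ws-acct-01": "7.11.0.0",    # ProductVersion read from WinRAR.exe
    "ws-eng-07": "WinRAR 7.12",  # display name from an uninstall registry key
    "ws-hr-03": "7.01",
    "srv-file-02": "7.13.0.0",
    "ws-lab-09": "n/a",          # agent could not read a version
}

if __name__ == "__main__":
    for exposure, hosts in exposure_report(SAMPLE_INVENTORY).items():
        print(f"{exposure}: {', '.join(hosts)}")
```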
According to BI.ZONE TDR, 79% of Russian companies rely on WinRAR in their daily operations, and nearly 100% of Windows‑based corporate devices have the archiver installed. A WinRAR representative previously reported that the company sold around 10,000 licenses per month. This makes the archiver one of the most popular utilities among both individual and corporate users.
According to the estimates of BI.ZONE Threat Intelligence, 36% of all attacks on Russia since the beginning of 2025 have been espionage‑driven.