
Paper Werewolf Exploits WinRAR Zero-Day Vulnerability to Deliver Malware


Cyber spies associated with the threat actor group Paper Werewolf have demonstrated advanced capabilities in bypassing email security filters by delivering malware through seemingly legitimate archive files, a tactic that exploits how common such attachments are in business correspondence.

Despite their sophistication, these attackers continue to rely on detectable tactics, techniques, and procedures (TTPs), underscoring the critical need for continuous 24/7 incident monitoring in corporate environments.

Phishing Campaigns Leverage Archive Exploits

In early July 2025, BI.ZONE Threat Intelligence uncovered a phishing campaign where adversaries impersonated a Russian R&D institute, sending emails from a compromised furniture supplier account.

Phishing email

These emails included a RAR archive named minprom_04072025.rar, which exploited CVE-2025-6218, a known WinRAR vulnerability enabling directory traversal.

Exploiting CVE-2025-6218

This flaw allows files to be extracted outside the intended directory, for example into the Startup folder, so that a planted executable runs automatically at the next user login.
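The defensive counterpart to that traversal, as an added example that is not code from the article or from BI.ZONE: a pre-extraction check that resolves every entry name of an archive listing under the destination folder using Windows path rules and refuses any entry that would land elsewhere. The entry names, the destination path and the `is_safe_entry`/`triage_listing` helpers are constructed for illustration; obtaining the real listing from a RAR file still requires an archive library.

```python
import ntpath

# Added example (not the article's code): validate archive entry names
# before extraction so that a traversal entry of the kind the article
# attributes to CVE-2025-6218 is refused instead of being written into a
# Startup folder. Windows path rules (ntpath) are applied regardless of the
# host OS; dest_dir must be an absolute Windows path.

def _canon(path: str) -> str:
    """Collapse '.', '..' and mixed separators, then case-fold (NTFS is
    case-insensitive), so two spellings of one location compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def is_safe_entry(entry_name: str, dest_dir: str) -> bool:
    """True only if entry_name resolves to a location inside dest_dir."""
    # Relative archive entries never legitimately carry a drive letter, a UNC
    # prefix or a leading separator; reject those outright.
    if ntpath.splitdrive(entry_name)[0] or entry_name.startswith(("\\", "/")):
        return False
    dest = _canon(dest_dir)
    target = _canon(ntpath.join(dest, entry_name))
    # Containment check after normalisation catches '..' sequences that
    # would climb out of dest_dir; the trailing separator stops a sibling
    # folder such as dest_dir + "2" from passing as "inside".
    return target == dest or target.startswith(dest + "\\")


def triage_listing(entries, dest_dir: str):
    """Return (entry, resolved target) for every entry that would escape
    dest_dir, so the archive can be quarantined before anyone extracts it."""
    dest = _canon(dest_dir)
    return [(name, _canon(ntpath.join(dest, name)))
            for name in entries if not is_safe_entry(name, dest_dir)]


# Constructed sample listing (not the real minprom_04072025.rar contents):
# one decoy document plus one entry aimed at the per-user Startup folder.
SAMPLE_ENTRIES = [
    "minprom_04072025\\letter.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
]

if __name__ == "__main__":
    for name, target in triage_listing(SAMPLE_ENTRIES, "C:\\Users\\victim\\Downloads\\minprom"):
        print(f"BLOCK {name!r} -> {target}")
```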

Upon extraction, the archive ...


Copyright of this story solely belongs to gbhackers.