
How is Paper Werewolf exploiting WinRAR vulnerabilities to spread malware?

The cyber espionage group Paper Werewolf has been employing advanced techniques to circumvent email security by embedding malware in seemingly legitimate archive files. This method exploits the widespread use of such attachments in business communications. Despite their sophistication, these attackers often use detectable tactics, highlighting the importance of continuous incident monitoring in corporate settings.

In July 2025, a phishing campaign was discovered in which attackers impersonated a Russian research institution, sending emails from a compromised account. The emails carried a RAR archive that exploited a WinRAR vulnerability to write files outside the chosen extraction directory, for example into the Windows Startup folder, so that the dropped files ran automatically at the next logon.

The archive deployed a modified executable with embedded shellcode for a reverse shell connection to a command-and-control server. The attackers used obfuscation techniques to evade detection, while decoy files within the archive disguised the attack.

Paper Werewolf has since escalated its operations by exploiting a zero-day vulnerability in WinRAR, patched in version 7.13. The flaw is a directory traversal: a crafted archive can write arbitrary payloads into system directories of the attacker's choosing rather than the extraction folder. Recent attacks used malicious RAR files to deploy a .NET loader that fetches and executes remote payloads from the group's control servers.

The loader ensures that only one instance of itself is running, then queries the server with details about the victim, using specific User-Agent strings so that its requests blend in with legitimate traffic. If the request succeeds, it loads the returned .NET assembly and invokes the methods named in its configuration.

These incidents underscore the group’s focus on exploiting compression tool vulnerabilities combined with social engineering for initial access. Organizations are urged to patch WinRAR, monitor for unusual archive extractions, and analyze network traffic to suspicious domains. Detectable tactics, such as embedded tracking pixels, offer opportunities for early detection through behavioral analytics.
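Path traversal in an archive is visible in the entry names before anything is extracted, so one concrete form of the "monitor for unusual archive extractions" advice above is to inspect entry names for components that escape the extraction directory. The following Python is an added example for this page, not code from the article or from the Paper Werewolf research. It walks RAR5 block headers (signature, header CRC, vint-encoded fields) to recover entry names and flags any name with a `..` component or an absolute or drive-qualified path. The small `build_rar5` writer exists only to produce constructed, uncompressed test input so the scanner runs offline; archives with encrypted headers or multiple volumes are out of scope, and since the page does not name the specific WinRAR bug, the check is a generic traversal filter rather than a signature for that flaw.

```python
import ntpath
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HDR_MAIN, HDR_FILE, HDR_SERVICE, HDR_END = 1, 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x01, 0x02    # header flags: extra area / data area present
FFLAG_MTIME, FFLAG_CRC = 0x02, 0x04   # file flags: mtime / data CRC32 field present

def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer (7 bits per byte, high bit = more)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def iter_entries(data):
    """Walk the block headers of a RAR5 archive and yield (header_type, entry_name)."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIGNATURE)
    while pos < len(data):
        crc = struct.unpack_from("<I", data, pos)[0]
        hdr_size, body = read_vint(data, pos + 4)
        hdr_end = body + hdr_size            # header size covers type .. extra area
        if zlib.crc32(data[pos + 4:hdr_end]) != crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        hdr_type, p = read_vint(data, body)
        flags, p = read_vint(data, p)
        data_size = 0
        if flags & FLAG_EXTRA:
            _extra_size, p = read_vint(data, p)
        if flags & FLAG_DATA:
            data_size, p = read_vint(data, p)
        if hdr_type in (HDR_FILE, HDR_SERVICE):
            file_flags, p = read_vint(data, p)
            _unpacked_size, p = read_vint(data, p)
            _attributes, p = read_vint(data, p)
            p += 4 if file_flags & FFLAG_MTIME else 0
            p += 4 if file_flags & FFLAG_CRC else 0
            _compression, p = read_vint(data, p)
            _host_os, p = read_vint(data, p)
            name_len, p = read_vint(data, p)
            yield hdr_type, data[p:p + name_len].decode("utf-8", "replace")
        if hdr_type == HDR_END:
            return
        pos = hdr_end + data_size            # packed data follows the header

def unsafe_reason(name):
    """Explain why an entry name could escape the extraction directory, or None."""
    norm = name.replace("\\", "/")
    if ntpath.splitdrive(name)[0] or norm.startswith("/"):
        return "absolute or drive-qualified path"
    if ".." in norm.split("/"):
        return "parent-directory component"
    return None

def scan_archive(data):
    """Return [(name, reason)] for every entry that looks like a traversal attempt."""
    return [(name, unsafe_reason(name)) for _, name in iter_entries(data)
            if unsafe_reason(name)]

# Constructed test input: a minimal 'stored' RAR5 writer, for illustration only.
def _vint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def _block(hdr_type, fields, payload=b""):
    flags = FLAG_DATA if payload else 0
    body = _vint(hdr_type) + _vint(flags) + (_vint(len(payload)) if payload else b"") + fields
    hdr = _vint(len(body)) + body
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + payload

def build_rar5(entries):
    """Build an uncompressed RAR5 archive from {name: bytes} (constructed sample, not WinRAR output)."""
    out = bytearray(RAR5_SIGNATURE) + _block(HDR_MAIN, _vint(0))   # archive flags: none
    for name, content in entries.items():
        enc = name.encode("utf-8")
        fields = (_vint(FFLAG_CRC) + _vint(len(content)) + _vint(0x20)  # flags, size, attributes
                  + struct.pack("<I", zlib.crc32(content))
                  + _vint(0) + _vint(0)                 # method 0 = stored, host OS 0 = Windows
                  + _vint(len(enc)) + enc)
        out += _block(HDR_FILE, fields, content)
    return bytes(out + _block(HDR_END, _vint(0)))

# Constructed sample: a decoy document beside two entries that try to leave the extraction folder.
SAMPLE = build_rar5({
    "Research_Report.pdf": b"decoy document",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe": b"MZ...",
    "C:\\Users\\Public\\run.cmd": b"@echo off",
})

if __name__ == "__main__":
    for name, reason in scan_archive(SAMPLE):
        print(f"SUSPICIOUS ({reason}): {name}")
```

Run as a script it reports the two traversal entries and stays silent on the decoy. In a mail gateway or EDR pipeline the same `scan_archive` call can gate the attachment before a user ever opens it, which is cheaper than reconstructing the write after the fact from file-system telemetry.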
