NG Solution Team

How is the WinRAR zero-day vulnerability being exploited by cybercriminals?

In July 2025, a phishing campaign against Russian organizations was found to be exploiting WinRAR vulnerabilities. The threat actor, tracked as Paper Werewolf, first abused a known flaw, CVE-2025-6218, which affects WinRAR versions up to 7.11. It is a path traversal bug: a crafted RAR archive can make WinRAR write files outside the directory the user chose to extract into, for example into a Startup folder, so a dropped executable runs without any further user interaction. In this campaign the dropped executable opened a reverse shell to the attackers' command server.

Further investigation revealed a second, then-unpatched (zero-day) flaw affecting WinRAR versions up to 7.12, this time in its handling of NTFS alternate data streams (ADS). A crafted archive could direct an ADS entry outside the extraction directory as well, so arbitrary payloads could be written into system and autostart directories, giving the attackers persistence and a foothold from which to download additional malicious content.
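To make the two bug classes concrete, here is an added example of the entry-name check an archive extractor needs. It is not WinRAR's code and is not taken from the campaign reports: the destination folder, the entry names and the Startup-folder target are constructed for illustration. `naive_target` shows where a trusting extractor would write each entry, `safe_target` the containment check that rejects traversal both in plain entry names (the CVE-2025-6218 pattern) and in ADS stream names.

```python
import ntpath

# Constructed for this example: the folder the victim chose to extract into.
DEST = r"C:\Users\victim\Downloads\invoice"

# Constructed sample entries as (entry name, ADS stream name or None). The
# traversal-shaped names imitate the two bug classes described above; the
# Startup folder is the target because anything dropped there runs at logon.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ENTRIES = [
    ("invoice.pdf", None),                                  # benign file
    (rf"..\..\{STARTUP}\update.exe", None),                 # traversal in the entry name
    (r"C:\Windows\System32\drivers\etc\hosts", None),       # absolute target path
    ("notes.txt", rf"..\..\{STARTUP}\stage2.exe"),          # traversal hidden in an ADS name
    ("notes.txt", "Zone.Identifier"),                       # benign ADS
]


def naive_target(dest, name, stream=None):
    """Path a trusting extractor would hand to the file API: join the entry
    name onto the destination and append any stream name. Nothing stops
    '..' components from walking out of dest."""
    path = ntpath.join(dest, name)
    return path if stream is None else f"{path}:{stream}"


def safe_target(dest, name, stream=None):
    """Return the extraction path if the entry stays inside dest, else None.

    ntpath is used so Windows path semantics apply on any host. Rejects empty,
    absolute and rooted names, drive letters, ':' inside the file name (an ADS
    smuggled through the name) and, for ADS entries, any stream name that
    contains a separator, a ':' or is '.' / '..'."""
    if not name or ":" in name:
        return None
    if ntpath.isabs(name) or name.startswith(("\\", "/")) or ntpath.splitdrive(name)[0]:
        return None
    dest_norm = ntpath.normpath(dest)
    # normpath collapses '..' so the containment check sees the real target.
    full = ntpath.normpath(ntpath.join(dest_norm, name))
    try:
        inside = ntpath.commonpath([dest_norm, full]) == dest_norm
    except ValueError:  # different drives, or absolute/relative mix
        inside = False
    if not inside:
        return None
    if stream is not None:
        if not stream or stream in (".", "..") or any(c in stream for c in "\\/:"):
            return None
        full = f"{full}:{stream}"
    return full


def audit(entries, dest=DEST):
    """Run every entry through both functions; returns a list of
    (name, stream, naive path, safe path or None) tuples."""
    return [(n, s, naive_target(dest, n, s), safe_target(dest, n, s)) for n, s in entries]


if __name__ == "__main__":
    for name, stream, naive, safe in audit(ENTRIES):
        verdict = "REJECT" if safe is None else "ok"
        label = name if stream is None else f"{name}:{stream}"
        print(f"{verdict:6} {label}\n       naive extractor would write: {naive}")
```

The check deliberately treats the stream name as a bare identifier rather than a path: an ADS name has no legitimate reason to contain `\`, `/` or `:`, so rejecting those is simpler and safer than trying to normalise them. Because it uses `ntpath`, the audit runs on a Linux analysis box against entry names pulled from a suspicious archive just as it would on Windows.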

A possible link between the campaign and underground marketplaces was suggested by forum posts advertising a WinRAR zero-day exploit for $80,000. The link remains unconfirmed, but it is a reminder that exploits for widely installed desktop software are actively traded. Both flaws are fixed in WinRAR 7.13. WinRAR does not update itself, so the fix only reaches machines where someone installs the new version, which is why outdated installs stay exposed long after a patch; keeping WinRAR current and monitoring for archive tools writing into autostart and system directories are the practical defences against this delivery method.
