Paper Werewolf Exploits WinRAR Vulnerabilities in Espionage Campaigns

Red Dog Security

11 Aug 2025 — 1 min read

In July and early August 2025, the espionage-focused hacking group Paper Werewolf targeted multiple organizations in Russia and Uzbekistan. The campaign relied on phishing emails containing RAR archives that appeared to hold important documents but instead carried malware. The attackers exploited two vulnerabilities in WinRAR that allowed malicious software to be installed when an archive was extracted.

According to analysts at BI.ZONE, one of the group’s targets was a Russian manufacturer of specialized equipment. The attackers sent a phishing email impersonating a major research institute, using a compromised email account from an unrelated, legitimate company—a furniture manufacturer.

The attached RAR archive contained forged “documents from a ministry” alongside an executable file named XPS Viewer. While XPS Viewer is a legitimate application, the attackers had modified its executable to embed malicious code, enabling them to execute remote commands and seize control of the compromised system.

Researchers note that WinRAR is used by nearly 80% of Russian companies, and most employees with Windows-based corporate devices have it installed.

In the attack on the equipment manufacturer, Paper Werewolf exploited CVE-2025-6218, a vulnerability affecting WinRAR versions up to and including 7.11. Subsequent attacks in Russia and Uzbekistan leveraged a new, previously undisclosed zero-day affecting WinRAR version 7.12.

Shortly before these incidents, an advertisement appeared on a hacker forum offering what was allegedly a working exploit for this zero-day vulnerability, with the seller asking $80,000.

“Espionage-oriented threat groups continue to experiment with new methods and tools, expanding their arsenals with previously unknown vulnerabilities. By using RAR archives, attackers achieved two goals at once: exploiting WinRAR flaws to install malware, and increasing the likelihood that phishing emails would bypass filters—since such attachments are common in business correspondence,”
— Oleg Skulkin, Head of Threat Intelligence, BI.ZONE

Law Enforcement Shuts Down Fake Identity Creation Service VerifTools

The FBI and Dutch police have announced the takedown of VerifTools, an underground marketplace that specialized in producing fake identity documents. During the operation, authorities seized both physical and virtual servers located in Amsterdam. A Marketplace for Fake IDs VerifTools operated as a large-scale platform for creating and selling fraudulent

NX Falls Victim to Supply Chain Attack: Hackers Steal Thousands of Secrets

The maintainers of NX have disclosed a major supply chain attack, dubbed s1ngularity, which occurred on August 26, 2025. The compromise of a developer’s token allowed attackers to publish malicious versions of the popular npm package and related tools, enabling them to steal user data on a large scale.

Government Institutions in Nevada Closed Due to Cyberattack

The U.S. state of Nevada has suffered a large-scale cyberattack, forcing the temporary closure of government institutions and disrupting multiple state services. The incident, which began last weekend, has left authorities working for days to restore operations. Scope of the Disruption The attack affected government websites, telephone systems, and

Anthropic: Hackers Used Claude in a Large-Scale Cyber Operation

Anthropic reports that it has disrupted a large-scale malicious campaign in which attackers used its AI model, Claude, to steal personal data and extort ransoms that sometimes exceeded $500,000. In its published report, the company warns that AI-powered tools are increasingly being weaponized for cybercrime and fraud. To counter

Read more

Law Enforcement Shuts Down Fake Identity Creation Service VerifTools

NX Falls Victim to Supply Chain Attack: Hackers Steal Thousands of Secrets

Government Institutions in Nevada Closed Due to Cyberattack

Anthropic: Hackers Used Claude in a Large-Scale Cyber Operation