Paper Werewolf targets Russia with WinRAR zero-day vulnerability

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor used phishing emails impersonating Russian organizations, delivering malware through archive files. The attacks targeted Russian entities and used advanced techniques to bypass defenses and extend the actor's toolkit. The malware, delivered via crafted RAR files, planted malicious executables in startup folders and connected to C2 servers. The threat actor demonstrated strong capabilities in exploiting zero-day vulnerabilities and modifying existing tools for its own purposes. Multiple attack iterations were observed, with slight variations in payload delivery and execution methods.

Author: AlienVault

Related Tags:
WinRunApp.exe
cve-2025-6218
directory traversal
c2
Zero-Day
rar
shellcode
Russian Federation
T1588

Associated Indicators: