Wednesday, May 7, 2025

Werewolf Hackers Exploiting WinRAR Vulnerability To Deploy RingSpy Backdoor


Active since 2023, the Mysterious Werewolf cluster has shifted targets to the military-industrial complex (MIC) by using phishing emails with a weaponized archive. 

The archive contains a seemingly legitimate PDF document along with a malicious CMD file, and when the victim opens the archive and double-clicks the PDF, the CMD file executes, deploying the RingSpy backdoor onto the compromised system. 

The malware replaces the Athena agent of the Mythic framework, which Mysterious Werewolf had used in its earlier campaigns.


An attacker known as Mysterious Werewolf is employing phishing emails laced with malicious archives that exploit the CVE-2023-38831 vulnerability in WinRAR to execute code.


Tactics have shifted: the Athena agent has been swapped for the RingSpy backdoor, written in Python, and the group uses legitimate services to maintain control of compromised systems, with a Telegram bot serving as the command and control server.

The malicious archive exploited a vulnerability in WinRAR (CVE-2023-38831) to launch a VBScript that ran a malicious batch file (.vbs and 1.bat). The script retrieved a download link from a Yandex Disk resource using a cURL command with OAuth credentials, downloaded another batch file (i.bat) via the retrieved link, deleted the link file, and executed the downloaded batch file through another VBScript call.

Downloading the file using the received link

Both the initial script (1.bat) and the downloaded script (i.bat) self-deleted after execution. The script first checks for an existing file to prevent re-installation and then retrieves a download link, downloads a decoy PDF, opens it, and deletes the link.

Distracting document

Next, it downloads the Python installer from the official website based on a predefined version, extracts it to a hidden local folder, and sets a configuration file to specify search paths for Python modules. 

Then it downloads the pip installer into the Python folder, uses pip to install additional libraries (requests and schedule), and cleans up by deleting the temporary installer script.

Downloading the Python interpreter

The attacker deploys the RingSpy backdoor, a Python script, using the Yandex Cloud API; the script is downloaded and executed through a VBScript file (.vbs) placed in the Startup folder and the LocalAppData folder.

The backdoor allows remote command execution, downloads files, and sends results to the Telegram bot that serves as its control server. The script can also be scheduled to run every minute using PowerShell.

The downloaded files are saved in a specific folder, and network requests are made to the Telegram bot’s API to send data.  

Obtaining and running the pip installer

According to Bi.zone, the attacker likely gained initial access by sending a spearphishing email with an attachment. Once in, they used PowerShell, command prompts, VBScript, and Python to execute malicious code. 

They potentially exploited a WinRAR vulnerability (CVE-2023-38831) for further execution. To maintain persistence, they used scheduled tasks and startup folders. 

The attacker also attempted to evade defenses by deleting files and used techniques like file transfer and a Telegram bot for command and control.
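The following is an added detection example, not part of the Bi.zone report or the article, that turns the chain described above into rules run over constructed Sysmon-style events: WinRAR spawning a script host (the CVE-2023-38831 execution step), PowerShell registering a task that repeats every minute, python.exe outside the normal install locations connecting to the Telegram bot API, and a .vbs written into the Startup folder. Field names, paths and the sample events are invented for the example.

```python
import re

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
NORMAL_PY = ("\\program files", "\\appdata\\local\\programs\\python")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(ev):
    """Return the names of the rules one event matches ([] means no finding)."""
    hits, img = [], ev.get("image", "")
    if ev["type"] == "process":
        # WinRAR handing off to a script host is the trace of the CVE-2023-38831 archive.
        if _base(ev["parent"]) == "winrar.exe" and _base(img) in SCRIPT_HOSTS:
            hits.append("winrar_spawns_script_host")
        # PowerShell registering a task that repeats every minute, RingSpy's cadence.
        if _base(img) == "powershell.exe" and re.search(
                r"register-scheduledtask.*-minutes\s+1\b", ev.get("cmdline", ""), re.I):
            hits.append("one_minute_scheduled_task")
    elif ev["type"] == "network":
        # python.exe outside normal install paths talking to the Telegram bot API (C2 channel).
        if (_base(img) == "python.exe"
                and not any(p in img.lower() for p in NORMAL_PY)
                and ev.get("dest_host", "").endswith("api.telegram.org")):
            hits.append("unusual_python_to_telegram")
    elif ev["type"] == "file":
        # A .vbs written into the per-user Startup folder is the persistence step.
        tgt = ev["target"].lower()
        if STARTUP_DIR in tgt and tgt.endswith(".vbs"):
            hits.append("vbs_in_startup_folder")
    return hits

def findings(events):
    return [(i, r) for i, ev in enumerate(events) for r in detect(ev)]

# Constructed Sysmon-style sample events (not real telemetry; paths are invented).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c decoy.cmd"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Register-ScheduledTask -TaskName upd -Trigger (New-ScheduledTaskTrigger"
                " -Once -At 0:00 -RepetitionInterval (New-TimeSpan -Minutes 1)) -Action $a"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\.cache\python.exe",
     "dest_host": "api.telegram.org"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Programs\Python\Python312\python.exe",
     "dest_host": "pypi.org"},
    {"type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"},
]
```

The benign per-user Python install fetching from pypi.org produces no finding, which is the false-positive case the path check is there to avoid.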


Tushar Subhra