How a Russian Threat Actor Uses a Recent WinRAR Vulnerability in Their Ukraine Operations

Today we’re taking a look at several malware samples from the advanced persistent threat group “Primitive Bear” aka “Gamaredon”.

Primitive Bear is a Russian state-sponsored Advanced Persistent Threat (APT) group that has been active since at least 2013. With high confidence, the group is attributed to the Federal Security Service of the Russian Federation (FSB), Russia’s domestic intelligence service.

The most recently circulating malware samples caught my attention because they all follow the same pattern and exploit a newly disclosed vulnerability, CVE-2025-6218, to load additional malware in later stages.

In this post, I want to walk you through the methodology and the infrastructure used by the attacker.

Below is an overview of the samples I analyzed that make use of CVE-2025-6218, along with their origin.

To read the complete article see: Source.

This post is licensed under CC BY 4.0 by the author.