Saved February 14, 2026
This article examines how the Russian threat group Primitive Bear uses a recently disclosed WinRAR path-traversal vulnerability (CVE-2025-6218) to deliver malware to Ukrainian entities. The analysis highlights the group's methodology, including the use of archive entries with decoy file names that look like official documents to get victims to open them and execute malicious scripts.
Primitive Bear (also tracked as Gamaredon), a Russian state-sponsored hacking group, is exploiting a recently disclosed vulnerability in WinRAR (CVE-2025-6218, a path-traversal flaw in how WinRAR extracts archive entries) to target Ukrainian entities. Active since 2013 and linked to the FSB, the group has shifted tactics and now distributes malware inside RAR archives. The article details several malware samples attributed to the group, all of which follow the same pattern: a decoy PDF paired with an HTML Application (HTA) file that executes further malicious payloads.
The samples analyzed include documents whose filenames suggest military and administrative contexts, such as subpoenas and information requests related to military units. Judging by the translations of the filenames, each file is likely aimed at specific government or military personnel in Ukraine. Social engineering via spear-phishing has long been a hallmark of Primitive Bear's operations, and the current campaign is an evolution of that method: the legitimate-looking document names are there to persuade recipients to open the archive and its contents.
The analysis focuses on the structure of these files, revealing that the HTA files carry script that, once run by mshta.exe with the privileges of the logged-in user, fetches and launches additional malware. This staging lets the attackers keep control of infected systems and potentially exfiltrate sensitive information. Understanding the infrastructure and methodology of such attacks is critical for defenders, especially given the ongoing conflict in Ukraine and the heightened risk of cyber threats from state-sponsored actors.
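The two checks a defender would want from the delivery chain described above, the decoy-plus-HTA archive pattern and the HTA execution, can be expressed as simple triage logic. The following is an added example written for this page; it is not code from the article or from the researchers it summarises. It assumes a pipeline that supplies the entry names of a suspect RAR archive (for instance from `unrar lt` or the `rarfile` module) and process-creation events as dictionaries with `parent`, `image` and `cmdline` keys (Sysmon event ID 1 style). The archive entry names, process events and the user-writable path heuristics are constructed for the example and are assumptions, not indicators from the article.

```python
"""Triage helpers for the decoy-document + HTA archive chain.

Added example, not the article's code. Input shapes are assumed:
  * archive entry names as a list of strings;
  * process-creation events as dicts with 'parent', 'image', 'cmdline'.
"""
import re
from pathlib import PureWindowsPath

# Decoy document extensions the campaign pairs with an HTA (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx"}
# Script/host extensions that have no business inside a "subpoena" archive.
SCRIPT_EXTS = {".hta", ".js", ".vbs", ".lnk", ".cmd", ".bat"}

# Matches mshta.exe at the end of an image path (case-insensitive).
MSHTA = re.compile(r"(^|\\)mshta\.exe$", re.I)
# Parents that mean "the user just opened something from an archive" (assumed).
ARCHIVE_PARENTS = {"winrar.exe", "explorer.exe"}
# User-writable locations an extracted HTA typically lands in (assumed).
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def archive_entry_findings(names):
    """Return (entry, reason) tuples for entries that deserve a closer look.

    Two checks:
      * traversal ('..') or absolute/rooted names in a stored path: the bug
        class behind CVE-2025-6218, where an entry is written outside the
        directory the user chose;
      * a script/HTA file stored alongside a decoy document, the pairing the
        article describes.
    """
    findings = []
    has_decoy = any(PureWindowsPath(n.lower()).suffix in DECOY_EXTS for n in names)
    for name in names:
        win = PureWindowsPath(name.replace("/", "\\"))
        if win.is_absolute() or win.drive or win.root or ".." in win.parts:
            findings.append((name, "path traversal / absolute path"))
        if win.suffix.lower() in SCRIPT_EXTS:
            reason = "script file"
            if has_decoy:
                reason += " paired with decoy document"
            findings.append((name, reason))
    return findings


def suspicious_hta_launches(events):
    """Return events where mshta.exe runs an .hta from a user-writable path
    with an archiver or Explorer as parent: the 'victim opens the decoy,
    the HTA runs' step of the chain."""
    hits = []
    for ev in events:
        if not MSHTA.search(ev["image"]):
            continue
        cmd = ev["cmdline"].lower()
        parent = PureWindowsPath(ev["parent"]).name.lower()
        if ".hta" in cmd and parent in ARCHIVE_PARENTS \
                and any(p in cmd for p in USER_WRITABLE):
            hits.append(ev)
    return hits


# Constructed sample data for a stand-alone run (not from the article).
SAMPLE_ENTRIES = [
    "Zapyt_vch_2025.pdf",                                   # decoy document
    "..\\..\\..\\Users\\Public\\Zapyt_vch_2025.pdf.hta",    # traversal + HTA
]
SAMPLE_EVENTS = [
    {"parent": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa0.123\\Zapyt_vch_2025.pdf.hta"'},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe about:blank"},                   # benign-looking
    {"parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                  # unrelated
]

if __name__ == "__main__":
    for entry, reason in archive_entry_findings(SAMPLE_ENTRIES):
        print(f"archive: {reason}: {entry}")
    for ev in suspicious_hta_launches(SAMPLE_EVENTS):
        print(f"process: {ev['parent']} -> {ev['cmdline']}")
```

The archive check is deliberately run on the stored names before extraction, because with a traversal bug the damage is done at extraction time; the process check is what you would turn into a detection rule once the archive has already been opened on an endpoint.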