Friday, June 21, 2024
HomeCyber SecuritySticky Werewolf Expands Cyber Assault Targets in Russia and Belarus

Sticky Werewolf Expands Cyber Assault Targets in Russia and Belarus

Jun 10, 2024NewsroomCyber Espionage / Malware

Sticky Werewolf

Cybersecurity researchers have disclosed particulars of a risk actor often called Sticky Werewolf that has been linked to cyber assaults focusing on entities in Russia and Belarus.

The phishing assaults had been aimed toward a pharmaceutical firm, a Russian analysis institute coping with microbiology and vaccine growth, and the aviation sector, increasing past their preliminary focus of presidency organizations, Morphisec stated in a report final week.

“In earlier campaigns, the an infection chain started with phishing emails containing a hyperlink to obtain a malicious file from platforms like,” safety researcher Arnold Osipov stated. “This newest marketing campaign used archive information containing LNK information pointing to a payload saved on WebDAV servers.”


Sticky Werewolf, one of many many risk actors focusing on Russia and Belarus reminiscent of Cloud Werewolf (aka Inception and Cloud Atlas), Quartz Wolf, Pink Wolf (aka RedCurl), and Scaly Wolf, was first documented by BI.ZONE in October 2023. The group is believed to be energetic since no less than April 2023.

Earlier assaults documented by the cybersecurity agency leveraged phishing emails with hyperlinks to malicious payloads that culminated within the deployment of the NetWire distant entry trojan (RAT), which had its infrastructure taken down early final 12 months following a legislation enforcement operation.

The brand new assault chain noticed by Morphisec includes the usage of a RAR archive attachment that, when extracted, accommodates two LNK information and a decoy PDF doc, with the latter claiming to be an invite to a video convention and urging the recipients to click on on the LNK information to get the assembly agenda and the e-mail distribution record.

Opening both of the LNK information triggers the execution of a binary hosted on a WebDAV server, which ends up in the launch of an obfuscated Home windows batch script. The script, in flip, is designed to run an AutoIt script that in the end injects the ultimate payload, on the identical time bypassing safety software program and evaluation makes an attempt.

“This executable is an NSIS self-extracting archive which is a part of a beforehand identified crypter named CypherIT,” Osipov stated. “Whereas the unique CypherIT crypter is not being offered, the present executable is a variant of it, as noticed in a few hacking boards.”

The top purpose of the marketing campaign is to ship commodity RATs and knowledge stealer malware reminiscent of Rhadamanthys and Ozone RAT.


“Whereas there isn’t any definitive proof pointing to a selected nationwide origin for the Sticky Werewolf group, the geopolitical context suggests potential hyperlinks to a pro-Ukrainian cyberespionage group or hacktivists, however this attribution stays unsure,” Osipov stated.

The event comes as BI.ZONE revealed an exercise cluster codenamed Sapphire Werewolf that has been attributed as behind greater than 300 assaults on Russian schooling, manufacturing, IT, protection, and aerospace engineering sectors utilizing Amethyst, an offshoot of the favored open‑supply SapphireStealer.

The Russian firm, in March 2024, additionally uncovered clusters known as Fluffy Wolf and Mysterious Werewolf which have used spear-phishing lures to distribute Distant Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.

“The RingSpy backdoor permits an adversary to remotely execute instructions, receive their outcomes, and obtain information from community assets,” it famous. “The backdoor’s [command-and-control] server is a Telegram bot.”

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments