Cyber Defense Advisors

Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus

Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.

The phishing attacks were aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond their initial focus of government organizations, Morphisec said in a report last week.

“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io,” security researcher Arnold Osipov said. “This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.”

Sticky Werewolf, one of the many threat actors targeting Russia and Belarus such as Cloud Werewolf (aka Inception and Cloud Atlas), Quartz Wolf, Red Wolf (aka RedCurl), and Scaly Wolf, was first documented by BI.ZONE in October 2023. The group is believed to be active since at least April 2023.

Previous attacks documented by the cybersecurity firm leveraged phishing emails with links to malicious payloads that culminated in the deployment of the NetWire remote access trojan (RAT), which had its infrastructure taken down early last year following a law enforcement operation.

The new attack chain observed by Morphisec involves the use of a RAR archive attachment that, when extracted, contains two LNK files and a decoy PDF document, with the latter claiming to be an invitation to a video conference and urging the recipients to click on the LNK files to get the meeting agenda and the email distribution list.

Opening either of the LNK files triggers the execution of a binary hosted on a WebDAV server, which leads to the launch of an obfuscated Windows batch script. The script, in turn, is designed to run an AutoIt script that ultimately injects the final payload, at the same time bypassing security software and analysis attempts.

“This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT,” Osipov said. “While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a couple of hacking forums.”

The end goal of the campaign is to deliver commodity RATs and information stealer malware such as Rhadamanthys and Ozone RAT.

“While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain,” Osipov said.

The development comes as BI.ZONE revealed an activity cluster codenamed Sapphire Werewolf that has been attributed as behind more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors using Amethyst, an offshoot of the popular open‑source SapphireStealer.

The Russian company, in March 2024, also uncovered clusters referred to as Fluffy Wolf and Mysterious Werewolf that have used spear-phishing lures to distribute Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.

“The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources,” it noted. “The backdoor’s [command-and-control] server is a Telegram bot.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.