Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus - The Hacker News

Source: The Hacker News · Archived Mar 16, 2026

Ravie Lakshmanan · Jun 10, 2024 · Cyber Espionage / Malware

Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.

The phishing attacks were aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond their initial focus of government organizations, Morphisec said in a report last week.

"In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io," security researcher Arnold Osipov said. "This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers."

Sticky Werewolf, one of the many threat actors targeting Russia and Belarus such as Cloud Werewolf (aka Inception and Cloud Atlas), Quartz Wolf, Red Wolf (aka RedCurl), and Scaly Wolf, was first documented by BI.ZONE in October 2023. The group is believed to be active since at least April 2023.

Previous attacks documented by the cybersecurity firm leveraged phishing emails with links to malicious payloads that culminated in the deployment of the NetWire remote access trojan (RAT), which had its infrastructure taken down early last year following a law enforcement operation.

The new attack chain observed by Morphisec involves the use of a RAR archive attachment that, when extracted, contains two LNK files and a decoy PDF document, with the latter claiming to be an invitation to a video conference and urging the recipients to click on the LNK files to get the meeting agenda and the email distribution list.

Opening either of the LNK files triggers the execution of a binary hosted on a WebDAV server, which leads to the launch of an obfuscated Windows batch script. The script, in turn, is designed to run an AutoIt script that ultimately injects the final payload, at the same time bypassing security software and analysis attempts.

"This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT," Osipov said. "While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in a couple of hacking forums."

The end goal of the campaign is to deliver commodity RATs and information stealer malware such as Rhadamanthys and Ozone RAT.

"While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain," Osipov said.

The development comes as BI.ZONE revealed an activity cluster codenamed Sapphire Werewolf that has been attributed as behind more than 300 attacks on Russian education, manufacturing, IT, defense, and aerospace engineering sectors using Amethyst, an offshoot of the popular open-source SapphireStealer.

The Russian company, in March 2024, also uncovered clusters referred to as Fluffy Wolf and Mysterious Werewolf that have used spear-phishing lures to distribute Remote Utilities, XMRig miner, WarZone RAT, and a bespoke backdoor dubbed RingSpy.

"The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources," it noted. "The backdoor's [command-and-control] server is a Telegram bot."
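The chain described above (an LNK launching an executable hosted on a WebDAV server, then an obfuscated batch script, then an AutoIt interpreter) leaves a recognisable parent-child pattern in process-creation telemetry. The following detection logic is an added example, not code from Morphisec or The Hacker News; the event tuples are constructed samples, and the only assumption it keys on is the Windows convention of mapping WebDAV shares to UNC paths of the form \\host@port\DavWWWRoot\.

```python
import re

# Windows exposes WebDAV shares as UNC paths such as \\host@80\DavWWWRoot\...
# or \\host@SSL@443\DavWWWRoot\...; this matches that shape (assumption).
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+\\DavWWWRoot\\", re.IGNORECASE)

# Constructed process-creation events in the style of a Sysmon Event ID 1 export:
# (pid, ppid, image path, command line). Not telemetry from the real campaign;
# 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    (1200, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1300, 1200, r"\\203.0.113.10@80\DavWWWRoot\meeting\agenda.exe", "agenda.exe"),
    (1400, 1300, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    (1500, 1400, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe", "AutoIt3.exe s.a3x"),
    # Benign control: a tool run from an ordinary SMB share is not flagged.
    (1600, 1200, r"\\fileserver\share\tool.exe", "tool.exe"),
]


def descendants(events, pid):
    """Yield every event spawned, directly or transitively, by `pid`."""
    for event in events:
        if event[1] == pid:
            yield event
            yield from descendants(events, event[0])


def flag_webdav_chain(events):
    """Return one finding per process whose image lives on a WebDAV path,
    listing which later stages of the chain were observed beneath it."""
    findings = []
    for pid, _ppid, image, _cmd in events:
        if not WEBDAV_UNC.match(image):
            continue
        stages = ["webdav_exec"]
        for _, _, child_image, child_cmd in descendants(events, pid):
            name = child_image.rsplit("\\", 1)[-1].lower()
            if name == "cmd.exe" and ".bat" in child_cmd.lower():
                stages.append("batch")          # obfuscated batch stage
            elif name.startswith("autoit3") and name.endswith(".exe"):
                stages.append("autoit")         # AutoIt interpreter stage
        findings.append({"pid": pid, "image": image, "stages": stages})
    return findings


if __name__ == "__main__":
    for finding in flag_webdav_chain(SAMPLE_EVENTS):
        print(finding)
```

A WebDAV-launched executable alone is worth reviewing; the presence of all three stages under one parent is the higher-confidence signal.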