Rare Wolf Apt uses legal software in attacks against hundreds of Russian companies

June 10, 2025Ravi LakshmananCryptocurrency/Malware

The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyberattacks targeting Russia and the Commonwealth of Independent States (CIS) countries.

“A distinctive feature of this threat is that it supports attackers using legal third-party software in developing their malicious binaries,” Kaspersky said. “The malicious features of the campaign described in this article are implemented through command files and PowerShell scripts.”

The purpose of the attacks is to establish remote access to the compromised host, siphon credentials, and deploy the XMRig cryptocurrency miner. The activity has affected hundreds of Russian users across industrial companies and engineering schools, with smaller numbers of infections recorded in Belarus and Kazakhstan.

Rare Werewolf, also known as Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group with a track record of attacks on organizations in Russia and Ukraine. It is believed to have been active since at least 2019.

According to BI.ZONE, the threat actors use phishing emails to gain initial access, steal documents, and drop tools such as Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with infected systems, harvest passwords, and disable antivirus software.

The latest set of attacks documented by Kaspersky again uses phishing emails as the malware delivery vehicle, with password-protected archives containing executables serving as the starting point of the infection chain.

Residing in the archive is an installer that deploys a legitimate tool called 4t Tray Minimizer, along with other payloads that include decoy PDF documents mimicking payment orders.

“The software can minimize application execution into the system tray, allowing attackers to obscure their existence on the compromised system,” Kaspersky said.

These intermediate payloads are used to retrieve additional files from remote servers, such as Defender Control and Blat, the latter a legitimate command-line utility that the attackers use to send stolen data via SMTP to attacker-controlled email addresses. The attacks are also characterized by the use of the AnyDesk remote desktop software and by Windows batch scripts that facilitate data theft and miner deployment.

A notable aspect of the batch scripting is that it launches a PowerShell script that automatically wakes the victim system at 1am local time, giving the attackers a four-hour window of remote access via AnyDesk. A scheduled task then shuts the machine down at 5am.
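The wake-at-1am / shut-down-at-5am pattern above is unusual enough that a defender can hunt for it directly in scheduled-task definitions. The following is an added example, not code from the original article or from Kaspersky's research. It assumes tasks exported in the standard Task Scheduler XML schema (as produced by `schtasks /query /xml` or `Export-ScheduledTask`), uses constructed sample tasks, and takes the list of suspect executables from the tools named in this article; the quiet-hours window (`quiet_start`, `quiet_end`) is an assumed threshold to tune per environment.

```python
"""Flag scheduled tasks that match the off-hours remote-access pattern:
WakeToRun combined with a trigger in the quiet hours, and/or an action that
launches a remote-access, exfiltration or shutdown utility."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Default namespace used by every Task Scheduler XML export.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executables worth a second look when launched from a task (names taken from
# the article: AnyDesk for remote access, Blat for SMTP exfiltration,
# shutdown.exe for the 5am power-off). Substring matching is deliberately loose.
SUSPECT_BINARIES = ("anydesk", "blat", "shutdown")


def parse_task(xml_text):
    """Extract WakeToRun, trigger start times and action command lines."""
    root = ET.fromstring(xml_text)
    wake = root.findtext("t:Settings/t:WakeToRun", default="false",
                         namespaces=NS).strip().lower() == "true"
    starts = [datetime.fromisoformat(sb.text.strip())
              for sb in root.iterfind(".//t:Triggers//t:StartBoundary", NS)]
    commands = []
    for exec_ in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS)
        args = exec_.findtext("t:Arguments", default="", namespaces=NS)
        commands.append((cmd + " " + args).strip())
    return {"wake": wake, "starts": starts, "commands": commands}


def assess_task(xml_text, quiet_start=0, quiet_end=6):
    """Return the reasons a task looks suspicious (empty list means clean)."""
    info = parse_task(xml_text)
    reasons = []
    off_hours = [s for s in info["starts"] if quiet_start <= s.hour < quiet_end]
    if info["wake"] and off_hours:
        reasons.append("WakeToRun with off-hours trigger at "
                       + off_hours[0].strftime("%H:%M"))
    for cmd in info["commands"]:
        low = cmd.lower()
        hit = next((b for b in SUSPECT_BINARIES if b in low), None)
        if hit:
            reasons.append(f"action launches {hit}: {cmd}")
    return reasons


# Constructed sample tasks (not real artifacts from the campaign).
WAKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-06-10T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions><Exec><Command>C:\ProgramData\AnyDesk\AnyDesk.exe</Command></Exec></Actions>
</Task>"""

SHUTDOWN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-06-10T05:00:00</StartBoundary>
  </CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>shutdown.exe</Command><Arguments>/s /t 0</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-06-10T09:00:00</StartBoundary>
  </CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>C:\Windows\System32\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("wake", WAKE_TASK), ("shutdown", SHUTDOWN_TASK),
                           ("benign", BENIGN_TASK)):
        print(name, "->", assess_task(xml_text) or "clean")
```

On a live host, feed the function the output of `schtasks /query /xml /tn <task>` for each task; the wake-plus-shutdown pair showing up on the same machine is the signal to correlate with AnyDesk process and network activity in the 1am to 5am window.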

“Utilizing third-party legal software for malicious purposes is a common technique, making detection and attribution of APT activities more difficult,” Kaspersky said. “All malicious features still rely on installers, commands, and PowerShell scripts.”

The disclosure comes as Positive Technologies revealed that a financially motivated cybercrime group called DarkGaboon is targeting Russian entities with LockBit 3.0 ransomware. DarkGaboon, first discovered in January 2025, is said to have been operating since May 2023.

The attacks use phishing emails carrying RTF lure documents and archive files containing Windows screensaver files to drop the LockBit encryptor and trojans such as XWorm and Revenge RAT. The attackers' use of readily available tools is seen as an attempt to blend in with the wider range of cybercriminal activity and to complicate attribution efforts.

“DarkGaboon is not a client of the LockBit RaaS service and acts independently, as demonstrated by the use of public versions of LockBit ransomware, the lack of traces of data extraction in the attacked companies, and the absence of traditional threats of exposing stolen information on a [data leak site] portal,” Positive Technologies researcher Victor Kazakov said.