
Sapphire Werewolf – Threat Actor

January 23, 2025
in Threat Actors

Sapphire Werewolf

Location

Unknown

Date of initial activity

2024

Suspected Attribution

Unknown

Government Affiliation

No

Motivation

Cyberwarfare
Data Theft

Associated Tools

Amethyst (an offshoot of SapphireStealer)
MicrosoftEdgeUpdate.exe (for persistence and downloading additional payloads)
FunnyCat.Microsoft.Win32.TaskScheduler.dll (for task scheduling)
Telegram Bot (for C2 communications and data exfiltration)

Software

Windows

Overview

Sapphire Werewolf is a sophisticated threat actor that has emerged as a significant player in the cyber espionage landscape since March 2024. This cluster of malicious activity targets a wide range of Russian industries, including education, manufacturing, IT, defense, and aerospace engineering. With a focus on acquiring sensitive employee authentication data, Sapphire Werewolf employs a blend of tactics that leverage both open-source and custom-built malware tools. Their primary weapon of choice is Amethyst, a modified version of the SapphireStealer open-source tool, designed to infiltrate systems through meticulously crafted phishing campaigns.

Common targets

Sapphire Werewolf primarily targets industries within Russia, including:
  • Education
  • Manufacturing
  • IT
  • Defense
  • Aerospace Engineering

Attack Vectors

Phishing

Software Vulnerabilities

How they operate

The attack lifecycle initiated by Sapphire Werewolf begins with a phishing campaign that employs deceptive emails to lure victims into downloading malicious attachments. These emails often come disguised as seemingly benign documents such as enforcement orders or official decrees. Once the recipient opens the attachment, a payload embedded within the file creates a hidden directory under %AppData%\Microsoft\EdgeUpdate, where it deposits a file named MicrosoftEdgeUpdate.exe. This file is crucial to the threat actor’s strategy, as it ensures the malware’s persistence by creating a scheduled task in Windows Task Scheduler. This task, cleverly named MicrosoftEdgeUpdateTaskMachineCore, is set to execute every 60 minutes, thereby maintaining the malware’s foothold on the system.

Upon execution, the malware performs several actions to secure its position within the victim’s network. It writes a decoy document to distract the user while it runs the Amethyst stealer. This stealer, a modified version of SapphireStealer, is designed to harvest a wide array of sensitive information. It collects credentials, cookies, and configuration files from various applications and browsers, including popular ones like Chrome, Opera, and Firefox. Additionally, the stealer targets files from Telegram Desktop and removable media, archiving them for exfiltration.

The data collection process involves creating a UUID-named folder in a temporary directory, where all collected information is stored. After gathering the data, the stealer compresses it into an encrypted archive and sends it to a Command and Control (C2) server through a Telegram bot. This communication is secured through multiple Telegram tokens and user IDs to ensure persistent access even if primary tokens become unavailable. The stealer also retrieves additional control server addresses by scraping Telegram channels, further enhancing its operational flexibility.
Sapphire Werewolf’s choice of Amethyst and the methodical approach to data collection and exfiltration highlight the group’s capability to adapt and refine existing tools to meet their objectives. Their use of established software libraries and scheduled tasks to achieve persistence demonstrates a clear understanding of evasion techniques, making detection and mitigation challenging for targeted organizations.
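The persistence described above (a task named after the Edge updater whose executable lives under %AppData% instead of the updater's install directory) is something a defender can hunt for in scheduled-task inventory. The following Python check is an added example, not code from the article or from the referenced report: it walks task records in the shape of `schtasks /query /fo CSV /v` output and flags any task that borrows the Edge updater's name or directory but does not execute from Program Files. The sample rows, the reduced column set and the Program Files location assumed for the genuine updater are all constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed sample rows in the shape of `schtasks /query /fo CSV /v` output,
# reduced to four columns (column names assumed to follow that format).
# Row 1 looks like a genuine updater task, row 2 mirrors the persistence
# described in the article, row 3 is a legitimate per-user updater that must
# not be flagged, and row 4 is a differently named task using the same directory.
SAMPLE_TASKS_CSV = r"""TaskName,Task To Run,Run As User,Repeat: Every
\MicrosoftEdgeUpdateTaskMachineCore{A1B2C3D4-0000-0000-0000-000000000000},C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c,SYSTEM,"1 Hour(s), 0 Minute(s)"
\MicrosoftEdgeUpdateTaskMachineCore,C:\Users\alice\AppData\Roaming\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,alice,"1 Hour(s), 0 Minute(s)"
\OneDrive Standalone Update Task,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,alice,Disabled
\SystemUpdate,%APPDATA%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,alice,"0 Hour(s), 60 Minute(s)"
"""

# Assumption: the genuine Microsoft Edge updater is installed under Program Files
# (or Program Files (x86)); anything else claiming to be it is a lookalike.
LEGIT_ROOT_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)

# Matches both the file name (MicrosoftEdgeUpdate.exe) and the directory form
# (\Microsoft\EdgeUpdate\) in either a task name or an executable path.
EDGE_UPDATE_RE = re.compile(r"microsoft\\?edgeupdate", re.IGNORECASE)


def executable_path(task_to_run: str) -> str:
    """Return the executable portion of a 'Task To Run' value, dropping any arguments."""
    value = task_to_run.strip()
    if value.startswith('"'):
        closing = value.find('"', 1)
        return value[1:closing] if closing > 0 else value[1:]
    # Unquoted paths may contain spaces, so cut at the first '.exe' followed by
    # whitespace or end of string rather than at the first space.
    match = re.match(r"(.+?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return match.group(1) if match else value


def is_suspicious(task: dict) -> tuple[bool, str]:
    """Flag a task that uses the Edge updater's name or directory but runs outside Program Files."""
    exe = executable_path(task["Task To Run"])
    edge_lookalike = bool(EDGE_UPDATE_RE.search(task["TaskName"]) or EDGE_UPDATE_RE.search(exe))
    if edge_lookalike and not LEGIT_ROOT_RE.match(exe):
        return True, f"Edge-updater lookalike executing outside Program Files: {exe}"
    return False, ""


def scan_tasks(csv_text: str) -> list[dict]:
    """Parse schtasks-style CSV text and return one finding per suspicious task."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit, reason = is_suspicious(row)
        if hit:
            findings.append({
                "task": row["TaskName"],
                "exe": executable_path(row["Task To Run"]),
                "user": row["Run As User"],
                "interval": row["Repeat: Every"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS_CSV):
        print(f"[!] {finding['task']} (user={finding['user']}, every={finding['interval']})")
        print(f"    {finding['reason']}")
```

The match is deliberately on name and location rather than on the 60-minute interval, since the interval is the attacker's choice and a genuine updater task may use the same cadence; the interval is carried into the finding only as analyst context. On hosts where the scheduled-task inventory is not already collected, Windows Security event 4698 (scheduled task created) with task-creation auditing enabled gives the same name and command line at creation time, which is the point at which this persistence first appears.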

MITRE Tactics and Techniques

  • Phishing – T1566: The threat actor uses phishing emails with T.LY links to deliver the Amethyst stealer.
  • Scheduled Task/Job – T1053: The adversaries create a scheduled task in Windows Task Scheduler to maintain persistence.
  • Masquerading – T1036: The malware disguises itself as legitimate files, such as MicrosoftEdgeUpdate.exe.
  • Data Staged – T1074: Collected data is stored in a UUID-named folder before being sent to the C2 server.
  • Data Exfiltration – T1041: Data is exfiltrated via a Telegram bot, including sensitive files and credentials.
  • Command and Control – T1071: Communication with the C2 server is conducted through Telegram.
References:
  • Sapphire Werewolf polishes Amethyst stealer to attack over 300 companies
Tags: Aerospace Engineering, Amethyst Stealer, Defense, Education, IT, Manufacturing, Microsoft, Phishing, Russia, Sapphire Werewolf, Telegram, Threat Actors, Windows