Sticky Werewolf – Threat Actor

January 23, 2025
in Threat Actors

Sticky Werewolf

Location

Ukraine (Uncertain)

Date of initial activity

2023

Suspected Attribution

Unknown

Government Affiliation

No

Associated Groups

Cloud Werewolf
Quartz Wolf
Red Wolf
Scaly Wolf
Inception
Cloud Atlas
RedCurl
Mysterious Werewolf

Motivation

Cyberwarfare

Associated Tools

CypherIT Loader/Crypter
AutoIt Scripts
NSIS Self-Extracting Archives
Batch Scripts
Rhadamanthys Stealer
Ozone RAT
MetaStealer
DarkTrack
NetWire

Software

Windows

Overview

Sticky Werewolf, a cyber threat group first identified in April 2023, has emerged as a sophisticated and elusive adversary with a penchant for high-profile targets. Despite the ambiguity surrounding their geographical origin and affiliations, the group’s operational patterns and target selection suggest they are driven by geopolitical motives or hacktivist objectives. Their initial focus on public sector organizations in Russia and Belarus has since expanded to include diverse sectors, notably pharmaceuticals and aerospace, reflecting a broadening scope and escalating sophistication in their cyber operations.

Common targets

  • Public Organizations in Russia and Belarus: Their early activities focused on public sector entities in these countries, suggesting an interest in geopolitical intelligence or local governmental affairs.
  • Pharmaceutical Companies: They have targeted pharmaceutical firms, potentially aiming to access sensitive research data, proprietary information, or intellectual property related to medical advancements.
  • Research Institutes: Particularly those involved in microbiology and vaccine development. This indicates a focus on scientific and technological advancements, possibly for espionage or competitive advantage.
  • Aerospace Industry: Recent campaigns have targeted organizations in the aerospace sector, including companies involved in the production and maintenance of aircraft and spacecraft. This reflects a strategic interest in aerospace technologies and defense-related information.
  • Defense Sector: Their operations have also extended to defense-related entities, aligning with their broader geopolitical and espionage objectives.

Attack Vectors

Phishing

Credential-based Attacks

How they operate

Phishing Email Execution

The Sticky Werewolf campaign begins with a meticulously crafted phishing email, masquerading as a legitimate business communication. In their latest attack, the email claims to be from the First Deputy General Director of AO OKB Kristall, a Moscow-based aerospace firm. This email entices recipients in the aerospace and defense sectors to engage in a seemingly routine video conference. The attachment, however, is a password-protected archive file that, once extracted, reveals a set of malicious components. The deception lies in the file’s appearance: it includes decoy documents, such as PDFs and LNK files, designed to mislead users into executing harmful payloads.

Malicious Archive and Payload Delivery

Upon extraction, the archive presents multiple files, including LNK files that point to malicious payloads hosted on WebDAV servers. The LNK files are crafted to execute a series of commands when clicked. The first LNK file, disguised as a meeting agenda, initiates a chain of processes designed to establish persistence and obfuscate the attack. It adds a registry entry to ensure the execution of a malicious executable from a network share upon system startup. Simultaneously, it displays a false error message to divert attention while copying decoy files from network shares. The second LNK file, masquerading as a mailing list, executes a command that runs a similar executable but uses different network paths, further complicating detection and analysis. This executable is a variant of the CypherIT crypter, which has been utilized in previous campaigns. It functions as an NSIS self-extracting archive, deploying a series of malicious files into the system’s temporary internet cache directory.

Execution and Obfuscation

The core component of Sticky Werewolf’s malware is a sophisticated batch script executed by the crypter. This script performs several critical functions: it delays execution if certain security processes are detected, changes filenames to evade detection, and concatenates files for further obfuscation. It also executes an AutoIt script that performs anti-analysis checks and establishes persistence. The AutoIt script is designed to bypass security measures and ensure the malware’s survival on the infected system.

Payload Injection and Final Stages

The AutoIt script is equipped with capabilities to handle various evasion techniques, including detecting and counteracting security emulators and replacing critical system files to prevent analysis. It employs RC4 encryption to decrypt the final payload, which is then injected into a legitimate AutoIt process using process hollowing techniques. This payload typically includes commodity RATs or stealers, such as Rhadamanthys Stealer and Ozone RAT, facilitating extensive espionage and data exfiltration.
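Two of the stages described above leave artifacts a defender can check for without any malware analysis: an e-mailed archive that carries LNK files next to same-named document decoys, and an autorun entry that launches an executable from a network share, a WebDAV path, or the browser cache directory. The script below is an added triage example written for this profile; it is not code from the original report or from the researchers who analysed the campaign. The archive listing and the Run-key style entries it scans are constructed samples (the value names, host 203.0.113.10, and file paths are placeholders, not indicators from the report). The registry key named in the comment, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, is the real location of per-user Run values referenced by T1547.001 in the technique list below.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Stage 1: files extracted from the phishing archive.
# Constructed listing; the names are illustrative, not indicators from the report.
SAMPLE_ARCHIVE_LISTING = [
    "Meeting agenda.pdf",
    "Meeting agenda.lnk",
    "Mailing list.lnk",
    "logo.png",
]

DECOY_SUFFIXES = (".pdf", ".doc", ".docx", ".png", ".jpg")


def flag_lnk_with_decoys(names: List[str]) -> List[Tuple[str, bool]]:
    """Return each .lnk entry with a flag saying whether a decoy shares its stem.

    An LNK shipped inside an e-mailed archive is unusual on its own; an LNK
    whose name mirrors a document next to it is the pairing described above.
    """
    decoy_stems = {
        n.lower().rsplit(".", 1)[0] for n in names if n.lower().endswith(DECOY_SUFFIXES)
    }
    flagged = []
    for name in names:
        if name.lower().endswith(".lnk"):
            stem = name.lower().rsplit(".", 1)[0]
            flagged.append((name, stem in decoy_stems))
    return flagged


# Stage 2: autorun entries, e.g. values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001), exported as
# "<value name> = <command line>". Constructed samples, not report indicators.
SAMPLE_RUN_ENTRIES = [
    r"OneDrive = C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"Agenda = \\203.0.113.10\share\agenda.exe",
    r"DavSync = \\example.test@SSL\DavWWWRoot\docs\update.exe",
    r"Cache = C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\svc.exe",
    r"SecurityHealth = C:\Windows\System32\SecurityHealthSystray.exe",
]

# UNC path of the form \\host\share\...
UNC_RE = re.compile(r"\\\\[^\\\s]+\\\S+")
# WebDAV redirector conventions (host@SSL, DavWWWRoot) or a bare URL
WEBDAV_RE = re.compile(r"@SSL|DavWWWRoot|https?://", re.IGNORECASE)
# Executable launched from the browser cache directory
INETCACHE_RE = re.compile(r"\\INetCache\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str]


def parse_entry(line: str) -> Tuple[str, str]:
    """Split 'name = command' on the first '=' (commands may contain '=' later)."""
    name, sep, command = line.partition("=")
    if not sep:
        raise ValueError(f"not a 'name = command' line: {line!r}")
    return name.strip(), command.strip()


def assess_command(command: str) -> List[str]:
    """Return the reasons an autorun command line deserves analyst attention."""
    reasons = []
    if WEBDAV_RE.search(command):
        reasons.append("webdav_path")
    if UNC_RE.search(command):
        reasons.append("network_share")
    if INETCACHE_RE.search(command):
        reasons.append("inetcache_launch")
    return reasons


def triage_run_entries(lines: List[str]) -> List[Finding]:
    """Keep only the entries that trip at least one heuristic."""
    findings = []
    for line in lines:
        name, command = parse_entry(line)
        reasons = assess_command(command)
        if reasons:
            findings.append(Finding(name, command, reasons))
    return findings


if __name__ == "__main__":
    for lnk, has_decoy in flag_lnk_with_decoys(SAMPLE_ARCHIVE_LISTING):
        print(f"LNK in archive: {lnk} (same-named decoy: {has_decoy})")
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"autorun {f.name!r} -> {', '.join(f.reasons)}: {f.command}")
```

On a live Windows host the same "name = command" lines can be produced by enumerating the Run key with the standard library's winreg module and fed to triage_run_entries unchanged; the heuristics are deliberately coarse, so a hit is a triage lead for an analyst rather than a verdict.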

MITRE Tactics and Techniques

  • Phishing (T1566)
  • Spear Phishing Attachment (T1566.001)
  • Command-Line Interface (T1059)
  • Obfuscated Files or Information (T1027)
  • Process Injection (T1055)
  • Scheduled Task/Job (T1053)
  • Registry Run Keys / Startup Folder (T1547.001)
  • Persistence (T1543.003)
  • Network Share Discovery (T1135)
  • Data Staged (T1074)
  • Exfiltration Over Command and Control Channel (T1041)

Impact / Significant Attacks

  • Pharmaceutical Industry Attack: Sticky Werewolf targeted a prominent pharmaceutical company, compromising sensitive research and development data. This attack exemplifies their focus on sectors with valuable intellectual property and potential for significant impact.
  • Russian Research Institute Attack: The group targeted a Russian research institute specializing in microbiology and vaccine development. This attack underscores Sticky Werewolf’s interest in high-profile and high-value targets, particularly those involved in sensitive scientific research.
  • Aviation Industry Campaign: In a recent campaign, Sticky Werewolf targeted the aviation industry with a sophisticated phishing scheme. The attack involved emails disguised as communications from the First Deputy General Director of AO OKB Kristall, aiming to exploit vulnerabilities within the aerospace and defense sector.
  • European Government Entities: Sticky Werewolf has also been linked to attacks on government entities in Europe. These attacks involved targeted phishing campaigns and data exfiltration efforts, reflecting the group’s broader geopolitical motivations and their aim to access sensitive governmental information.

References:
  • Howling at the Inbox: Sticky Werewolf’s Latest Malicious Aviation Attacks
  • Expanding Cyber Threats: Sticky Werewolf Targets Russia and Belarus
Tags: Aerospace, Belarus, Hacktivist, Pharmaceuticals, Phishing, Russia, Sticky Werewolf, Threat Actors, Ukraine
© 2025 | CyberMaterial | All rights reserved