The threat actor known as Rare Werewolf (previously Rare Wolf) has been associated with a series of cyberattacks aimed at Russia and the Commonwealth of Independent States (CIS).
“A distinctive feature of this threat is that the attackers prefer legitimate software,” Kaspersky noted. “The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts.”
The aim of the attacks is to establish remote access to the compromised hosts, siphon credentials, and deploy the XMRig cryptocurrency miner. The activity has affected hundreds of Russian users, spanning industrial enterprises and engineering schools, with fewer infections also recorded in Belarus and Kazakhstan.
Rare Werewolf, also known as Librarian Ghouls and Rezet, is the name given to a group with a track record of targeting organizations in Russia and Ukraine. It is believed to have been active since at least 2019.
According to BI.ZONE, the threat actor obtains initial access through phishing emails, which it uses to steal documents and Telegram messenger data and to drop MIPKO Employee Monitor, WebBrowserPassView and Defender Control in order to interact with the infected system, harvest passwords and disable antivirus software.
The latest set of attacks documented by Kaspersky shows the use of phishing emails as the vehicle for delivering malware, with password-protected archives containing executable files serving as the starting point of the infection.
The archive contains an installer used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy document that mimics a payment order.
“This software can minimize running applications to the system tray, which allows the attackers to obscure their presence on the compromised system,” Kaspersky said.
These intermediate payloads are used to obtain additional files from a remote server, including Defender Control and Blat, a legitimate utility for sending stolen data to an attacker-controlled email address via SMTP. The attacks are also characterized by the use of the AnyDesk remote desktop software and Windows batch scripts to facilitate data theft and miner deployment.
A notable aspect of the batch script is that it launches a PowerShell script with the capability to automatically wake victim systems at 1 a.m. local time and give the attackers remote access through AnyDesk during a four-hour window. The machine is then shut down at 5 a.m. by a scheduled task.
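As an added illustration from a defender's side (this is not Kaspersky's code and not an artifact from the campaign), the following Python hunts exported Windows Task Scheduler definitions for the pattern just described: a task that wakes the host in the early hours and launches a remote-access tool, and a separate task that shuts the machine down. The task XML samples are constructed for the example, and the off-hours window (00:00 to 05:59) and the list of watched binaries are assumptions, not values from the article.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumptions for this hunt: "off-hours" means 00:00-05:59 local time, and
# these are the binaries that power the host down or hand out remote access.
OFF_HOURS = range(0, 6)
WATCHED_BINARIES = {"shutdown.exe", "anydesk.exe"}


def parse_task(xml_text: str) -> dict:
    """Pull trigger hours, the WakeToRun flag and executed binaries from one task."""
    root = ET.fromstring(xml_text)
    wake = root.findtext("t:Settings/t:WakeToRun", default="false", namespaces=NS)
    hours = [datetime.fromisoformat(e.text.strip()).hour
             for e in root.iterfind(".//t:StartBoundary", NS) if e.text]
    exes = []
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip().strip('"')
        # Keep only the file name so both full paths and bare names compare.
        exes.append(raw.replace("\\", "/").rsplit("/", 1)[-1].lower())
    return {"wake_to_run": wake.strip().lower() == "true",
            "start_hours": hours, "executables": exes}


def score_task(task: dict) -> list:
    """Return the reasons a task matches the off-hours pattern; [] means clean."""
    reasons = []
    off = [h for h in task["start_hours"] if h in OFF_HOURS]
    if not off:
        return reasons
    if task["wake_to_run"]:
        reasons.append("wakes the host at %02d:00" % off[0])
    for exe in task["executables"]:
        if exe in WATCHED_BINARIES:
            reasons.append("runs %s at %02d:00" % (exe, off[0]))
    return reasons


def hunt(tasks: dict) -> dict:
    """Map task name -> reasons for every matching task; clean tasks are omitted."""
    findings = {}
    for name, xml_text in tasks.items():
        reasons = score_task(parse_task(xml_text))
        if reasons:
            findings[name] = reasons
    return findings


def _task_xml(start, wake, command, arguments=""):
    # Builds a minimal constructed task definition in the real schema layout.
    # Real exports start with an XML declaration and are UTF-16 on disk; open
    # those files with encoding="utf-16" before passing the text in here.
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>{wake}</WakeToRun></Settings>
  <Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed samples (not real campaign artifacts): one wake-and-remote task,
# one early-morning shutdown task and one benign midday task.
SAMPLE_TASKS = {
    "WakeAndRemote": _task_xml("2025-06-01T01:00:00", "true",
                               r"C:\Users\Public\AnyDesk.exe"),
    "NightlyShutdown": _task_xml("2025-06-01T05:00:00", "false",
                                 r"C:\Windows\System32\shutdown.exe", "/s /f /t 0"),
    "NoonCleanup": _task_xml("2025-06-01T12:00:00", "false",
                             r"C:\Windows\System32\cleanmgr.exe", "/sagerun:1"),
}

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same functions can be fed the output of `schtasks /query /xml /tn <name>` for each task, or the task files under `%SystemRoot%\System32\Tasks`; the scoring deliberately keys on the combination of off-hours trigger plus wake or shutdown behaviour rather than on AnyDesk alone, because AnyDesk is legitimately installed in many environments.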
“Using third-party legitimate software for malicious purposes is a common technique that makes detecting and attributing APT activity more complex,” Kaspersky said. “All malicious functionality still relies on installer, command and PowerShell files.”
The disclosure comes as Positive Technologies revealed that a financially motivated cybercrime group dubbed DarkGaboon is targeting Russian entities using LockBit 3.0 ransomware. DarkGaboon, first discovered in January 2025, is said to have been active since May 2023.
The attacks, the company notes, also make use of Revenge RAT. The use of readily available tooling is seen as an attempt by the attackers to blend in with broader cybercrime activity and to complicate attribution efforts.
“DarkGaboon is not a customer of the LockBit RaaS service and acts independently, as shown by the use of the publicly available version of the LockBit ransomware, the lack of traces of data exfiltration in the attacked companies, and the absence of the traditional threats to publish stolen information (on a data leak site),” said Positive Technologies researcher Victor Kazakov.