Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

Jun 10, 2025 | Ravie Lakshmanan | Cryptocurrency / Malware

The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries.

"A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said. "The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts."

The intent of the attacks is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan.

Rare Werewolf, also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of striking organizations in Russia and Ukraine. It is believed to have been active since at least 2019.

According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents and Telegram messenger data, and to drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software.

The latest set of attacks documented by Kaspersky reveals the use of phishing emails as a malware delivery vehicle, with password-protected archives containing executable files serving as the starting point of the infection.

Present within the archive is an installer that is used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy PDF document that mimics a payment order.

"This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system," Kaspersky said.

These intermediate payloads are then used to fetch additional files from a remote server, including Defender Control and Blat, a legitimate utility that is abused to send stolen data to an attacker-controlled email address over SMTP. The attacks are also characterized by the use of the AnyDesk remote desktop software and a Windows batch script to facilitate data theft and the deployment of the miner.

A salient aspect of the batch script is that it launches a PowerShell script that includes capabilities for automatically waking up the victim system at 1 a.m. local time and allowing the attackers remote access to it for a four-hour window via AnyDesk. The machine is then shut down at 5 a.m. via a scheduled task.
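As an added defender-side example (not code from the article, Kaspersky, or the actor), the PowerShell hunt below lists scheduled tasks on a host that combine the traits described above: permission to wake the machine, triggers in the small hours, and actions that launch AnyDesk, shutdown.exe, Blat, or a script host. The binary watch-list and the two-indicator threshold are assumptions chosen here for illustration.

```powershell
# Added hunt script, not from the report. Run as an administrator on the host being triaged.
# Assumption: the watch-list below is built from tools the article names plus the Windows
# shutdown utility; tune it and the threshold to the environment.
$SuspectBinaries = @('anydesk', 'shutdown', 'blat', 'powershell', 'cmd')

function Get-SuspiciousWakeTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $reasons = @()

        # 1. Tasks permitted to wake the machine from sleep are rare outside Windows Update.
        if ($task.Settings.WakeToRun) { $reasons += 'WakeToRun enabled' }

        # 2. Actions that launch a remote-access tool, the shutdown utility, or a script host.
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".ToLower()
            foreach ($bin in $SuspectBinaries) {
                if ($cmd -like "*$bin*") { $reasons += "action runs $bin" }
            }
        }

        # 3. Time triggers between midnight and 05:59, when no user should be at the keyboard.
        foreach ($trigger in $task.Triggers) {
            if ($trigger.StartBoundary) {
                $hour = ([datetime]$trigger.StartBoundary).Hour
                if ($hour -lt 6) { $reasons += "fires at $($hour):00 local" }
            }
        }

        # Report only tasks that combine two or more indicators; one alone is usually benign.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Reasons  = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }
}

Get-SuspiciousWakeTasks | Format-Table -AutoSize
```

Cross-check the output against Security event 4698 (scheduled task created) and `powercfg /waketimers` to see which tasks were registered recently and which ones currently hold a wake timer.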

"It's a common technique to leverage third-party legitimate software for malicious purposes, which makes detecting and attributing APT activity more difficult," Kaspersky said. "The whole malicious functionality still relies on the installer, command, and PowerShell scripts."

The disclosure comes as Positive Technologies revealed that a financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian entities using LockBit 3.0 ransomware. DarkGaboon, first discovered in January 2025, is said to have been operational since May 2023.

The attacks, the company said, employ phishing emails bearing archive files that contain RTF bait documents and Windows screensaver files to drop the LockBit encryptor and trojans like XWorm and Revenge RAT. The use of readily available tooling is seen as an attempt on the part of the attackers to blend in with broader cybercriminal activity and complicate attribution efforts.

"DarkGaboon is not a client of the LockBit RaaS service and acts independently, as indicated by the use of a publicly available version of the LockBit ransomware, the absence of traces of data exfiltration in the attacked companies, and the standard threats to publish stolen information on the [data leak site] portal," Positive Technologies researcher Victor Kazakov said.
