Tuesday, June 17, 2025

Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises


The threat actor referred to as Rare Werewolf (previously Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries.

"A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said. "The malicious functionality of the campaign described in this article is implemented by command files and PowerShell scripts."

The intent of the attacks is to establish remote access to compromised hosts, siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan.

Rare Werewolf, also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of striking organizations in Russia and Ukraine. It is believed to be active at least since 2019.

According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents and Telegram messenger data, and to drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software.

The latest set of attacks documented by Kaspersky reveals the use of phishing emails as a malware delivery vehicle, using password-protected archives containing executable files as a starting point to activate the infection.

Present within the archive is an installer that is used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy PDF document that mimics a payment order.

"This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system," Kaspersky said.


These intermediate payloads are then used to fetch additional files from a remote server, including Defender Control and Blat, a legitimate utility for sending stolen data to an attacker-controlled email address over SMTP. The attacks are also characterized by the use of the AnyDesk remote desktop software, and a Windows batch script to facilitate data theft and the deployment of the miner.

A salient aspect of the batch script is that it launches a PowerShell script that includes capabilities for automatically waking up the victim system at 1 a.m. local time and allowing the attackers remote access to it for a four-hour window via AnyDesk. The machine is then shut down at 5 a.m. by means of a scheduled task.
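The wake-at-1-a.m. / remote-access / 5-a.m.-shutdown pattern described above is one a defender can hunt for in Task Scheduler data. The script below is an added example, not code from the article or from Kaspersky: it parses task XML (the format Windows stores under C:\Windows\System32\Tasks and that `schtasks /query /xml` prints) and surfaces tasks showing at least two of: WakeToRun enabled, a trigger between midnight and 5 a.m., or an action invoking AnyDesk, Blat, shutdown or PowerShell. The watch list, the scoring rule and the two sample tasks are constructed assumptions.

```python
r"""Added hunt helper (not from the article or Kaspersky): parse Task Scheduler XML
and flag tasks matching the wake-at-night / remote-access / shutdown pattern."""
import xml.etree.ElementTree as ET
from datetime import time

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries the article ties to the campaign; which ones to watch is an assumption.
WATCH_BINARIES = ("anydesk", "blat", "shutdown", "powershell")
NIGHT_START, NIGHT_END = time(0, 0), time(5, 0)  # inclusive window to inspect

def analyze_task(xml_text: str) -> dict:
    """Return wake/trigger/action facts plus a verdict for one task XML document."""
    root = ET.fromstring(xml_text)
    wake = root.findtext("t:Settings/t:WakeToRun", default="false",
                         namespaces=NS).strip().lower() == "true"
    night = []
    for sb in root.iterfind(".//t:Triggers/*/t:StartBoundary", NS):
        # StartBoundary is local time such as 2025-06-17T01:00:00; keep HH:MM:SS.
        t = time.fromisoformat(sb.text.strip().split("T", 1)[1][:8])
        if NIGHT_START <= t <= NIGHT_END:
            night.append(t.strftime("%H:%M"))
    cmds = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        cmds.append(f"{cmd} {args}".strip())
    flagged = [c for c in cmds if any(b in c.lower() for b in WATCH_BINARIES)]
    # Any two of the three traits are enough to surface the task for review.
    score = int(wake) + int(bool(night)) + int(bool(flagged))
    return {"wake_to_run": wake, "night_triggers": night,
            "commands": cmds, "flagged": flagged, "suspicious": score >= 2}

# Constructed samples: a wake-up task that launches a script at 1 a.m., and a
# routine maintenance task that merely happens to run at night.
WAKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-17T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-File C:\Users\Public\night.ps1</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-17T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>C:\Windows\System32\defrag.exe</Command>
    <Arguments>C: /O</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print({n: analyze_task(d)["suspicious"] for n, d in (("wake", WAKE_TASK), ("benign", BENIGN_TASK))})
```

On a real system, feed each file under C:\Windows\System32\Tasks to analyze_task and review anything returned with suspicious set, together with the associated shutdown task and any AnyDesk installation it pairs with.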

"It's a common technique to leverage third-party legitimate software for malicious purposes, which makes detecting and attributing APT activity more difficult," Kaspersky said. "All the malicious functionality still relies on the installer, command, and PowerShell scripts."

The disclosure comes as Positive Technologies revealed that a financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian entities using LockBit 3.0 ransomware. DarkGaboon, first discovered in January 2025, is said to be operational since May 2023.

The attacks, the company said, employ phishing emails bearing archive files containing RTF bait documents and Windows screensaver files to drop the LockBit encryptor and trojans like XWorm and Revenge RAT. The use of readily available tooling is seen as an attempt on the part of the attackers to blend in with broader cybercriminal activity and challenge attribution efforts.


"DarkGaboon is not a client of the LockBit RaaS service and acts independently, as indicated by the use of a publicly available version of the LockBit ransomware, the absence of traces of data exfiltration in the attacked companies, and the typical threats to publish stolen information on the [data leak site] portal," Positive Technologies researcher Victor Kazakov said.
