
Arsenal honed against Russia's government organizations

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Core Werewolf, a threat actor that has targeted Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. The campaign relies on RAR archives containing self-extracting (SFX) executables, which drop an obfuscated AutoIt script, a legitimate AutoIt interpreter, and a decoy PDF document. The loader gathers system information, exfiltrates it to a C2 server, and can download additional malicious payloads. The attackers use file names that match the content of the decoy documents to increase credibility. This campaign demonstrates the ongoing sophistication and adaptability of threat actors targeting Russian government organizations.

OPENCTI LABELS:

telegram, critical infrastructure, loader, government, autoit, sfx executables, rar archives

