Manufacturing and engineering leap ahead of finance as prime cyber targets
According to BI.ZONE Threat Intelligence, since the beginning of 2025, manufacturing and engineering together have accounted for 12% of all cyberattacks. This places them second among the most targeted sectors—behind government organizations (13%) and ahead of finance and logistics (11% combined).
Currently, 63 activity clusters target Russian manufacturing and engineering enterprises, and 32 of these threat actors are primarily espionage-driven. Such adversaries typically develop and refine their own custom malware toolkits and build complex attack chains. Their objective is to remain undetected in a compromised infrastructure for as long as possible while exfiltrating sensitive data.
After clicking the link in a phishing email, victims were redirected to a website mimicking a corporate file-sharing platform. The page was styled and colored to match the legitimate website of the impersonated company. For added credibility, the “platform” displayed the organization’s logo, and the URL imitated the legitimate domain. From this page, a ZIP file was downloaded to the target device. The archive contained several equipment photos and a malicious LNK file disguised as an official PDF document.
When opened, this LNK file fetched a dropper from the C2 server and executed it. The dropper contained a decoy document (e.g., an official audit report or an internal investigation notice) and the Loki loader. The loader collected basic host information (device name, username, OS version, internal IP address), exfiltrated it, and then downloaded and executed the Loki implant. The implant acted as a remote access trojan (RAT), enabling the adversaries to covertly execute arbitrary commands on the compromised device.
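The delivery step above (a ZIP of equipment photos with a shortcut posing as a PDF) is something mail and file-sharing gateways can screen for before a user ever double-clicks. The following script is an added example written for this article; it is not BI.ZONE code and does not reproduce any sample from the campaign. It builds a constructed archive in memory with hypothetical file names, then flags entries that either carry a second extension in front of `.lnk` or begin with the Windows ShellLink header, regardless of what their name claims.

```python
"""Detect Windows shortcut (.lnk) files masquerading as documents inside a ZIP.

Added illustrative example, not code from BI.ZONE or from the campaign
described above. The archive scanned below is constructed in memory; every
file name in it is hypothetical.
"""
from __future__ import annotations

import io
import zipfile

# Every Windows shortcut starts with HeaderSize 0x0000004C (little-endian)
# followed by the ShellLink CLSID {00021401-0000-0000-C000-000000000046}
# in mixed-endian GUID byte order, as specified in MS-SHLLINK.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")

# Document/image extensions an attacker might place in front of ".lnk" so that
# Explorer (which hides ".lnk" by default) shows a harmless-looking name.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")


def find_disguised_lnk(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a disguised shortcut.

    Two independent signals are checked so that neither renaming nor a missing
    extension defeats the detection:
      * double_extension: name ends in ".lnk" and the part before it ends in a
        document/image extension (e.g. "report.pdf.lnk");
      * lnk_header: the first 20 bytes match the ShellLink header, whatever
        the file name says.
    """
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # short reads simply fail the match

            reasons = []
            if lower.endswith(".lnk") and lower[:-4].endswith(DOCUMENT_EXTS):
                reasons.append("double_extension")
            if head == LNK_MAGIC:
                reasons.append("lnk_header")

            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Construct a sample archive shaped like the lure in the article.

    Two benign JPEG stubs (starting with the JPEG SOI marker) and one shortcut
    whose name pretends to be a PDF. Names and contents are made up here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos/press_line_01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("photos/press_line_02.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        # Hypothetical lure name; body is a ShellLink header plus padding.
        zf.writestr("Audit_report_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_disguised_lnk(build_sample_archive()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])} ({finding['size']} bytes)")
```

In a gateway or sandbox pipeline the header check is the one to trust: a shortcut renamed to a plain `.pdf` still begins with the same 20 bytes, while the double-extension rule mainly catches the social-engineering trick of relying on Explorer hiding `.lnk`.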
Earlier in 2025, BI.ZONE Threat Intelligence uncovered another campaign targeting Russian manufacturing enterprises, which exploited a vulnerability in the widely used WinRAR archiver. Presumably, the threat actor purchased the respective exploit on an underground forum for approximately $80,000.
It is critical not only to detect attacks like those by Arcane Werewolf but also to neutralize them before they affect the infrastructure. This is where endpoint detection and response solutions, such as BI.ZONE EDR, can be of use. An organization can also leverage dedicated platforms like BI.ZONE Threat Intelligence to gain insights into ongoing cyberattacks, threat actors, and their tactics, techniques, tools, and exploited vulnerabilities. This intelligence helps organizations stay proactive and accelerate incident response.