Mysterious Werewolf develops a backdoor to strike Russian defense industry targets

The group now uses its own malware instead of the legitimate open‑source tool of the previous campaigns. This makes the new attacks harder to detect
March 12, 2024

The Mysterious Werewolf cluster was first detected in 2023 and has since undertaken at least three campaigns against Russian defense enterprises.

To compromise the target infrastructure, the threat actors send phishing emails that exploit CVE-2023-38831, a vulnerability in WinRAR. Each email carries an archive containing a decoy document, posing as an official letter from a government agency, and a malicious CMD file. Opening the decoy in WinRAR automatically runs the malicious file.

As a result, the victim's device is infected with RingSpy, a custom remote access backdoor that lets the adversaries execute commands on the compromised computer and download files from it. The attackers control the backdoor through a Telegram bot.
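As an added example (not code from BI.ZONE or the report), the following Python check inspects a ZIP archive listing for the file layout that CVE-2023-38831 abuses: a decoy whose name ends in a space next to a same-named directory holding a runnable file. The sample archives and the extension list are constructed for the example; nothing is extracted or executed.

```python
import io
import os
import zipfile

# File types a vulnerable WinRAR would launch in place of the decoy
# (constructed list for this example; extend to match local policy).
RUNNABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs", ".js", ".scr"}


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list:
    """Return (decoy, payload) pairs whose layout matches CVE-2023-38831.

    Layout: a decoy file "NAME.ext " (note the trailing space) sits next to
    a directory "NAME.ext /" containing "NAME.ext <anything>.cmd" or another
    runnable file. A vulnerable WinRAR runs that file when the user opens the
    decoy. Only the listing is read, so this is safe to run on mail gateways.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        names = [i.filename for i in archive.infolist() if not i.is_dir()]
    decoys = {n for n in names if n.endswith(" ")}
    hits = []
    for name in names:
        folder, sep, leaf = name.rpartition("/")
        if not sep or folder not in decoys:
            continue  # not inside a directory named like a decoy
        decoy_base = folder.rpartition("/")[2]
        ext = os.path.splitext(leaf)[1].lower()
        if leaf.startswith(decoy_base) and ext in RUNNABLE_EXTS:
            hits.append((folder, name))
    return hits


def build_sample_archive() -> bytes:
    """Constructed, inert archive reproducing the layout (no real script)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("letter.pdf ", b"%PDF-1.4 decoy placeholder")
        z.writestr("letter.pdf /letter.pdf .cmd", b"REM inert placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with an ordinary layout, expected to produce no hits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("letter.pdf", b"%PDF-1.4")
        z.writestr("notes/readme.txt", b"nothing to see")
    return buf.getvalue()
```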

Last November, Mysterious Werewolf used a similar scheme to attack Russian industrial companies. Back then, they gained remote access with the help of the Athena agent of the Mythic C2 framework, which is a legitimate pentesting tool.

"This time, Mysterious Werewolf combines legitimate services with its own malware. The goal of the threat actors is to complicate the detection of their attacks and remain invisible in the compromised infrastructure for as long as needed."

Oleg Skulkin, Head of BI.ZONE Threat Intelligence

You can ensure early attack detection and prevent escalation with BI.ZONE TDR. Meanwhile, the latest insights from the BI.ZONE Threat Intelligence platform allow you to learn about new methods used by threat actors and improve the effectiveness of your defenses.