
Half of all threat actors targeting Russia’s energy sector are cyber spies
Masquerading as HR representatives is uncommon among cyber spies, who typically pose as regulators or government agencies when contacting potential victims.
According to Threat Zone 2025, BI.ZONE's annual research on the cyber threat landscape in Russia and other CIS countries, the energy sector ranked among the top 10 most targeted industries in 2024. More than half of the clusters attacking energy organizations are primarily engaged in espionage.
Impersonating recruiters is relatively unpopular among these threat actors, accounting for less than one percent of registered cases. Cyber spies typically prefer to pose as regulators or government agencies. However, Sapphire Werewolf’s recent campaign marks the second instance in a short period in which attackers leveraged HR‑themed phishing. In late 2024, Squid Werewolf employed a similar tactic, offering high-paying “job opportunities” via phishing emails.
This is not the first campaign carried out by Sapphire Werewolf. In 2024, the cluster targeted Russian education, IT, defense, and aerospace organizations, using a modified SapphireStealer version to extract data. In the latest malware update, the threat actor introduced multiple checks for virtualized environments and the symmetric Triple DES (Triple Data Encryption Standard) algorithm to impede analysis. These improvements allow the attackers to more effectively bypass security solutions.
Like many other clusters, Sapphire Werewolf employs phishing emails to gain initial access to a victim’s infrastructure. These risks can be mitigated with email protection solutions like BI.ZONE Mail Security. The service features a high‑performance engine of our own design and incorporates various methods of email traffic analysis.
Building an effective cybersecurity strategy requires an understanding of adversaries’ methods and tools. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current cyber threat landscape, including data from underground resources. This intelligence can help you stay proactive and accelerate your incident response.