Sapphire Werewolf polishes open‑source stealer to spy on Russian organizations
Sapphire Werewolf sends out phishing emails with links generated by the T.LY URL shortener. Instead of the documents the recipient expects, the link triggers the download of a malicious file. When opened, the file installs a malicious program, the Amethyst stealer, that steals data from the host.
To reduce the victim’s suspicion, a decoy document pops up at the same time the malware is downloaded. The document can be an enforcement order, a Central Election Committee leaflet, or even a decree from the President of Russia. The URL shortener serves the same purpose: it makes the links look legitimate.
The Amethyst stealer gathers sensitive information from the compromised computer: password and cookie databases, browser and popular website histories, saved pages, text and other documents, as well as configuration files that enable the attackers to gain access to the victim’s Telegram account. The collected data is archived and transmitted to the adversaries’ Telegram bot.
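As an added illustration (not code from the report or from BI.ZONE), a small rule-based triage over constructed endpoint and mail telemetry that flags the behaviours described above: T.LY short links in mail, a non-browser process reading browser credential stores or Telegram's local data, and a process other than the Telegram client talking to the Telegram Bot API. Process names, file paths and the sample events are assumptions made for the example.

```python
# Added example: behaviour-based triage for the chain described in the report.
# All constants below are assumptions for illustration, not published indicators.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SHORTENER_HOSTS = {"t.ly"}                      # T.LY shortener domain
TELEGRAM_API_HOST = "api.telegram.org"          # Telegram Bot API endpoint
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "yandex.exe"}
TELEGRAM_CLIENTS = {"telegram.exe"}
CREDENTIAL_FILES = ("login data", "cookies", "web data")  # Chromium stores

@dataclass
class Event:
    kind: str            # "net", "file" or "mail"
    process: str = ""    # image name for net/file events
    host: str = ""       # destination host for net events
    path: str = ""       # accessed file path for file events
    url: str = ""        # hyperlink for mail events

def classify(ev: Event) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    proc = ev.process.lower()
    if ev.kind == "net" and ev.host.lower() == TELEGRAM_API_HOST and proc not in TELEGRAM_CLIENTS:
        return "telegram_bot_api_from_non_client"
    if ev.kind == "file" and proc not in BROWSERS:
        low = ev.path.lower().replace("\\", "/")
        # Browser credential/cookie DBs, or Telegram Desktop's 'tdata' folder
        if any(low.endswith("/" + f) for f in CREDENTIAL_FILES) or "/tdata/" in low:
            return "credential_store_read_by_non_owner"
    if ev.kind == "mail" and urlparse(ev.url).hostname in SHORTENER_HOSTS:
        return "shortened_link_in_mail"
    return None

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Run classify() over a batch; returns (source, label) for each finding."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev.process or ev.url, label))
    return out

# Constructed sample telemetry (not real observations).
SAMPLE = [
    Event("mail", url="https://t.ly/abc123"),
    Event("mail", url="https://intranet.example.local/order.pdf"),
    Event("file", process="order.exe", path=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file", process="chrome.exe", path=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    Event("file", process="order.exe", path=r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    Event("net", process="order.exe", host="api.telegram.org"),
    Event("net", process="Telegram.exe", host="api.telegram.org"),
]

if __name__ == "__main__":
    for src, label in detect(SAMPLE):
        print(f"{label}: {src}")
```

The Telegram client itself and browsers touching their own stores are deliberately excluded, so the rules key on the combination of actor and resource rather than on the resource alone.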
According to Threat Zone 2024, 15% of attacks on organizations in Russia and other CIS countries over 2023 were driven by espionage, 76% by financial gain, and 9% by hacktivism.
To detect the techniques Sapphire Werewolf uses to gain persistence on endpoints, we recommend deploying an endpoint detection and response solution such as BI.ZONE EDR. In addition, BI.ZONE Threat Intelligence helps you keep security solutions effective, accelerate incident response, and protect the company against the most critical threats by providing information about current attacks, threat actors, and their methods and tools.