Thrifty and nifty: Fluffy Wolf hits Russian companies with low-cost malware

The threat actor targeted Russian organizations with phishing emails demanding settlement of “outstanding debts,” leveraging new inexpensive tools and GitHub repository URLs
June 9, 2026

From March to May 2026, BI.ZONE Threat Intelligence observed a series of phishing attacks by Fluffy Wolf. The adversaries targeted Russian organizations across multiple sectors, including construction, consulting, manufacturing, engineering, retail, and e‑commerce.

In its phishing emails, the group impersonated business partners or contractors of target companies. The attackers urged recipients to review the attached documents related to outstanding debts. The files included payment details, claims, and settlement demands.

We identified two delivery methods: malicious RAR attachments and GitHub repository URLs used to load archives containing malware. The RAR files concealed loaders, droppers, and a downloader designed to deploy the PureLogs stealer, the Pay2Key ransomware, and the PureRAT trojan on compromised systems. Rather than relying on custom‑built malware, the threat actor employed tools purchased on underground markets. An annual subscription to PureCrypter costs $449 while PureLogs and PureRAT are priced at $1,250 and $1,499, respectively.

In the latest campaign, Fluffy Wolf reduced its “opex”: PowerLoader likely cost them around $120. Overall, the entire toolkit used in these attacks is worth only several thousand dollars. Yet a single successful compromise can generate hundreds of thousands in profit—the average ransom demand in 2025 reached $193,000.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

While retaining the core arsenal, Fluffy Wolf diversified its delivery methods. In particular, the adversaries used PluginRemoteDesktop for PureRAT, which had not previously been observed in attacks targeting Russian organizations. The threat actor also acquired PowerLoader to improve the chances of successful compromise and evasion.

Another notable aspect of these campaigns was the use of GitHub repository URLs in phishing emails. Because such links appeared legitimate, recipients were more likely to open them. The attackers employed these URLs to bypass email filtering and network security controls.
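As an added defender-side illustration (not code from BI.ZONE or from the report), the routine below triages email metadata for the two delivery traits described above: archive attachments and code-hosting URLs that serve an archive file. The host list, file names and sample messages are constructed assumptions, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# RAR is the archive format named in the report; ZIP and 7z are added as an assumption.
ARCHIVE_EXT = re.compile(r"\.(rar|zip|7z)$", re.IGNORECASE)
# github.com is the host named in the report; raw.githubusercontent.com is an assumed
# sibling host that serves repository files directly.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com"}


def classify_url(url):
    """Return a reason if the URL points at an archive on a code host, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in CODE_HOSTS:
        return None
    # urlparse keeps the query string separate, so only the path is checked here.
    if ARCHIVE_EXT.search(parsed.path):
        return f"archive download from code host: {url}"
    return None


def review_email(email):
    """email: dict with 'attachments' (file names) and 'urls' (strings found in the body).
    Returns a list of reasons the message deserves analyst attention (empty if none)."""
    reasons = []
    for name in email.get("attachments", []):
        if ARCHIVE_EXT.search(name):
            reasons.append(f"archive attachment: {name}")
    for url in email.get("urls", []):
        reason = classify_url(url)
        if reason:
            reasons.append(reason)
    return reasons


# Constructed sample messages mirroring the lure themes in the report.
SAMPLE_EMAILS = [
    {"subject": "Outstanding debt settlement", "attachments": ["claim_2026.rar"], "urls": []},
    {"subject": "Reconciliation act", "attachments": [],
     "urls": ["https://github.com/example-org/example-repo/raw/main/payment_details.rar"]},
    {"subject": "Meeting notes", "attachments": ["notes.pdf"],
     "urls": ["https://github.com/example-org/example-repo"]},
]

if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        print(email["subject"], "->", review_email(email) or "no findings")
```

A plain repository link (third sample) is not flagged by itself; only archive downloads are, which keeps the rule usable alongside legitimate developer traffic.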

According to Threat Zone 2026, 64% of targeted attacks in 2025 began with phishing emails, compared to 57% in 2024. Mitigating such threats requires adopting dedicated solutions like BI.ZONE Mail Security. The tool ensures multilayered email analysis, including anomaly detection in message content, inspection of URLs and attachments, and correlation of technical indicators with message behavior within mail traffic.

Building an effective cybersecurity strategy takes a comprehensive approach. Platforms such as BI.ZONE Threat Intelligence provide up‑to‑date details on current threats, attackers, tactics, techniques, tools, and exploited vulnerabilities.