Thousand-faced spy: Silent Werewolf evolves its arsenal to stay undetected

This spring, the cluster leveraged new versions of its malware. The threat actor also introduced another tactic to obstruct incident reconstruction: instead of retrieving a malicious payload, it loaded a language model file. So far, Silent Werewolf’s recent campaigns have been limited to a few dozen organizations.
May 27, 2025

About 20% of attacks against Russian companies are espionage-driven. In these cases, adversaries’ primary objective is to steal sensitive data while remaining undetected and hinder further analysis as much as possible. To achieve this, they rely on custom-built tools and constantly seek new ways to disguise their malware.

In March 2025, we uncovered two new campaigns by Silent Werewolf, each demonstrating a subtle evolution in strategy. In both cases, the attackers employed unique loaders—instances designed to install themselves on a victim’s device and retrieve stealer malware from a C2 server.

The loaders were distributed via phishing emails disguised as messages from legitimate companies. Ironically, some targets received malicious files disguised as cybersecurity recommendations.

Many organizations, especially larger ones, rely on sandboxing as part of their defenses. To detect potential malware, sandboxes execute suspicious files in a virtualized environment to analyze them for possible threats.
But Silent Werewolf managed to stay one step ahead. Once executed, its loader called a C2 server to retrieve an additional malware instance. However, if the loader was run in a country or organization that was of no interest to the attackers—or if it was rerun—it instead delivered a legitimate Llama language model file. This prevented sandbox environments from accessing the actual payload, effectively disrupting analysis of the entire attack chain.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

If run by a user within the target organization, the loader retrieved the malicious payload, thus compromising the system. However, if the loader was run again (e.g., in a sandbox), it loaded a legitimate Llama language model file instead of the payload.

The payload itself was not available at the time of our research as the adversaries had partially covered their tracks and dismantled the IT infrastructure used in the attacks. However, a retrospective analysis of similar Silent Werewolf campaigns suggests the likely use of XDigo stealer, also crafted by the threat actor.

The first of the two March campaigns focused on Russian organizations exclusively while the second targeted companies in Moldova and, presumably, Russia. The attackers attempted to compromise about 80 organizations across various industries, including nuclear, aircraft, instrumentation and mechanical engineering.

Phishing emails account for over 50% of all attacks targeting Russian organizations. You can leverage dedicated services such as BI.ZONE Mail Security to filter out unwanted messages and protect your email communications. The solution carefully examines every incoming message using over 100 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This comprehensive inspection process does not delay the delivery of legitimate emails.

To enable early detection of attacks and immediate incident response, either automated or manual, we recommend implementing endpoint detection and response practices, for instance, BI.ZONE EDR.