A new wave of cyber espionage has been unleashed against Russian industrial, financial, and transport sectors, revealing a highly technical and maturing threat actor known as Paper Werewolf.
A recent investigation by BI.ZONE Threat Intelligence has exposed a sophisticated campaign active during March and April 2026. The group is making headlines not just for its persistence, but for its impressive array of custom-built tools and its ability to blend into legitimate network environments.
The analysis uncovered several previously undocumented malware instances that highlight Paper Werewolf’s technical evolution. Among these is a dedicated data exfiltration tool and complex loaders designed to keep the attackers under the radar.
“The analysis revealed several previously undescribed malware instances, including a custom-built stealer we dubbed PaperGrabber, loaders and downloaders written in C++, C#, Python, and JavaScript,” the report states.
Key findings from the report include:
- PaperGrabber Stealer: A specialized tool developed to harvest files from local and network drives, extract Telegram messenger data, and exfiltrate browser-stored credentials.
- EchoGather RAT: A remote access trojan distributed via phishing emails that mimic official requests, allowing adversaries to execute commands and move files.
- Custom Mythic Implants: The group is building its own implants for the Mythic post-exploitation framework, demonstrating a “high level of expertise and technical maturity.”
Paper Werewolf relies heavily on social engineering to gain initial access. In recent campaigns, they distributed phishing emails containing PDF attachments that masqueraded as “official requests” regarding industrial demand or flight school applications.
One notable tactic involves a “Phishing PDF” that claims a user’s Adobe Acrobat Reader is outdated. When the victim clicks “Install Update,” they unknowingly download a ZIP file containing an Inno Setup installer. This installer simulates a legitimate plugin installation while stealthily launching the EchoGather RAT in the background.
The group’s technical maturity is further evidenced by their use of legitimate interpreters to hide their activity. For instance, they have been seen using a legitimate Node.js interpreter (disguised as yandex.exe) to run malicious JavaScript downloaders.
“This enables the group to maintain covert access to compromised environments and evade detection for longer periods,” the report explains.
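A renamed copy of a legitimate interpreter still carries the original file name compiled into its PE version resource, and Sysmon process-creation events (Event ID 1) expose that value in the OriginalFileName field. The following script is an added detection example, not code from BI.ZONE or the report: it triages constructed Sysmon-style records and flags a process whose on-disk name (such as yandex.exe) does not match the interpreter it really is, listing any script files passed on the command line. The watchlist of interpreter names and all sample events are assumptions made for the example.

```python
"""Flag renamed script interpreters in process-creation telemetry.

Added example: the records below are constructed Sysmon Event ID 1 style
events, not telemetry from the report. The check relies on the fact that
renaming node.exe to yandex.exe does not change the OriginalFileName
stored in the binary's version resource.
"""
import ntpath

# Interpreters whose compiled-in name is worth watching (constructed watchlist).
INTERPRETERS = {"node.exe", "python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".py", ".vbs")

# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\yandex.exe",
     "OriginalFileName": "node.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\yandex.exe" "C:\Users\u\AppData\Local\Temp\update.js"'},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "OriginalFileName": "node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" server.js'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
    {"Image": r"C:\Users\u\Downloads\svc.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r'"C:\Users\u\Downloads\svc.exe" -c "import sys"'},
]


def renamed_interpreter(event):
    """Return the real interpreter name when the image was renamed, else None."""
    # ntpath handles Windows paths regardless of the host running this script.
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if original in INTERPRETERS and image != original:
        return original
    return None


def script_arguments(event):
    """Return command-line tokens that look like script files handed to the interpreter."""
    tokens = event.get("CommandLine", "").split()
    return [t.strip('"') for t in tokens
            if t.strip('"').lower().endswith(SCRIPT_EXTENSIONS)]


def triage(events):
    """Return one alert per event whose image name hides a watched interpreter."""
    alerts = []
    for event in events:
        real = renamed_interpreter(event)
        if real is None:
            continue
        alerts.append({
            "image": event["Image"],
            "masquerading_as": ntpath.basename(event["Image"]),
            "real_interpreter": real,
            "scripts": script_arguments(event),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['masquerading_as']} is really {alert['real_interpreter']}: "
              f"{alert['image']} scripts={alert['scripts']}")
```

This catches the simple case the report describes, an untouched legitimate binary that has only been renamed; an attacker who rebuilds or strips the version resource defeats the field comparison, so pair it with a hash or signer check against the vendor's known interpreter binaries.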
Furthermore, the group’s Python-based loaders appear to be following modern trends. BI.ZONE researchers noted that the structure and coding style of some loaders suggest they “may have been developed with the assistance of generative AI tools.”
By prioritizing the theft of SSH keys and cryptographic private keys, Paper Werewolf is clearly focused on long-term, high-value access. Their use of MD5-based deduplication and specific directory exclusions shows a refined process designed to efficiently exfiltrate only the most relevant data.