At a glance
| Actor / group | Clubfoot Wolf (cluster tracked by BI.ZONE) |
| Activity type | Phishing that deploys NetSupport Manager for remote access |
| Targets / victims | Russian firms across eight sectors; some in Belarus |
| Scale | Large-scale campaign in May and June 2026; no victim count confirmed |
| Law-enforcement status | No arrests or charges reported |
| Source | BI.ZONE Threat Intelligence |
TL;DR
BI.ZONE has detailed a phishing campaign by a cluster it calls Clubfoot Wolf. The group targets Russian companies, mostly chemical wholesalers. It hides a legitimate remote access tool inside fake purchase orders.
What happened
Clubfoot Wolf ran the campaign in May and June 2026. The attackers posed as buyers seeking a quote or invoice. Each email carried a ZIP archive with decoy documents and one malicious shortcut.
The decoys did real work. As BI.ZONE notes, “Decoy files are used to build trust with victims and convince them to open malicious attachments.” Opening the shortcut then ran a hidden PowerShell command, which quietly pulled and ran the next stage in memory.

The group also kept changing its approach. According to BI.ZONE, the cluster “experiments with delivery methods, modifying infection chains and masking techniques.” It used a URL shortener to hide its infrastructure. The final payload was NetSupport Manager, copied into a folder named “VoiceAssistant” with a startup registry entry for persistence.
Who is behind it
BI.ZONE tracks the activity as Clubfoot Wolf and describes the cluster as financially motivated. Beyond that label, attribution stays limited. Authorities have reported no arrests, and no named suspects face charges.
The tactics echo a wider trend. Several clusters now abuse NetSupport Manager against Russian firms, since the legitimate tool slips past many defenses.
Impact and scale
The campaign reached manufacturing, retail, e-commerce, agriculture, IT, transport, healthcare, and science. Chemical wholesalers were the main target. The attackers also struck a few firms in Belarus. However, BI.ZONE has not published a confirmed victim count, so treat scale as broad but unquantified.
How to stay protected
Treat unexpected purchase orders with care. Watch for ZIP archives that hide shortcut files. Block or inspect shortened links at the gateway.
Defenders should also flag NetSupport Manager launching from user profile folders. For full indicators, see BI.ZONE’s analysis of the Clubfoot Wolf campaign.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.