Between March and May 2026, the threat actor known as Fluffy Wolf sharply escalated its operations. Security researchers have uncovered a series of Fluffy Wolf phishing attacks targeting Russian organizations across several critical sectors, with the campaigns aimed at construction, consulting, manufacturing, engineering, retail, and e-commerce companies.
Using highly deceptive tactics, the attackers send emails masquerading as legitimate corporate communications regarding outstanding debts, reconciliation statements, or legal claims. To bypass modern email security gateways, the attackers heavily rely on malicious RAR attachments and external GitHub repository links. According to the comprehensive threat intelligence report from BI.ZONE, “Fluffy Wolf uses GitHub repository URLs in phishing emails. Because such links appear legitimate, they help the attackers bypass email filtering and network security controls while increasing the likelihood that recipients will open them.”
One of the most alarming aspects of these recent Fluffy Wolf phishing attacks is the actor's strategic shift toward diversifying its delivery methods. While the group still leverages classic droppers such as PureCrypter and Rust-based loaders running Donut shellcode, it has added a new tool to its arsenal: PowerLoader. Marketed as a Malware-as-a-Service (MaaS) offering on underground hacker forums since April 2026 for around $100 per build, PowerLoader is a previously undocumented C++ downloader that executes almost entirely filelessly to bypass standard endpoint defenses such as Windows Defender.
As explicitly stated in the report, “While the group continues to rely on the same core payloads (PureLogs, PureRAT, and Pay2Key), it has shifted its focus toward evolving and diversifying delivery methods. The adversaries introduced the third-party PowerLoader downloader to improve the chances of successful compromise and evasion.”
Once PowerLoader infiltrates a target host, it spawns hidden PowerShell instances to retrieve additional malicious scripts directly from the command-and-control (C2) server. These scripts systematically deploy the final payloads, which include the notorious Pay2Key ransomware, the PureLogs information stealer, and the PureRAT trojan. To remain hidden, the threat actors inject these payloads into trusted Windows processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe.
The PureLogs stealer actively harvests vast amounts of sensitive data, sweeping up browser credentials, search histories, and application data. Fluffy Wolf operators streamline their campaigns by categorizing this stolen data and routing it to dedicated server endpoints for easier monetization.
In a terrifying twist for network defenders, researchers analyzing these Fluffy Wolf phishing attacks discovered a brand-new capability within the PureRAT infections. For the very first time in attacks against Russian enterprises, the threat actors deployed “PluginRemote Desktop” for PureRAT. The report notes, “We detected PluginRemote Desktop for PureRAT, which had not previously been seen in attacks on Russian organizations.” This dangerous plug-in drastically expands the attackers’ control, allowing them to seamlessly capture desktop images, monitor active windows, and even manipulate mouse and keyboard input remotely.
The ultimate end game for many of these network compromises is financial extortion. When deploying the Pay2Key ransomware, the attackers employ heavy anti-forensic techniques to cover their tracks. For example, the ransomware uses the Windows fsutil command to overwrite its own executable file with zeros before completely deleting it. This effectively wipes the malware from the disk, preventing incident response teams from easily recovering the original ransomware binary for reverse engineering.
As cybercriminal syndicates like Fluffy Wolf continue to refine their sophisticated tradecraft, enterprise security teams must remain on high alert. By recognizing the telltale signs of these aggressive Fluffy Wolf phishing attacks, organizations can proactively implement tighter email filtering rules, restrict unauthorized PowerShell execution, and actively monitor for suspicious connections to unexpected GitHub repositories.
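The monitoring advice above can be turned into concrete process-creation rules. The following is an added example written for this article, not code from BI.ZONE or from the report: it runs three checks over constructed Sysmon-style events (hidden-window PowerShell, the .NET injection hosts the report names started from an unexpected parent, and fsutil zeroing a file, including the parent process's own binary). The sample events, the expected-parent list and the assumption that Pay2Key's zero-overwrite corresponds to `fsutil file setzerodata` are all constructed here and must be tuned to a real estate.

```python
import re

# Constructed Sysmon Event ID 1 style records (hypothetical, not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\acct\AppData\Local\Temp\invoice_2026.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ep bypass -File stage2.ps1"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "RegAsm.exe"},
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "ParentImage": r"C:\Users\acct\AppData\Local\Temp\pay.exe",
     "CommandLine": r"fsutil file setzerodata offset=0 length=614400 C:\Users\acct\AppData\Local\Temp\pay.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

# Trusted .NET utilities the report names as injection hosts for the final payloads.
INJECTION_HOSTS = {"regasm.exe", "installutil.exe", "msbuild.exe"}
# Parents that normally launch those utilities (assumption; tune per environment).
EXPECTED_HOST_PARENTS = {"devenv.exe", "msbuild.exe", "services.exe", "cmd.exe"}

HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I)
# Assumption: the zero-overwrite the report describes is done with this fsutil subcommand.
FSUTIL_ZERO = re.compile(r"\bfsutil\s+file\s+setzerodata\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names the event matches (empty list = benign)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    # 1. PowerLoader-style behaviour: PowerShell started with a hidden window.
    if image in {"powershell.exe", "pwsh.exe"} and HIDDEN_PS.search(cmd):
        hits.append("hidden_powershell")
    # 2. Injection host launched by something other than its usual parents.
    if image in INJECTION_HOSTS and parent not in EXPECTED_HOST_PARENTS:
        hits.append("suspicious_injection_host_parent")
    # 3. Anti-forensics: fsutil zeroing a file; escalate when the target is the parent's own binary.
    if FSUTIL_ZERO.search(cmd):
        hits.append("fsutil_zero_file")
        if event["ParentImage"].lower() in cmd.lower():
            hits.append("fsutil_self_wipe")
    return hits

def triage(events):
    """Pair each matching event's image name with its rule hits."""
    return [(basename(e["Image"]), hits) for e in events if (hits := classify(e))]
```

Rule 2 will be noisy wherever build servers or installers legitimately launch MSBuild.exe or InstallUtil.exe, so extend the expected-parent set from your own baseline before alerting on it.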