
BI.ZONE Threat Intelligence has uncovered two new malicious campaigns attributed to the threat actor Silent Werewolf, once again demonstrating the group’s evolving arsenal of tools and techniques. These recent campaigns, conducted in March 2025, leveraged custom obfuscated loaders and advanced delivery chains to target Russian and Moldovan organizations in what appear to be cyber-espionage efforts.
“Phishing emails remain the adversaries’ preferred technique for targeted attacks, particularly those involving espionage,” the report states.
The first campaign began on March 11, 2025, exclusively targeting Russian organizations in sensitive sectors, including the nuclear energy, aviation, and mechanical engineering industries.

Silent Werewolf deployed a C#-based obfuscated loader, masked as documents like pre-action legal notices and construction project proposals. Victims received phishing emails with links to ZIP archives (e.g., proyekt.zip, dokazatelstva.zip) that contained:
- A malicious .LNK file
- A decoy PDF
- A legitimate Microsoft-signed executable (DeviceMetadataWizard.exe)
- A malicious DLL loader (disguised as d3d9.dll)
Once executed, the LNK file kicked off a multi-stage unpacking process built on embedded JScript.NET code; the Microsoft-signed executable then side-loaded the malicious DLL, which fetched an encrypted payload from a command-and-control (C2) server. As an anti-analysis measure, the loader retrieved a legitimate Llama 2 large language model file as a decoy download on hosts that did not match the target profile, so that sandboxes and researchers never saw the real payload.
“The loader retrieves the malicious payload from the C2 server, saves it to the host’s startup folder, and opens the decoy PDF,” BI.ZONE explains.
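The lure kit described above has a recognisable shape on disk: an archive holding a Windows shortcut, a decoy PDF, a Microsoft-signed executable and a DLL named after a system library it will side-load. The following triage script is an added example written for this article, not code from BI.ZONE or from the campaign; it builds a dummy archive laid out like the reported proyekt.zip (the file contents are constructed placeholders, not the real samples) and flags that combination. The extra DLL names beyond d3d9.dll are an assumed list of other commonly hijacked libraries, and the LNK check only validates the shell-link header, not the shortcut's target.

```python
import io
import zipfile

# System DLLs that are frequent side-loading targets. d3d9.dll is the name the
# report gives; the others are an assumed extension for broader coverage.
SIDELOAD_DLL_NAMES = {"d3d9.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Shell Link header (MS-SHLLINK 2.1): HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, both little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def triage_archive(zip_bytes):
    """Inspect a ZIP held in memory and report lure-kit indicators.

    Returns a dict of matched file names per category plus a boolean
    'matches_pattern' that is True when a genuine LNK, an EXE and a
    side-load-named DLL are all present (the decoy PDF is reported but
    not required, since decoy types vary between lures).
    """
    findings = {"lnk": [], "fake_lnk": [], "pdf": [], "exe": [], "sideload_dll": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            if name.endswith(".lnk"):
                head = zf.open(info).read(len(LNK_MAGIC))
                # A ".lnk" without the shell-link header is something else renamed.
                bucket = "lnk" if head == LNK_MAGIC else "fake_lnk"
                findings[bucket].append(info.filename)
            elif name.endswith(".pdf"):
                findings["pdf"].append(info.filename)
            elif name.endswith(".exe"):
                findings["exe"].append(info.filename)
            elif name in SIDELOAD_DLL_NAMES:
                findings["sideload_dll"].append(info.filename)
    findings["matches_pattern"] = bool(
        findings["lnk"] and findings["exe"] and findings["sideload_dll"]
    )
    return findings


def build_sample_archive(include_dll=True):
    """Construct a dummy archive shaped like the reported proyekt.zip.

    All four members are placeholders (minimal headers and padding), not
    the actual campaign files. include_dll=False yields a benign-looking
    archive for comparison.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("proyekt.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("proyekt.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("DeviceMetadataWizard.exe", b"MZ" + b"\x00" * 62)
        if include_dll:
            zf.writestr("d3d9.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = triage_archive(build_sample_archive(include_dll=flag))
        print("with DLL" if flag else "without DLL", "->", result["matches_pattern"])
```

In practice the EXE check would be tightened by verifying the Authenticode signature of the executable (for example with `signtool` or `Get-AuthenticodeSignature` on a Windows host), because the whole technique depends on a trusted, signed binary loading the attacker's DLL from its own directory.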
The second campaign, observed beginning March 18, 2025, extended operations to Moldovan organizations and possibly to Russian organizations as well. This wave introduced a revamped loader delivered in archives named Grafik_SL_0525.zip and Rekomendatsii_032025.pdf.zip, masquerading as:
- Vacation schedules
- Cybersecurity recommendations
The infection chain here was more complex, involving:
- A malicious LNK file triggering a PowerShell-based extraction
- A config.bin file that included obfuscated MSBuild tasks, malicious DLLs, and decoys
- Execution of the payload via MSBuild, staged in temporary folders with randomized GUID names
“The Build task initiates two subtasks… decrypts, decodes, and reconstructs these files, and opens a decoy PDF,” the report notes.
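Both chains leave telemetry that can be matched without any knowledge of the specific samples: the first campaign's signed executable loading d3d9.dll from a user directory and the loader writing to the Startup folder, and the second campaign's MSBuild.exe launched from PowerShell against a project file in a GUID-named temp folder. The following detection logic is an added example written for this article (not BI.ZONE's rules or the actor's code) and runs over constructed Sysmon-style events: ID 1 (process creation), ID 7 (image load) and ID 11 (file creation). Field names follow Sysmon's schema; the paths, user name and GUID in the sample events are made up.

```python
import re
from pathlib import PureWindowsPath

# A GUID-shaped directory component, with or without braces.
GUID_DIR = re.compile(
    r"\\\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\\", re.I
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_DLLS = {"d3d9.dll"}  # the library named in the report
POWERSHELL = {"powershell.exe", "pwsh.exe"}
STARTUP_MARK = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXEC_EXT = {".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def _base(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Apply three rules to Sysmon-style event dicts; return (rule, detail) tuples."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:
            # Rule 1: a side-load-prone DLL loaded from outside the system
            # directories and not signed (Sysmon's Signed field describes ImageLoaded).
            loaded = ev.get("ImageLoaded", "")
            if (_base(loaded) in SIDELOAD_DLLS
                    and not loaded.lower().startswith(SYSTEM_DIRS)
                    and ev.get("Signed", "false").lower() != "true"):
                alerts.append(("sideload_dll_outside_system_dir",
                               f"{ev.get('Image')} -> {loaded}"))
        elif eid == 1:
            # Rule 2: MSBuild.exe building from a GUID-named folder or spawned by PowerShell.
            if _base(ev.get("Image", "")) == "msbuild.exe":
                cmd = ev.get("CommandLine", "")
                parent = _base(ev.get("ParentImage", ""))
                if GUID_DIR.search(cmd) or parent in POWERSHELL:
                    alerts.append(("msbuild_from_guid_temp_or_powershell", cmd))
        elif eid == 11:
            # Rule 3: an executable artefact written into a Startup folder.
            target = ev.get("TargetFilename", "")
            if (STARTUP_MARK in target.lower()
                    and PureWindowsPath(target).suffix.lower() in EXEC_EXT):
                alerts.append(("dropped_into_startup_folder", target))
    return alerts


# Constructed sample telemetry: three malicious events interleaved with two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\ivan\AppData\Local\Temp\{1b6c3d3e-8a2f-4e0d-9c21-5f6a7b8c9d0e}\build.proj"},
    {"EventID": 7,
     "Image": r"C:\Users\ivan\Downloads\proyekt\DeviceMetadataWizard.exe",
     "ImageLoaded": r"C:\Users\ivan\Downloads\proyekt\d3d9.dll", "Signed": "false"},
    {"EventID": 7,  # benign: a game loading the real Direct3D library
     "Image": r"C:\Program Files\SomeGame\game.exe",
     "ImageLoaded": r"C:\Windows\System32\d3d9.dll", "Signed": "true"},
    {"EventID": 11,
     "Image": r"C:\Users\ivan\Downloads\proyekt\DeviceMetadataWizard.exe",
     "TargetFilename": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 1,  # benign: a developer build from Visual Studio
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},
]


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 1 will still fire on legitimate software that ships its own d3d9.dll wrapper, so in a real deployment it is usually scoped to processes whose own image is Microsoft-signed, which is exactly the case side-loading depends on. Rule 2 needs an allow-list for build servers and developer workstations where MSBuild under PowerShell is routine.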
The C# loader used in this campaign checked environment variables and the user identity to avoid running inside sandboxes or on researcher systems. Upon validation, it decrypted and ran the payload stored at:
Silent Werewolf’s campaigns were meticulously crafted to delay analysis and maximize stealth:
- Abuse of legitimate tooling (MSBuild; a Microsoft-signed executable used to side-load a malicious DLL)
- Obfuscation with Base64 and XOR encoding
- User-Agent spoofing to mimic Chrome traffic
- Environment checks (environment variables, user identity) to bypass sandboxes and researcher systems
“The extensive use of legitimate tools and malware code obfuscation allows the attackers to stay undetected for longer periods,” the analysts emphasized.
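The Base64-plus-XOR layering listed above is cheap to strip once the key is known, and for a PE payload the key can usually be recovered from the blob alone because the DOS header is predictable. The script below is an added example for this article, not BI.ZONE's tooling or the actor's loader: it assumes the payload was XORed and then Base64-encoded (the report does not state the order or the key length), constructs a PE-shaped dummy payload, and recovers either a single-byte key by brute force or a short repeating key by a known-plaintext attack against the standard 16-byte DOS header.

```python
import base64

# The first 16 bytes of a typical MSVC-linked PE (e_magic "MZ", e_cblp 0x90,
# e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0, e_maxalloc 0xFFFF).
PE_DOS_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """XOR data with a repeating key of any length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(payload, key):
    """Assumed encoding order (XOR, then Base64); used to build the sample blobs."""
    return base64.b64encode(xor_bytes(payload, key))


def recover_single_byte_key(blob_b64):
    """Try all 256 one-byte keys; accept the one that yields an MZ header and DOS stub."""
    raw = base64.b64decode(blob_b64)
    for k in range(256):
        cand = xor_bytes(raw, bytes([k]))
        if cand[:2] == b"MZ" and DOS_STUB in cand[:512]:
            return k, cand
    return None, None


def recover_repeating_key(blob_b64, known_prefix=PE_DOS_PREFIX, max_len=16):
    """Known-plaintext attack for a repeating key no longer than the known prefix.

    ciphertext XOR plaintext gives the keystream for the first bytes; the
    shortest period that reproduces that keystream is the key candidate.
    """
    raw = base64.b64decode(blob_b64)
    stream = xor_bytes(raw[:len(known_prefix)], known_prefix)
    for length in range(1, min(max_len, len(known_prefix)) + 1):
        key = stream[:length]
        if all(stream[i] == key[i % length] for i in range(len(stream))):
            cand = xor_bytes(raw, key)
            if DOS_STUB in cand[:512]:
                return key, cand
    return None, None


# Constructed PE-shaped payload: DOS header, padding, a DOS stub and trailing zeros.
SAMPLE_PAYLOAD = (
    PE_DOS_PREFIX
    + b"\x00" * 48
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + DOS_STUB + b".\r\r\n$"
    + b"\x00" * 64
)


if __name__ == "__main__":
    one = obfuscate(SAMPLE_PAYLOAD, b"\x5a")
    print("single-byte key:", recover_single_byte_key(one)[0])
    multi = obfuscate(SAMPLE_PAYLOAD, b"k3y!")
    print("single-byte attempt on 4-byte key:", recover_single_byte_key(multi)[0])
    print("repeating key:", recover_repeating_key(multi)[0])
```

Keys longer than the known prefix, or payloads that are not PE files, need a different known plaintext (a shellcode prologue, a known script header) or statistical methods; the point is that XOR with a short key is obfuscation against string scanners, not encryption, and the sample's own structure leaks the key.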