{
  "name": "Approaching Cyclone: Vortex Werewolf Attacks Russia",
  "slug": "approaching-cyclone-vortex-werewolf-attacks-russia",
  "description": "A new threat cluster is spreading malware through phishing attacks targeting Russia. The attacks use fake pages that imitate file downloads from Telegram. The source article likely details the structure of these attacks and how the actors exploit user trust in the popular messaging platform to deliver their payload. The emerging threat, dubbed Vortex Werewolf, appears to be a sophisticated campaign specifically targeting Russian users or entities.",
  "published": "2026-01-29T06:39:26+00:00",
  "created_at": "2026-01-29T06:39:26+00:00",
  "modified_at": "2026-01-29T07:04:37+00:00",
  "created_at_opencti": "2026-01-29T06:39:26+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-29",
    "cyclone",
    "fake pages",
    "file downloads",
    "phishing",
    "russia",
    "telegram"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "176.169.236.210"
      },
      {
        "id": "",
        "name": "190.62.5.156"
      },
      {
        "id": "",
        "name": "82.117.243.191"
      },
      {
        "id": "",
        "name": "73.94.43.159"
      },
      {
        "id": "",
        "name": "158.174.146.87"
      },
      {
        "id": "",
        "name": "78.63.213.108"
      },
      {
        "id": "",
        "name": "103.17.154.137"
      },
      {
        "id": "",
        "name": "24.134.5.121"
      },
      {
        "id": "",
        "name": "188.116.26.254"
      },
      {
        "id": "",
        "name": "85.117.251.69"
      },
      {
        "id": "",
        "name": "77.128.112.133"
      },
      {
        "id": "",
        "name": "86.206.9.78"
      },
      {
        "id": "",
        "name": "193.138.81.106"
      },
      {
        "id": "",
        "name": "https://telegram-share.documtransfer.net/?folder=5f6a307A22&hash=4C90FCcEB9&cuid=VxBY1g&cloud_access=BEeB5A09Ad&tuid=2CbRT0"
      },
      {
        "id": "",
        "name": "https://telegram-files.trustedfiles.org/?cuid=vG7LLN&cloud_access=E20340B73A&tuid=2bWqrF&hash=d3BdF6F9Bd&folder=520e66fe3F"
      },
      {
        "id": "",
        "name": "https://telegram-files.trustedfiles.org/?nash=2BC8BD579d&cloud_access=06c434ED64&tuid=efGVBj&folder=8057d1704f&cuid=3e12KE"
      },
      {
        "id": "",
        "name": "https://telegram-files.trustedfiles.org/telegram/api/v1/file/111ea773e331412d06b1e8725df275f8/3e12KE/efGVBj/"
      },
      {
        "id": "",
        "name": "https://tg-media.guardedcloud.net/?access_hash=ceFFc8F817&cuid=nghdRm&code=A824c7d9D3&tuid=SuCmHG"
      },
      {
        "id": "",
        "name": "https://telegram-files.trustedfiles.org/?folder=009c027D11&tuid=1MM5Jx&cloud_access=f8CfeE6518&hash=a9D53e2Cd9&cuid=vG7LLN"
      },
      {
        "id": "",
        "name": "1ba396a8cd9af661e0a5ceb1107c787290cff3ab05b70a9c5154f4e040f716be"
      },
      {
        "id": "",
        "name": "76542efd8113416322268676c8c32fc900661fe17db68a1ac9c2bcdcd936a7a6"
      },
      {
        "id": "",
        "name": "42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066"
      },
      {
        "id": "",
        "name": "86b1e4e48d1d4ce1acf291b21c2ffa806bca9b6cad6a6519263fa1705486eb94"
      },
      {
        "id": "",
        "name": "f27f0c47b708cabbc71e78eb28c4871834da0bc35c2693e145c01688d8e1bd13"
      },
      {
        "id": "",
        "name": "85fba8ba8377974392b9147a2adf2d2955e9dfbb8d9e0659c7f90487b1105ae7"
      },
      {
        "id": "",
        "name": "1cf423b7b55c2d7018262c847ba58e1955443e1d84ca0bca4f94f2a9cc5794d7"
      },
      {
        "id": "",
        "name": "de73c1b5597f091b5e42e5d5b4dc40a46ddee4682308f5bbe010a32ede57b111"
      },
      {
        "id": "",
        "name": "1280cca4b520bfd018296c4d1645b7c9c8c7c4608752506285dad0e251b22e32"
      },
      {
        "id": "",
        "name": "44abef9297d6573674b27416435c891317cfb9de8753d075806d5777563e6cc2"
      },
      {
        "id": "",
        "name": "6efdf511512be5e256951813f2008ce2c4572d6ef191c69a62b7555aa33255ac"
      },
      {
        "id": "",
        "name": "a5c5a64b2da18aac04ddaaa3cd82f09bbad661da4aaca785edcf4bac94cb520a"
      },
      {
        "id": "",
        "name": "aeb3196090cb428bcea45e0cf24d2b53346e244b2115edb176da49ca912d8cdf"
      },
      {
        "id": "",
        "name": "8f9029a5d5351078fc2f0b5499557c0f969b337817947314e37b2c7407ae2300"
      },
      {
        "id": "",
        "name": "fc8a6cc400dd822b6f5fc40c85a547cf7f266169edddb84a90f4b3f25956318c"
      },
      {
        "id": "",
        "name": "2727d521ef98815ba82b2c2cc504123db59e1e4df487e3d6253280d21d00020e"
      },
      {
        "id": "",
        "name": "b4195e7584ac97d9c444ee6292160c80f9c889e6cba27cc656506d3c5fcffd48"
      },
      {
        "id": "",
        "name": "558df469e8170f63da405ce42cf63900d81f0b38c3a70fa69e48b9aa11735345"
      },
      {
        "id": "",
        "name": "2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082"
      },
      {
        "id": "",
        "name": "8339333e1a1a8babc3fd72542e8fda58d19dd096cf2463867ca0328348338570"
      },
      {
        "id": "",
        "name": "36d104a18c1e966b11253eb637a452288cb94ce240ee6fff7c2d14d7ae8086ee"
      },
      {
        "id": "",
        "name": "8f4836cca1850053e87a769a84baed3cdde060ad3fce26f101a20b37375835f1"
      },
      {
        "id": "",
        "name": "7ccf33529389ff080c1aaea1678c9f7a3546ab950670138f8a7f35c7638578cb"
      },
      {
        "id": "",
        "name": "4111cda24ef547bc3296024cf94e0a0b43916c46d92f1d5c406ba241dcd6bb23"
      },
      {
        "id": "",
        "name": "ac8e6a47f795b6ea4bf1ddf2d4079337fd7d3798bcfe8773c28f9d429b83380b"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e3188036-84f8-4c41-819b-b95fcd7d7988",
        "name": "Vortex Werewolf",
        "slug": "vortex-werewolf"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "safedatabox.net"
      },
      {
        "id": "",
        "name": "teleinfo.safedatabox.net"
      },
      {
        "id": "",
        "name": "telegram-share.documtransfer.net"
      },
      {
        "id": "",
        "name": "documtransfer.net"
      },
      {
        "id": "",
        "name": "telegram-files.trustedfiles.org"
      },
      {
        "id": "",
        "name": "biavid.info"
      },
      {
        "id": "",
        "name": "trustedfiles.org"
      },
      {
        "id": "",
        "name": "3lfdhuojbznd4fmunkkzr2m5zbnaibwuyvenclsoxvapylqv4pdldqad.onion"
      },
      {
        "id": "",
        "name": "documshare.org"
      },
      {
        "id": "",
        "name": "sectgfiles.biavid.info"
      },
      {
        "id": "",
        "name": "tg-box.documshare.org"
      },
      {
        "id": "",
        "name": "guardedcloud.net"
      },
      {
        "id": "",
        "name": "docs-telegram.guardedcloud.net"
      },
      {
        "id": "",
        "name": "tg-media.guardedcloud.net"
      },
      {
        "id": "",
        "name": "clgkhqmtssx4dgvhq5r4kb4anid4n375d2z5mqspuob3iyqvzyrxhoqd.onion"
      },
      {
        "id": "",
        "name": "amvlfdftchgyoie7femnnivsfnqzizrljm5rbixgsxpzgdavdtkhtlad.onion"
      },
      {
        "id": "",
        "name": "2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion"
      },
      {
        "id": "",
        "name": "telegram.guardedcloud.net"
      }
    ]
  },
  "external_refs": [
    "https://bi.zone/expertise/blog/nadvigayushchiysya-tsiklon-vortex-werewolf-atakuet-rossiyu/",
    "https://otx.alienvault.com/pulse/697b0eae1add7406158cd075"
  ]
}