Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations

· Published 27/05/2025 16:45 · Modified 27/05/2025 17:15

Essential information

Published
27/05/2025 16:45
Modified
27/05/2025 17:15
Tags
2025-05-27 c# loader obfuscation phishing xdigo
Related entities
28 observables, 1 intrusion sets (apt), 15 techniques (mitre), 1 malware, 5 others

Description

Silent Werewolf has launched two new campaigns targeting Russian and Moldovan organizations, using sophisticated loaders to deliver malicious payloads. The attacks rely on emails with ZIP attachments that contain obfuscated C# loaders, which use legitimate tools and code to evade detection. The first campaign targeted only the Russian energy, aircraft, and engineering sectors, while the second focused on both Moldovan and Russian entities. The adversaries restrict payload retrieval, making analysis challenging, and in some instances use the Llama 2 large language model to bypass defenses. The campaigns demonstrate the threat actor's evolving tactics and its continued focus on espionage in the region.

External references