Massive offensive launched on Russian businesses
Essential information
- Published
- 09/07/2026 14:53
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- belarus chemical industry lnk file netsupport manager phishing campaign powershell loader russian targets url shortener
- Related entities
- 58 indicators, 18 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware
Description
In May and June 2026, the Clubfoot Wolf cluster executed a large-scale phishing campaign targeting Russian organizations across manufacturing, retail, e-commerce, agriculture, IT, transportation, healthcare, and science sectors, with primary focus on wholesale distributors of chemical products. Several Belarusian organizations were also compromised. The adversary sent phishing emails disguised as invoices or purchase requests, containing ZIP archives with decoy documents and malicious LNK files. Upon execution, a PowerShell script downloaded and installed NetSupport Manager, a legitimate remote administration tool, which was then used for malicious activities. The attackers employed URL shorteners to hide infrastructure and used multiple decoy files to build victim trust. The campaign demonstrated continuous evolution in delivery methods and infection chains.