Approaching Cyclone: Vortex Werewolf Attacks Russia
Jan. 29, 2026, 8:04 a.m.
Description
A new cluster, tracked as Vortex Werewolf, is spreading malware through phishing attacks targeting Russia. The lures are fake pages that imitate file downloads from Telegram, served from look-alike hosts such as telegram-files.trustedfiles.org and tg-media.guardedcloud.net that carry the Telegram name in a subdomain of an unrelated registered domain, so a victim who expects a file shared through the messenger fetches the payload from attacker infrastructure instead. The indicators below are the SHA-256 file hashes, IP addresses, lure URLs and infrastructure hosts (clearnet and .onion) associated with the campaign.
Tags
Date
- Created: Jan. 29, 2026, 7:39 a.m.
- Published: Jan. 29, 2026, 7:39 a.m.
- Modified: Jan. 29, 2026, 8:04 a.m.
Indicators
- 1ba396a8cd9af661e0a5ceb1107c787290cff3ab05b70a9c5154f4e040f716be
- 76542efd8113416322268676c8c32fc900661fe17db68a1ac9c2bcdcd936a7a6
- 42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066
- 86b1e4e48d1d4ce1acf291b21c2ffa806bca9b6cad6a6519263fa1705486eb94
- f27f0c47b708cabbc71e78eb28c4871834da0bc35c2693e145c01688d8e1bd13
- 85fba8ba8377974392b9147a2adf2d2955e9dfbb8d9e0659c7f90487b1105ae7
- 1cf423b7b55c2d7018262c847ba58e1955443e1d84ca0bca4f94f2a9cc5794d7
- de73c1b5597f091b5e42e5d5b4dc40a46ddee4682308f5bbe010a32ede57b111
- 1280cca4b520bfd018296c4d1645b7c9c8c7c4608752506285dad0e251b22e32
- 44abef9297d6573674b27416435c891317cfb9de8753d075806d5777563e6cc2
- 6efdf511512be5e256951813f2008ce2c4572d6ef191c69a62b7555aa33255ac
- a5c5a64b2da18aac04ddaaa3cd82f09bbad661da4aaca785edcf4bac94cb520a
- aeb3196090cb428bcea45e0cf24d2b53346e244b2115edb176da49ca912d8cdf
- 8f9029a5d5351078fc2f0b5499557c0f969b337817947314e37b2c7407ae2300
- fc8a6cc400dd822b6f5fc40c85a547cf7f266169edddb84a90f4b3f25956318c
- 2727d521ef98815ba82b2c2cc504123db59e1e4df487e3d6253280d21d00020e
- b4195e7584ac97d9c444ee6292160c80f9c889e6cba27cc656506d3c5fcffd48
- 558df469e8170f63da405ce42cf63900d81f0b38c3a70fa69e48b9aa11735345
- 2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082
- 8339333e1a1a8babc3fd72542e8fda58d19dd096cf2463867ca0328348338570
- 36d104a18c1e966b11253eb637a452288cb94ce240ee6fff7c2d14d7ae8086ee
- 8f4836cca1850053e87a769a84baed3cdde060ad3fce26f101a20b37375835f1
- 7ccf33529389ff080c1aaea1678c9f7a3546ab950670138f8a7f35c7638578cb
- 4111cda24ef547bc3296024cf94e0a0b43916c46d92f1d5c406ba241dcd6bb23
- ac8e6a47f795b6ea4bf1ddf2d4079337fd7d3798bcfe8773c28f9d429b83380b
- 176.169.236.210
- 190.62.5.156
- 82.117.243.191
- 73.94.43.159
- 158.174.146.87
- 78.63.213.108
- 103.17.154.137
- 24.134.5.121
- 188.116.26.254
- 85.117.251.69
- 77.128.112.133
- 86.206.9.78
- 193.138.81.106
- https://telegram-share.documtransfer.net/?folder=5f6a307A22&hash=4C90FCcEB9&cuid=VxBY1g&cloud_access=BEeB5A09Ad&tuid=2CbRT0
- https://telegram-files.trustedfiles.org/?cuid=vG7LLN&cloud_access=E20340B73A&tuid=2bWqrF&hash=d3BdF6F9Bd&folder=520e66fe3F
- https://telegram-files.trustedfiles.org/?nash=2BC8BD579d&cloud_access=06c434ED64&tuid=efGVBj&folder=8057d1704f&cuid=3e12KE
- https://telegram-files.trustedfiles.org/telegram/api/v1/file/111ea773e331412d06b1e8725df275f8/3e12KE/efGVBj/
- https://tg-media.guardedcloud.net/?access_hash=ceFFc8F817&cuid=nghdRm&code=A824c7d9D3&tuid=SuCmHG
- https://telegram-files.trustedfiles.org/?folder=009c027D11&tuid=1MM5Jx&cloud_access=f8CfeE6518&hash=a9D53e2Cd9&cuid=vG7LLN
Attack Patterns
- Vortex Werewolf
Additional Information
- safedatabox.net
- teleinfo.safedatabox.net
- telegram-share.documtransfer.net
- documtransfer.net
- telegram-files.trustedfiles.org
- biavid.info
- trustedfiles.org
- 3lfdhuojbznd4fmunkkzr2m5zbnaibwuyvenclsoxvapylqv4pdldqad.onion
- documshare.org
- sectgfiles.biavid.info
- tg-box.documshare.org
- guardedcloud.net
- docs-telegram.guardedcloud.net
- tg-media.guardedcloud.net
- clgkhqmtssx4dgvhq5r4kb4anid4n375d2z5mqspuob3iyqvzyrxhoqd.onion
- amvlfdftchgyoie7femnnivsfnqzizrljm5rbixgsxpzgdavdtkhtlad.onion
- 2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion
- telegram.guardedcloud.net
- Russian Federation
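To turn the lists above into something that runs against proxy logs, the following added example (written for this page, not code from the report's author) sorts raw indicators into hashes, IPs, URLs, clearnet domains and .onion hosts, folds URL hosts into a domain blocklist, and then scans log lines for either a listed host or the naming scheme these lures share: a "telegram"/"tg" label under a registered domain Telegram does not own. The IOC subset, the TELEGRAM_OWNED allowlist, the two-label approximation of the registrable domain and the proxy log lines are all constructed assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Subset of the indicators and domains listed above, deliberately mixed by type.
IOCS = [
    "1ba396a8cd9af661e0a5ceb1107c787290cff3ab05b70a9c5154f4e040f716be",
    "176.169.236.210",
    "https://telegram-share.documtransfer.net/?folder=5f6a307A22&hash=4C90FCcEB9&cuid=VxBY1g&cloud_access=BEeB5A09Ad&tuid=2CbRT0",
    "telegram-files.trustedfiles.org",
    "guardedcloud.net",
    "documshare.org",
    "3lfdhuojbznd4fmunkkzr2m5zbnaibwuyvenclsoxvapylqv4pdldqad.onion",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Assumed allowlist of domains Telegram itself serves downloads from; extend for your environment.
TELEGRAM_OWNED = {"telegram.org", "t.me", "telegram.me", "telesco.pe", "telegram.dog"}
# A label equal to, or hyphen-joined with, "telegram" or "tg" (telegram-files, tg-media, docs-telegram).
BRAND_LABEL_RE = re.compile(r"(^|-)(telegram|tg)(-|$)")


def classify(ioc: str) -> str:
    """Sort one raw indicator string into sha256 / ip / url / onion / domain / unknown."""
    ioc = ioc.strip().lower()
    if SHA256_RE.match(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if ioc.startswith(("http://", "https://")):
        return "url"
    if ioc.endswith(".onion"):
        return "onion"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def build_blocklist(iocs: List[str]) -> Dict[str, set]:
    """Group indicators by type. A URL IOC's host is also added to the domain set,
    so any other path on the same lure host is caught too."""
    out: Dict[str, set] = {k: set() for k in ("sha256", "ip", "url", "onion", "domain")}
    for ioc in iocs:
        kind = classify(ioc)
        if kind == "unknown":
            continue
        out[kind].add(ioc.strip().lower())
        if kind == "url":
            host = urlsplit(ioc.strip().lower()).hostname
            if host:
                out["domain"].add(host)
    return out


def registrable(host: str) -> str:
    """Last two labels. Simplification: no public-suffix list, so a co.uk-style
    suffix would be cut wrong; adequate for the .net/.org/.info lure domains above."""
    return ".".join(host.split(".")[-2:])


def host_matches(host: str, domains: set) -> bool:
    """True if the host itself or any parent domain of it is on the list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def looks_like_telegram_lure(host: str) -> bool:
    """Heuristic for hosts not yet on any list: a 'telegram'/'tg' label in the
    subdomain part, under a registrable domain Telegram does not own."""
    reg = registrable(host)
    if reg in TELEGRAM_OWNED:
        return False
    sub = host[: -len(reg)].rstrip(".")
    return any(BRAND_LABEL_RE.search(label) for label in sub.split(".") if label)


def scan_proxy_log(lines: List[str], blocklist: Dict[str, set]) -> List[Tuple[str, str]]:
    """Lines are '<ts> <client_ip> <method> <url> <status>' (constructed format).
    Returns (reason, url) for each line hitting a listed IP/domain or the lure heuristic."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            continue
        if host in blocklist["ip"]:
            hits.append(("listed-ip", url))
        elif host_matches(host, blocklist["domain"]):
            hits.append(("listed-domain", url))
        elif looks_like_telegram_lure(host):
            hits.append(("telegram-lookalike", url))
    return hits


# Constructed proxy log (not from the page): two listed hosts, one unlisted look-alike,
# one genuine Telegram download, one listed IP, one benign site.
SAMPLE_LOG = [
    "2026-01-28T10:12:03Z 10.0.0.5 GET https://telegram-files.trustedfiles.org/telegram/api/v1/file/111ea773e331412d06b1e8725df275f8/3e12KE/efGVBj/ 200",
    "2026-01-28T10:12:09Z 10.0.0.5 GET https://docs-telegram.guardedcloud.net/?code=1 200",
    "2026-01-28T10:13:40Z 10.0.0.7 GET https://telegram-docs.example-share.net/?folder=ab12 200",
    "2026-01-28T10:14:02Z 10.0.0.7 GET https://telegram.org/dl/desktop/win64 200",
    "2026-01-28T10:15:00Z 10.0.0.9 GET https://176.169.236.210/update.bin 200",
    "2026-01-28T10:16:11Z 10.0.0.9 GET https://www.python.org/downloads/ 200",
]

if __name__ == "__main__":
    for reason, url in scan_proxy_log(SAMPLE_LOG, build_blocklist(IOCS)):
        print(f"{reason:20} {url}")
```

The look-alike heuristic is what lets the scan fire on a host the feed has not caught up with yet (the third sample line), which matters for a cluster that rotates through fresh registered domains while keeping the same subdomain naming; tune BRAND_LABEL_RE and TELEGRAM_OWNED before deploying it as a blocking rule rather than an alert.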