Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations

May 27, 2025, 5:15 p.m.

Description

Silent Werewolf has launched two new campaigns targeting Russian and Moldovan organizations, utilizing sophisticated loaders to deliver malicious payloads. The attacks employ phishing emails with ZIP attachments containing obfuscated C# loaders. These loaders use legitimate tools and code obfuscation to evade detection. The first campaign exclusively targeted Russian energy, aircraft, and engineering sectors, while the second focused on both Moldovan and Russian entities. The adversaries hinder payload retrieval, making analysis challenging. They also utilize the Llama 2 large language model in some instances to bypass defenses. The campaigns demonstrate the threat actor's evolving tactics and their continued focus on espionage in the region.

Date

  • Created: May 27, 2025, 4:45 p.m.
  • Published: May 27, 2025, 4:45 p.m.
  • Modified: May 27, 2025, 5:15 p.m.

Indicators

Attack Patterns

Additional Information

  • Aerospace
  • Energy
  • Manufacturing
  • Moldova, Republic of
  • Russian Federation