{"id":1663,"date":"2025-06-11T09:08:11","date_gmt":"2025-06-11T09:08:11","guid":{"rendered":"https:\/\/www.tsfactory.com\/forums\/?p=1663"},"modified":"2025-06-11T09:08:11","modified_gmt":"2025-06-11T09:08:11","slug":"rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises","status":"publish","type":"post","link":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/","title":{"rendered":"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises"},"content":{"rendered":"<p>The threat actor known as\u00a0<strong>Rare Werewolf<\/strong>\u00a0(formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries.<\/p>\n<p>&#8220;A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,&#8221; Kaspersky\u00a0<a href=\"https:\/\/securelist.com\/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto\/116536\/\" target=\"_blank\" rel=\"noopener\">said<\/a>. &#8220;The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts.&#8221;<\/p>\n<p>The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan.<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2025\/02\/thn-weekly-recap-top-cybersecurity_10.html#:~:text=Rare%20Wolf%20Goes%20After%20Russia\" target=\"_blank\" rel=\"noopener\">Rare Werewolf<\/a>, also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a\u00a0<a href=\"https:\/\/ics-cert.kaspersky.com\/publications\/reports\/2024\/12\/26\/apt-and-financial-attackson-industrial-organizationsin-q3-2024\/\" target=\"_blank\" rel=\"noopener\">track record<\/a>\u00a0of striking organizations in Russia and Ukraine. It&#8217;s believed to be active at least since 2019.<\/p>\n<p>According to BI.ZONE, the threat actor\u00a0<a href=\"https:\/\/bi.zone\/eng\/expertise\/blog\/rare-wolf-okhotitsya-za-privatnymi-dannymi-s-pomoshchyu-falshivykh-nakladnykh-1s-predpriyatie\/\" target=\"_blank\" rel=\"noopener\">obtains<\/a>\u00a0initial access using phishing emails, leveraging the foothold to steal documents, Telegram messenger data, and drop tools like\u00a0<a href=\"https:\/\/www.mipko.ru\/employee-monitor\/\" target=\"_blank\" rel=\"noopener\">Mipko Employee Monitor<\/a>,\u00a0<a href=\"https:\/\/www.nirsoft.net\/utils\/web_browser_password.html\" target=\"_blank\" rel=\"noopener\">WebBrowserPassView<\/a>, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software.<\/p>\n<p>The latest set of attacks documented by Kaspersky reveals the use of phishing emails as a malware delivery vehicle, using password-protected archives containing executable files as a starting point to activate the infection.<\/p>\n<p>Present within the archive is an installer that&#8217;s used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy PDF document that mimics a payment order.<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2025\/06\/rare-werewolf-apt-uses-legitimate.html\">Read the Full Story Here<\/a><\/p>\n<p>Source: The Hacker News<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The threat actor known as\u00a0Rare Werewolf\u00a0(formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. &#8220;A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,&#8221; Kaspersky\u00a0said. &#8220;The malicious functionality of the campaign [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1334,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises - Community<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises - Community\" \/>\n<meta property=\"og:description\" content=\"The threat actor known as\u00a0Rare Werewolf\u00a0(formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. &#8220;A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,&#8221; Kaspersky\u00a0said. &#8220;The malicious functionality of the campaign [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/\" \/>\n<meta property=\"og:site_name\" content=\"Community\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/TSFactoryLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-11T09:08:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chelsie Wyatt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@TSFactoryLLC\" \/>\n<meta name=\"twitter:site\" content=\"@TSFactoryLLC\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chelsie Wyatt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/\",\"name\":\"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises - Community\",\"isPartOf\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg\",\"datePublished\":\"2025-06-11T09:08:11+00:00\",\"author\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#primaryimage\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg\",\"contentUrl\":\"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg\",\"width\":1280,\"height\":853},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.tsfactory.com\/forums\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#website\",\"url\":\"https:\/\/www.tsfactory.com\/forums\/\",\"name\":\"Community\",\"description\":\"TSFactory\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f\",\"name\":\"Chelsie Wyatt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g\",\"caption\":\"Chelsie Wyatt\"},\"url\":\"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises - Community","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/","og_locale":"en_US","og_type":"article","og_title":"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises - Community","og_description":"The threat actor known as\u00a0Rare Werewolf\u00a0(formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. &#8220;A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,&#8221; Kaspersky\u00a0said. &#8220;The malicious functionality of the campaign [&hellip;]","og_url":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/","og_site_name":"Community","article_publisher":"https:\/\/www.facebook.com\/TSFactoryLLC\/","article_published_time":"2025-06-11T09:08:11+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg","type":"image\/jpeg"}],"author":"Chelsie Wyatt","twitter_card":"summary_large_image","twitter_creator":"@TSFactoryLLC","twitter_site":"@TSFactoryLLC","twitter_misc":{"Written by":"Chelsie Wyatt","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/","url":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/","name":"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises - Community","isPartOf":{"@id":"https:\/\/www.tsfactory.com\/forums\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#primaryimage"},"image":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#primaryimage"},"thumbnailUrl":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg","datePublished":"2025-06-11T09:08:11+00:00","author":{"@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f"},"breadcrumb":{"@id":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#primaryimage","url":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg","contentUrl":"https:\/\/www.tsfactory.com\/forums\/wp-content\/uploads\/2024\/08\/pexels-harold-vasquez-853421-2653362.jpg","width":1280,"height":853},{"@type":"BreadcrumbList","@id":"https:\/\/www.tsfactory.com\/forums\/blog\/rare-werewolf-apt-uses-legitimate-software-in-attacks-on-hundreds-of-russian-enterprises\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.tsfactory.com\/forums\/"},{"@type":"ListItem","position":2,"name":"Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises"}]},{"@type":"WebSite","@id":"https:\/\/www.tsfactory.com\/forums\/#website","url":"https:\/\/www.tsfactory.com\/forums\/","name":"Community","description":"TSFactory","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.tsfactory.com\/forums\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/9d9908f0e12559297335ebe9b601c82f","name":"Chelsie Wyatt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.tsfactory.com\/forums\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09ff3801fb7566acf715fe4e81a9bd942b923c236138a3ed8a8375f099e5d6d6?s=96&d=mm&r=g","caption":"Chelsie Wyatt"},"url":"https:\/\/www.tsfactory.com\/forums\/blog\/author\/chelsie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/comments?post=1663"}],"version-history":[{"count":1,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1663\/revisions"}],"predecessor-version":[{"id":1664,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/posts\/1663\/revisions\/1664"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media\/1334"}],"wp:attachment":[{"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/media?parent=1663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/categories?post=1663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tsfactory.com\/forums\/wp-json\/wp\/v2\/tags?post=1663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}