{
	"id": "65b0f0d0-5758-4ad9-a9b3-c7f5b540064c",
	"created_at": "2026-04-06T00:17:55.889874Z",
	"updated_at": "2026-04-10T03:35:36.882596Z",
	"deleted_at": null,
	"sha1_hash": "9a56d510acc14899f0c5095852825f400b3c35d3",
	"title": "Core Werewolf hones its arsenal against Russia's government organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 744825,
	"plain_text": "Core Werewolf hones its arsenal against Russia's government\r\norganizations\r\nPublished: 2026-03-12 · Archived: 2026-04-05 13:49:35 UTC\r\n'=\"\"\u003e\r\nAdversaries experiment with new tools and malware delivery methods\r\nBI.ZONE Threat Intelligence continues to monitor the Core Werewolf cluster that has been attacking Russia’s\r\ndefense industry and critical infrastructure since 2021. In its latest campaigns, the threat actor turned to a new\r\nloader written in AutoIt and started delivering malicious files via Telegram (in addition to email).\r\nKey findings\r\nAdversaries extensively experiment with malware delivery methods, opting for instant messengers to target\r\ntheir victims with greater precision.\r\nThreat actors upgrade or review their arsenal to replace the tools that are becoming easier to detect.\r\nAutoIt remains a popular scripting language which allows attackers to develop their own malware.\r\nCampaign\r\nCore Werewolf uses RAR archives to deliver SFX executables created with 7‑Zip. In some cases, the archives\r\nare protected with a password (e.g., 111 ).\r\nThe SFX contains:\r\nan obfuscated malicious AutoIt script\r\na legitimate executable of the AutoIt interpreter (v. 
3.3.16.1)\r\na PDF document\r\nExample of 7zSFX content\r\nBy running the SFX file, the user extracts its content into the  %TEMP% directory and launches the malicious script\r\nusing the AutoIt interpreter.\r\nThe script is a loader meant to initiate the next stage.\r\nThe loader has the following capabilities:\r\nhttps://bi.zone/eng/expertise/blog/ne-budi-likho-core-werewolf-sovershenstvuet-ataki-na-rossiyskie-gosorganizatsii/\r\nPage 1 of 8\n\nretrieves information about the compromised system: computer name, username, OS version, files\r\nand directories in the  Desktop folder\r\ncreates a file %TEMP%\\\u003ccomputer name\u003e_\u003cusername\u003e.txt (e.g., %TEMP%\\DESKTOP-ET51AJO_Bruno.txt )\r\nrenames the decoy file and moves it to the  %USERPROFILE%\\Downloads folder\r\nopens the decoy file\r\nwrites the list of files and directories in the  Desktop folder into %TEMP%\\\u003ccomputer\r\nnаme\u003e_\u003cusername\u003e.txt\r\nreads the content of  %TEMP%\\\u003ccomputer name\u003e_\u003cusername\u003e.txt for subsequent exfiltration to the C2 server\r\nforms HTTP POST request headers to transfer information about the compromised system\r\nsends a POST request to  hxxp://\u003cdomain\u003e/upload/\u003ccomputer name\u003e_\u003cusername\u003e\r\nExample of transferred data\r\ndownloads the text file from the C2 server via the link hxxp://\u003cdomain\u003e/\u003ccomputer name\u003e_\u003cusername\u003e/[0-\r\n9]{16}.txt (e.g., hxxp://1tutor[.]ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt ). Notably,\r\nthe downloaded text file is stored in the  %TEMP% folder under a different name; for instance,\r\n5773395227936203.txt . If a text file with this name already exists, the download process is aborted\r\nreads the downloaded text file. If its content is equal to 1, the flag parameter for downloading the next\r\nstage AutoIt script is set to 1 and the downloaded text file gets deleted. 
Otherwise, nothing happens, and\r\nthe AutoIt loader infinitely tries to receive the required text file from the C2 server\r\nchecks the value of the flag parameter for downloading the next stage AutoIt script. If the value is equal\r\nto integer 1, then the next stage AutoIt script is downloaded from the C2 server via the link\r\nhxxp://\u003cdomain\u003e/\u003ccomputer name\u003e_\u003cusername\u003e/[0-9]{16}.au3 (e.g., hxxp://1tutor[.]ru/DESKTOP-ET51AJO_Bruno/9733698215789059.au3 ). Once the next stage AutoIt script is successfully downloaded,\r\nit is executed using the AutoIt interpreter. After that, the AutoIt loader deletes the downloaded next stage\r\nAutoIt script together with the file %TEMP%\\\u003ccomputer name\u003e_\u003cusername\u003e.txt containing the list of files\r\nand directories of the  Desktop folder. Accordingly, if such a next stage AutoIt script already exists,\r\nit is not downloaded and run again.\r\nSimilarly to previous Core Werewolf campaigns, the names of employed decoy files reflect their content. 
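The hunting logic below is an added example written for this edition; it is not BI.ZONE code and not a rendering of the EDR rules named later in the report. It covers the chain just described: the renamed interpreter launched out of a Temp directory with an .au3 argument, and the three URL shapes of the C2 exchange (telemetry POST to /upload/<computer name>_<username>, the 16-digit .txt flag poll, the 16-digit .au3 next stage). A URL hit is confirmed only when the path embeds the requesting <computer name>_<username> or the destination is one of the indicators listed in the report, and hosts for which the complete upload, poll and next-stage sequence was seen are reported separately. The event field names (host, user, parent, image, cmdline, sha1, method, url) and the sample events are constructed for the example; the domains, IP addresses and the interpreter SHA-1 come from the indicators list.

```python
import re

# Network and file indicators listed in the report (defanged there as hxxp:// and [.]).
C2_DOMAINS = {'dsksb.ru', '1tutor.ru', 'conversesuisse.net', 'cntula.ru'}
C2_IPS = {'188.127.240.131', '80.85.155.134', '178.20.46.163', '31.192.107.165'}
AUTOIT_INTERPRETER_SHA1 = '4a1b94a9a5113106f40cd8ea724703734d15f118'  # renamed AutoIt 3.3.16.1

# URL shapes of the loader exchange as the report describes them:
#   POST http://<domain>/upload/<computer name>_<username>            host telemetry
#   GET  http://<domain>/<computer name>_<username>/[0-9]{16}.txt     go/no-go flag (content 1)
#   GET  http://<domain>/<computer name>_<username>/[0-9]{16}.au3     next-stage script
_PREFIX = '^https?://(?P<dest>[^/:]+)(?::[0-9]+)?/'
UPLOAD_RE = re.compile(_PREFIX + 'upload/(?P<host>[^/_]+)_(?P<user>[^/]+)$')
STAGE_RE = re.compile(_PREFIX + '(?P<host>[^/_]+)_(?P<user>[^/]+)/(?P<task>[0-9]{16})[.](?P<ext>txt|au3)$')

TEMP_MARKERS = ('/appdata/local/temp/', '/windows/temp/')


def check_process(ev):
    '''Flag the SFX stage: an interpreter launched out of a Temp directory with an .au3 argument.
    The interpreter is renamed to a 16-digit name, so the image name is useless; the location,
    the script extension and (when the log carries it) the known interpreter hash are what count.'''
    image = ev['image'].replace('\\', '/').lower()
    cmdline = ev['cmdline'].lower()
    in_temp = any(m in image for m in TEMP_MARKERS)
    if not in_temp or '.au3' not in cmdline:
        return None
    reasons = ['script interpreter run from Temp with an .au3 script']
    if ev.get('sha1', '').lower() == AUTOIT_INTERPRETER_SHA1:
        reasons.append('image hash is the AutoIt 3.3.16.1 interpreter shipped in the SFX')
    if ev.get('parent', '').lower().endswith('cmd.exe'):
        reasons.append('spawned by cmd.exe, as the SFX run script does')
    return {'kind': 'autoit_from_temp', 'host': ev['host'], 'user': ev['user'],
            'image': ev['image'], 'reasons': reasons}


def check_http(ev):
    '''Flag the C2 exchange by URL shape, and confirm it when the path embeds the requesting
    host and user (the loader puts <computer name>_<username> into every URL) or when the
    destination is one of the indicators from the report.'''
    url = ev['url']
    m = UPLOAD_RE.match(url)
    kind = 'c2_upload'
    if m is None:
        m = STAGE_RE.match(url)
        if m is None:
            return None
        kind = 'c2_stage_' + m.group('ext')
    if kind == 'c2_upload' and ev['method'].upper() != 'POST':
        return None
    g = m.groupdict()
    reasons = ['URL matches the loader pattern ' + kind]
    if g['host'].lower() == ev['host'].lower() and g['user'].lower() == ev['user'].lower():
        reasons.append('path embeds the requesting computer name and username')
    if g['dest'].lower() in C2_DOMAINS or g['dest'] in C2_IPS:
        reasons.append('destination is a known Core Werewolf indicator')
    if len(reasons) < 2:
        return None  # shape alone (e.g. a benign /upload/a_b) is not enough to alert on
    return {'kind': kind, 'host': ev['host'], 'user': ev['user'], 'dest': g['dest'], 'reasons': reasons}


def hunt(proc_events, http_events):
    findings = [f for f in map(check_process, proc_events) if f]
    findings += [f for f in map(check_http, http_events) if f]
    return findings


def staged_hosts(findings):
    '''Return host_user keys for which the whole chain was observed: telemetry upload,
    at least one flag poll and the next-stage download.'''
    seen = {}
    for f in findings:
        seen.setdefault(f['host'] + '_' + f['user'], set()).add(f['kind'])
    needed = {'c2_upload', 'c2_stage_txt', 'c2_stage_au3'}
    return sorted(k for k, kinds in seen.items() if needed <= kinds)


# Constructed sample telemetry (not from the report): Sysmon-style process events and
# proxy-style HTTP events for the victim DESKTOP-ET51AJO / Bruno used in the report examples.
PROC_EVENTS = [
    {'host': 'DESKTOP-ET51AJO', 'user': 'Bruno', 'parent': 'C:\\Windows\\System32\\cmd.exe',
     'image': 'C:\\Users\\Bruno\\AppData\\Local\\Temp\\9481940632028706.exe',
     'cmdline': '9481940632028706.exe C:\\Users\\Bruno\\AppData\\Local\\Temp\\1409008805926544.au3',
     'sha1': '4a1b94a9a5113106f40cd8ea724703734d15f118'},
    {'host': 'DESKTOP-ET51AJO', 'user': 'Bruno', 'parent': 'C:\\Windows\\explorer.exe',
     'image': 'C:\\Program Files\\AutoIt3\\AutoIt3.exe',
     'cmdline': 'AutoIt3.exe C:\\Users\\Bruno\\scripts\\backup.au3', 'sha1': 'aa' * 20},
]
HTTP_EVENTS = [
    {'host': 'DESKTOP-ET51AJO', 'user': 'Bruno', 'method': 'POST', 'url': 'http://1tutor.ru/upload/DESKTOP-ET51AJO_Bruno'},
    {'host': 'DESKTOP-ET51AJO', 'user': 'Bruno', 'method': 'GET', 'url': 'http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt'},
    {'host': 'DESKTOP-ET51AJO', 'user': 'Bruno', 'method': 'GET', 'url': 'http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.txt'},
    {'host': 'DESKTOP-ET51AJO', 'user': 'Bruno', 'method': 'GET', 'url': 'http://1tutor.ru/DESKTOP-ET51AJO_Bruno/9733698215789059.au3'},
    {'host': 'WS-042', 'user': 'alice', 'method': 'POST', 'url': 'http://files.example.com/upload/report_final'},
]

if __name__ == '__main__':
    for f in hunt(PROC_EVENTS, HTTP_EVENTS):
        print(f['kind'], f['host'], f['user'], '; '.join(f['reasons']))
    print('full chain seen on:', staged_hosts(hunt(PROC_EVENTS, HTTP_EVENTS)))
```

The benign /upload/report_final request and the AutoIt3.exe run from Program Files are deliberately left in the sample data: the URL shape and the interpreter alone are not evidence, and the example only alerts when the host identity in the path or a listed destination corroborates the hit. Because the interpreter file is the legitimate 3.3.16.1 build, its hash alone should likewise never be an alert on its own; here it only strengthens a finding that the Temp location and the .au3 argument already produced.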
In the decoy shown below, the content of the file План_работы_по_вопросам_эффективности_применения_огневого_поражения_РВиА__.pdf (work plan on the effectiveness of fire engagement by the rocket forces and artillery) matches its name:\r\nFigure: extract from the decoy document\r\nIndicators of compromise\r\nRAR archive\r\nMD5: 36f96f199cf97ee8cbdd0271bd6598ca\r\nSHA-1: 2c2660577d4f853935a64c47cf8967a74e32d0f8\r\nSHA-256: 703835c57b8985141ef3ef652e2593935a47bd9779d08963c5eb973b8b82d08a\r\nRAR archive (password: 111)\r\nMD5: 9a454c6e336ac65df9a0330db086565f\r\nSHA-1: 2f835234ff7b497944220a72315c1b80d2474fa5\r\nSHA-256: 19ff0ce570aabefcab0eed08afdaffd16c5516d91962e099498ecaf97f394766\r\nSFX executables:\r\nРазведывательная_информация_по_состоянию_на_2024_09_23_на_доклад_для_нач_штабов.exe (intelligence information as of 2024-09-23 for a report to the chiefs of staff)\r\nMD5: 20e4539a0c14c63afa24744b3767f103\r\nSHA-1: 2fcc26ba22a592f7cd1dc81c212e79795fc05f76\r\nSHA-256: d42942acee6154609c1c5f61bb0fb863c4598dd82e6d28af58c9dfbee71c4521\r\nПлан_работы______по_вопросам____эффективности_применения_огневого_поражения_РВиА.exe (work plan on the effectiveness of fire engagement by the rocket forces and artillery)\r\nMD5: 88849c55911c4b1866fb7099f9c54407\r\nSHA-1: 01bea2e4ff7bba835d88714ec4fde8d97a250639\r\nSHA-256: b09807247282baaddb32ffe114b046325dd648a4c298f3b5c9addaa635b0520c\r\nПлан_работы_по_вопросам_эффективности_применения_огневого_поражения_РВиА__.exe (same title as above)\r\nMD5: e058d942a6dadfb09bd652ce1e1b2518\r\nSHA-1: bcef3e23516e7df558b07da2edee8c47398a2472\r\nSHA-256: 114de7d5e7dd6088f68705d519fc35530433506965ec5288e9dfb005bfec73c8\r\nПлан_и_расписание__работы_комиссии_довести_командирам_частей_и_НШ.exe (plan and schedule of the commission’s work, to be conveyed to unit commanders and chiefs of staff)\r\nMD5: 9c0933a8a4fcb108dae9ee4cf9f7645b\r\nSHA-1: 7d53b53514fd54af5e547c02eb8163dbd25f79ca\r\nSHA-256: 6a3584f8e6b5f8e2fb5826aa0f042bf30b06e7467f022499a71273e15daaa216\r\nMalicious obfuscated AutoIt script (downloader):\r\n1409008805926544.au3\r\nMD5: 6a495d68c106da8e9e4ec4bab72969c7\r\nSHA-1: 871a675d43758907d02d5b7e57d8a96f70dd3b27\r\nSHA-256: a049cc364151ddfb3b87c11050a9b027ec4a1687ae4415b8d07afa4bc7aeaced\r\n6999704557038434.au3\r\nMD5: 2c77773840821a49d71ac7c9e31258f9\r\nSHA-1: 35da880d75ab18f132dfed65adf545e079a99f55\r\nSHA-256: 2b62b9481c0bcdf46a24a792f44e152ea5b7c5143cb06af9d82ff8c2c8433551\r\n8090622255964677.au3\r\nMD5: a3bd5a90c900bd78b015804c2e2159c6\r\nSHA-1: 80ef6745cd0412ab587def958f6425de2b144935\r\nSHA-256: 731b4673f28da5d8b48f016a478be4e1ffea247d5b44a6612c506110b8fdd97c\r\n8954304834437030.au3\r\nMD5: 13dbc816bca4f7668452fd8d28bb95e1\r\nSHA-1: 5eba332d8372d94d17e87b6c8234b2cad052bb17\r\nSHA-256: 3cfc1ecd00d52349c0b1ac0692774b31a97342330ef664b546fa3b8aa1d3a6c2\r\nLegitimate AutoIt interpreter:\r\n9481940632028706.exe, 3823822393935372.exe, 0554702337892303.exe, 6394810657788120.exe\r\nMD5: 0adb9b817f1df7807576c2d7068dd931\r\nSHA-1: 4a1b94a9a5113106f40cd8ea724703734d15f118\r\nSHA-256: 4f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b\r\nPDF decoys:\r\nZf26q26l16s86L56i9.fD37p97U07G77t07B9\r\nMD5: f3b95a48f3415e8909b979f9219a68b4\r\nSHA-1: 4f47703cdc419e2942ff2697b7ee40a4d703956f\r\nSHA-256: eecfa15d69a6322fac39e945d68664a037e48a60644a76acd8b49490e6c93c06\r\ngT13b43C53J83b93F9.My36b26K06h16o46G8\r\nMD5: 22a0ffa0c20131cd10fe074dbbcdd262\r\nSHA-1: 2ba32d676b04da49276527d4b428c36b2cb61b81\r\nSHA-256: 75cd7ef3e87d59f32939832e3b5eeb586d0fc1467721a30b64132bc5f833697f\r\nlD06w16k16e26m36j5.qG74F64k84I94V24Q9\r\nMD5: 770c3ea782ea6d4430b64e24ebce8ca8\r\nSHA-1: 21b551deb21e6218741e424086b1eaad0064fe65\r\nSHA-256: 00ec82306c9df4aee9dda42933ed55afa9e53ed74c2018bc0ce43d87edad2f98\r\nGL11H01e11a71b41M1.nc64b64m74X24a84O3\r\nMD5: 6834ec008b5dc8980a1c7a3e13a1a8ea\r\nSHA-1: a2146ccfffbabed1501e8ad00fada778e3817f94\r\nSHA-256: a8ea0f64e7e08d59b45068c1ff4eda4d7fd9d92148cd3d4c664da9c18aaf1f32\r\nNetwork indicators:\r\ndsksb[.]ru\r\n1tutor[.]ru\r\nconversesuisse[.]net\r\ncntula[.]ru\r\n188.127.240[.]131\r\n80.85.155[.]134\r\n178.20.46[.]163\r\n31.192.107[.]165\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Procedure\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | Core Werewolf uses cmd.exe to open a decoy document and run the AutoIt interpreter with the AutoIt script\r\nExecution | Command and Scripting Interpreter: AutoHotKey \u0026 AutoIT | Core Werewolf uses the AutoIt loader to download and execute the next-stage AutoIt script\r\nDefense Evasion | Indicator Removal: File Deletion | Core Werewolf deletes the files created and downloaded during the AutoIt loader’s execution\r\nDefense Evasion | Masquerading | Core Werewolf names the self-extracting archives after document titles and gives them the Adobe Acrobat Reader icon\r\nDefense Evasion | Obfuscated Files or Information | Core Werewolf obfuscates the AutoIt loader’s code\r\nDiscovery | File and Directory Discovery | Core Werewolf retrieves the list of files and folders in the Desktop directory\r\nDiscovery | System Information Discovery | Core Werewolf retrieves the computer name and OS version\r\nDiscovery | System Owner/User Discovery | Core Werewolf retrieves the username of the compromised system\r\nCommand and Control | Application Layer Protocol: Web Protocols | Core Werewolf uses HTTP to communicate with the C2 server and sends the compromised host’s telemetry in a POST request\r\nCommand and Control | Ingress Tool Transfer | Core Werewolf uses the AutoIt loader to download and run the next-stage AutoIt script\r\nDetection\r\nThe BI.ZONE EDR rules below can help organizations detect the described malicious activity:\r\nwin_th_run_autoit_from_temp\r\nwin_discovery_owner_and_users_system\r\nwin_discovery_system_information\r\nwin_access_to_ti_observed_host_from_nonbrowsers\r\nwin_execution_of_ti_observed_file\r\nHow to protect your company from such threats\r\nUnderstanding current attack methods and tools is important for mapping the cyber threat landscape. For this purpose, we recommend BI.ZONE Threat Intelligence, a dedicated portal with up-to-date information about attack campaigns against specific infrastructures. The solution provides information about attack trends, threat actors, and their modus operandi. This data helps security solutions operate effectively, accelerates incident response, and protects the company from the most critical threats.\r\nSource: https://bi.zone/eng/expertise/blog/ne-budi-likho-core-werewolf-sovershenstvuet-ataki-na-rossiyskie-gosorganizatsii/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://bi.zone/eng/expertise/blog/ne-budi-likho-core-werewolf-sovershenstvuet-ataki-na-rossiyskie-gosorganizatsii/"
	],
	"report_names": [
		"ne-budi-likho-core-werewolf-sovershenstvuet-ataki-na-rossiyskie-gosorganizatsii"
	],
	"threat_actors": [
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775792136,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a56d510acc14899f0c5095852825f400b3c35d3.pdf",
		"text": "https://archive.orkl.eu/9a56d510acc14899f0c5095852825f400b3c35d3.txt",
		"img": "https://archive.orkl.eu/9a56d510acc14899f0c5095852825f400b3c35d3.jpg"
	}
}