{
	"id": "ab81373a-c4b9-49dc-b312-37048fab7bc0",
	"created_at": "2026-04-06T00:14:06.054573Z",
	"updated_at": "2026-04-10T13:12:20.586376Z",
	"deleted_at": null,
	"sha1_hash": "c9d3cb159192a761113884f585555498cf6ebd32",
	"title": "Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1884534,
	"plain_text": "Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation\r\nAttacks\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 16:38:36 UTC\r\nMorphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to\r\nhave geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear,\r\nrecent attack techniques suggest espionage and data exfiltration intent.  \r\nIntroduction\r\nSticky Werewolf is a cyber threat group first detected in April 2023; early activities primarily targeted public\r\norganizations in Russia and Belarus. The group’s operations have since extended to several sectors, targeting a\r\npharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and\r\nmore.  \r\nIn their most recent campaign, Sticky Werewolf have targeted the aviation industry with emails supposedly from\r\nthe First Deputy General Director of AO OKB Kristall (a Moscow-based company involved in the production and\r\nmaintenance of aircraft and spacecraft). In previous campaigns the group used phishing emails with links to\r\nmalicious files. This latest campaign used archive files containing LNK files pointing to a payload stored on\r\nWebDAV servers. \r\nInfection Chain \r\nIn previous campaigns, the infection chain began with phishing emails containing a link to download a malicious\r\nfile from platforms like gofile.io. However, in their latest campaign, the infection method has changed.  \r\nThe initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy\r\nfiles. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch\r\nscript, which then launches an AutoIt script that ultimately injects the final payload. 
\r\nhttps://www.morphisec.com/blog/sticky-werewolfs-aviation-attacks/\r\nPage 1 of 10\n\nTechnical Analysis\r\nPhishing Email\r\nThe phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB\r\nKristall, targets individuals in the aerospace and defense sector.  \r\nThe email invites recipients to a video conference on future cooperation, providing a password-protected archive\r\nthat contains a malicious payload, and aims to deceive recipients into opening the harmful attachment under the\r\nlure of a legitimate business invitation. \r\nEmail Attachment \r\nThe initial archive delivered in the phishing email contains three files designed to deceive the recipient into\r\nexecuting at least one of the malicious email’s contents.  \r\nThe archive includes: \r\nA Decoy PDF File: This file serves as a distraction, providing seemingly legitimate content to reduce\r\nsuspicion while the LNK files execute the malicious payload. \r\nTwo LNK Files Masquerading as DOCX Documents:\r\nПовестка совещания.docx.lnk (Meeting agenda): This file is intended to appear as a legitimate\r\ndocument outlining the meeting agenda. \r\nСписок рассылки.docx.lnk (Mailing list): This file is disguised as a document containing the\r\ndistribution list for the meeting. \r\nPDF\r\nThe PDF file, included as a decoy in the phishing archive, is an invitation to a video conference organized by AO\r\n“OKB Kristall” with key enterprises of the “Russian Helicopters” holding. The conference aims to discuss “Issues\r\nof prospective cooperation 2024-2025.” \r\nThe PDF also references the two malicious LNK files as attachments, increasing the likelihood of the recipient\r\nopening them. 
\r\nMeeting agenda (Повестка совещания.docx.lnk) \r\nMailing list (Список рассылки.docx.lnk) \r\nLNKs \r\nOnce the victim clicks the LNK files, the following actions will be triggered: \r\nFirst LNK – Повестка совещания.docx.lnk (Meeting agenda) \r\nExecutes a command which performs multiple actions: \r\n1. Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe from a network\r\nshare (\\\\94.156.8[.]166\\Microsoft Office Word$\\WINWORD.exe) on login.\r\n2. Decoy Message: Displays a message in Russian indicating a document opening error, claiming the file is\r\ncorrupted.\r\n3. Copies image.jpg from another network share (\\\\79.132.128[.]47\\image.jpg) to the local root directory. The\r\nfile was unavailable at the time of research and is suspected to be used as a decoy. \r\nSecond LNK – Список рассылки.docx.lnk (Mailing List) \r\nExecutes the command \\\\document-cdn[.]org\\Microsoft Office Word$\\WINWORD.exe, which launches the\r\nsame executable as in the first LNK file, this time via a domain name that resolved to the above IP (at the time of\r\nwriting). \r\nCypherIT Loader / Crypter \r\nOnce the victim clicks the LNK file, the executable from the network share begins running. This executable is an\r\nNSIS self-extracting archive which is part of a previously known crypter named CypherIT.  \r\nThis crypter has been used for several years to deliver malicious payloads in various campaigns by multiple threat\r\nactors. While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as\r\nobserved in a couple of hacking forums. 
\r\nThe NSIS archive extracts its files into the $INTERNET_CACHE directory, which corresponds\r\nto %LocalAppData%\\Microsoft\\Windows\\INetCache, and is typically used for Internet Explorer’s temporary\r\nfiles. After extraction, the installer runs one of the files, an obfuscated batch script. \r\nBatch Script \r\nThis batch script performs several operations: \r\nDelay Execution: If wrsa.exe or opssvc.exe processes are running, the script delays execution by\r\nrunning ping -n 193 127.0.0.1. \r\nChange Filenames: If any of the following processes are\r\npresent: avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe, the script changes the filename of the\r\nnext-stage AutoIt executable and the file extension of the script. \r\nFile Concatenation: Concatenates multiple files into two files:\r\nA legitimate AutoIt executable. \r\nA compiled AutoIt script. \r\nExecute AutoIt: Runs the AutoIt executable, passing the compiled script as an argument. \r\nProcess Name  Vendor \r\navastui.exe  AVG Antivirus \r\navgui.exe  AVG Antivirus \r\nnswscsvc.exe  Norton Security \r\nopssvc.exe | sophoshealth.exe  Sophos Endpoint Protection \r\nwrsa.exe  Webroot \r\nTable: Processes monitored by the Batch script and their corresponding security vendors. \r\nAutoIt Script \r\nThe executed AutoIt script has various capabilities such as anti-analysis, anti-emulation, persistence, and\r\nunhooking. Its main goal is to inject the payload and establish persistence while evading security solutions and\r\nanalysis attempts. 
\r\nAnti-Analysis and Anti-Emulation \r\nThe script checks for artifacts or signs belonging to security vendors’ emulators and environments: \r\nArtifact Type  Value  Vendor \r\nComputer Name  tz  BitDefender Emulator \r\nComputer Name  NfZtFbPfH  Kaspersky Emulator \r\nComputer Name  ELICZ  AVG Emulator \r\nUsername  test22   \r\nProcess Name  avastui.exe  AVG Antivirus \r\nFile Name  C:\\aaa_TouchMeNot_.txt  Windows Defender Emulator \r\nProcess Name  bdagent.exe  Bitdefender \r\nProcess Name  avp.exe  Kaspersky \r\nThe script then restores ntdll.dll by mapping a clean copy from disk and replacing the .text section of the\r\nloaded one — a known technique to remove user-mode hooks. \r\nPersistence \r\nPersistence is established via a scheduled task or the startup directory. \r\nDecryption and Injection \r\nBefore injecting the payload, the script decrypts it using two shellcodes that together perform RC4 decryption. \r\n1. The first shellcode performs the key scheduling algorithm (KSA) using the provided passphrase. \r\n2. The second shellcode implements the pseudo-random generation algorithm (PRGA) of the RC4 stream cipher. \r\nThe decrypted bytes are decompressed\r\nusing RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1. The final payload is then injected\r\nusing process hollowing into a legitimate AutoIt process. \r\nConclusion \r\nThe injected payloads typically include commodity RATs or stealers. Recently, Sticky Werewolf has utilized\r\nRhadamanthys Stealer and Ozone RAT in their campaigns. Previously, the group deployed MetaStealer,\r\nDarkTrack, NetWire, among others. These malware families facilitate extensive espionage and data exfiltration. 
\r\nWhile there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the\r\ngeopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this\r\nattribution remains uncertain. \r\nHow Morphisec Helps \r\nMorphisec’s Automated Moving Target Defense (AMTD) effectively stops attacks like those used by the Sticky\r\nWerewolf group, which typically include commodity RATs or stealers, at various stages of the attack chain.  \r\nMorphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its patented AMTD technology to\r\nprevent the attack at its earliest stages, preemptively blocking attacks on memory and applications, and effectively\r\nremoving the need for response.  \r\nSchedule a demo today to see how Morphisec stops Sticky Werewolf and other new emerging threats.   \r\nIOCs \r\nC2 \r\n79.132.128[.]47 \r\n94.156.8[.]166 \r\ndocument-cdn[.]org \r\n94.156.8[.]211 \r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has 
spoken at BlackHat and been recognized by\r\nMicrosoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at\r\nMorphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://www.morphisec.com/blog/sticky-werewolfs-aviation-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.morphisec.com/blog/sticky-werewolfs-aviation-attacks/"
	],
	"report_names": [
		"sticky-werewolfs-aviation-attacks"
	],
	"threat_actors": [
		{
			"id": "ce6c9df9-bf82-4e6c-b355-9285463a37c8",
			"created_at": "2025-03-07T02:00:03.792481Z",
			"updated_at": "2026-04-10T02:00:03.818734Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [
				"Sticky Werewolf"
			],
			"source_name": "MISPGALAXY:Angry Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434446,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9d3cb159192a761113884f585555498cf6ebd32.pdf",
		"text": "https://archive.orkl.eu/c9d3cb159192a761113884f585555498cf6ebd32.txt",
		"img": "https://archive.orkl.eu/c9d3cb159192a761113884f585555498cf6ebd32.jpg"
	}
}