{
	"id": "0823bf1d-df50-47e0-89ef-0f14ad5cd5bf",
	"created_at": "2026-04-06T00:17:52.793318Z",
	"updated_at": "2026-04-10T03:35:36.878999Z",
	"deleted_at": null,
	"sha1_hash": "cab74e737c8cd7664a3b53640b6d99e090693553",
	"title": "Core Werewolf targets the defense industry and critical infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3113983,
	"plain_text": "Core Werewolf targets the defense industry and critical\r\ninfrastructure\r\nPublished: 2026-03-12 · Archived: 2026-04-05 12:52:34 UTC\r\nThe file used in the first attack that we uncovered was uploaded to VirusTotal on August 6, 2021. Curiously\r\nenough, the malicious files were always disguised as Microsoft Word or PDF documents, even though these were\r\nexecutables in self-extracting archives. For example, Прил._7_критерии_оценки_...ГУВП.docx.exe\r\n(Appendix 7. Assessment criteria). Hence, the content of the documents did not raise any concern with the user.\r\nHowever, opening the file triggered the background installation of UltraVNC. This enabled the attackers to gain\r\ncomplete control over compromised devices.\r\nThe file discovered first contained an order of a defense organization (fig. 1).\r\nFig. 1. Excerpt of the document used by the attackers\r\nThe file detected next was posted on December 16, 2021. The phishing document included an internal order\r\nby one of the largest joint-stock companies in Russia (fig. 2).\r\nhttps://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/\r\nPage 1 of 17\n\nFig. 2. Excerpt of the document used by the attackers\r\nIt had been a while before another attack followed. The file was spotted on April 12, 2022 and contained a resume\r\n(fig. 3).\r\nFig. 3. Excerpt of the document used by the attackers\r\nThe file from the next attack was uploaded on April 18, 2022 and targeted the employees of some defense\r\norganizations (fig. 4).\r\nhttps://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/\r\nPage 2 of 17\n\nFig. 4. Excerpt of the document used by the attackers\r\nAnother file was posted on April 27, 2022 and was dedicated to the military discharge (fig. 5).\r\nFig. 5. 
Excerpt of the document used by the attackers\r\nIn their new attack, with the respective file uploaded on May 8, 2022, the criminals again attached an order\r\nof a defense organization (fig. 6).\r\nFig. 6. Excerpt of the document used by the attackers\r\nOn May 12, 2022, a new file was published on VirusTotal. This time, the attackers sent methodological\r\nrecommendations of another defense organization (fig. 7).\r\nFig. 7. Excerpt of the document used by the attackers\r\nThe file uploaded on May 27, 2022 again contained an order (fig. 8).\r\nFig. 8. Excerpt of the document used by the attackers\r\nThe summer attacks started with a file posted on June 13, 2022. Disguised as a decree of the Government\r\nof the Russian Federation, the document amended the state regulation of prices for products supplied under\r\nthe state defense order (fig. 9).\r\nFig. 9. Excerpt of the document used by the attackers\r\nThe next attack, with the file uploaded on June 28, 2022, used some guidelines to victimize the users (fig. 10).\r\nFig. 10. Excerpt of the document\r\nused by the attackers\r\nJuly was marked by an attack that leveraged a document issued by the Department of the Federal Service for\r\nTechnical and Export Control (FSTEK) of Russia for the Northwestern Federal District. 
It described the measures\r\nto reinforce the protection of information infrastructure facilities in Russia.\r\nThe file published on VirusTotal on July 20, 2022 contained another administrative document related\r\nto the defense sector.\r\nThe file uploaded on July 27, 2022 came as a resume, yet of a different person (fig. 11).\r\nFig. 11. Excerpt of the document used by the attackers\r\nIn August, the criminals once again used an order as a phishing document (fig. 12).\r\nFig. 12. Excerpt of the document used by the attackers\r\nIn September, the attackers went even further and, instead of some regular order, attached a document marked\r\n“For official use only.”\r\nThe October attack featured yet another decree of the Government of the Russian Federation. The document\r\nintroduced amendments to the national program on the development of the nuclear power industry (fig. 13).\r\nFig. 13. Excerpt of the document used by the attackers\r\nThe first attack held in November (the malicious file was uploaded on November 2) used a cold supply diagram\r\nfor a special-purpose high-performance computing complex.\r\nOn the following day, a new file was posted, this time containing a set of diagrams.\r\nThe next attack in November employed the group’s favored type of document, that is, related to defense industry\r\noperations (fig. 14).\r\nFig. 14. Excerpt of the document used by the attackers\r\nThe December attack was once again focused on the defense sector employees (fig. 15).\r\nFig. 
15.\r\nExcerpt of the document used by the attackers\r\nThe first attack in 2023 used a request form as a phishing document (fig. 16).\r\nFig. 16. Excerpt of the document used by the attackers\r\nThe next attack took place in January. The phishing document provided the methodological recommendations\r\non the exemption from active service of Russian citizens being in the military reserves of the Russian Federation\r\nand working in certain organizations, for the period of mobilization and wartime (fig. 17).\r\nFig. 17. Excerpt of the document used by the attackers\r\nIn February 2023, the attackers got back to sending resumes as phishing documents (fig. 18).\r\nFig. 18. Excerpt of the document used by the attackers\r\nIn March 2023, Core Werewolf once again attached a copy of a document meant for official use only.\r\nOn March 20, 2023, one more file was uploaded to VirusTotal with the phishing document targeting defense\r\nindustry personnel.\r\nApril 2023 saw the group’s repeated attempt to use a resume for phishing purposes (fig. 19).\r\nFig. 19. Excerpt of the document used by the attackers\r\nThe attack that occurred in May featured yet another order (fig. 20).\r\nFig. 20. Excerpt of the document used by the attackers\r\nIn each of the campaigns, the devices were compromised in a similar way. 
Therefore, the adversary tactics,\r\ntechniques, and procedures listed in the section below apply to all of the attacks.\r\nSource: https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/"
	],
	"report_names": [
		"core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury"
	],
	"threat_actors": [
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775792136,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cab74e737c8cd7664a3b53640b6d99e090693553.pdf",
		"text": "https://archive.orkl.eu/cab74e737c8cd7664a3b53640b6d99e090693553.txt",
		"img": "https://archive.orkl.eu/cab74e737c8cd7664a3b53640b6d99e090693553.jpg"
	}
}