Cyber Security News

Squid Werewolf Mimics Recruiters to Target Job Seekers and Steal Personal Data

In a sophisticated phishing campaign uncovered by the BI.ZONE Threat Intelligence team, the Squid Werewolf group, also known as APT37, has been impersonating recruiters to target key employees in various organizations.

This espionage cluster uses fake job opportunities to lure victims into opening malicious attachments, which ultimately lead to system compromise and data theft.

Phishing Tactics and Techniques

The attack begins with a phishing email that appears to be a job offer from a legitimate company, often using recognizable logos to enhance credibility.

Phishing email sent by the threat actor

The email contains a password-protected ZIP archive named “Предложение о работе.zip,” which includes a malicious LNK file disguised as a PDF document.

Once opened, this LNK file executes a PowerShell command that decodes a Base64-encoded payload, leading to the creation of several files, including d.exe, d.exe.config, and DomainManager.dll.

These files are placed in the system’s startup folder to ensure persistence.

The d.exe file is a renamed version of the legitimate dfsvc.exe, used to masquerade as a system utility.

The PowerShell command also triggers the execution of a .NET loader, which is obfuscated using Obfuscar.

This loader checks for internet connectivity and employs time-based evasion techniques to avoid detection in sandbox environments.

It further decrypts and executes payloads encrypted with AES128 CBC, either from a local file or downloaded from a remote server.

The loader modifies registry settings to disable autorun from the startup folder, ensuring stealthy operation.

Phishing document mngs Attachement.pdf

Mitigation and Detection

According to the Report, To protect against such threats, organizations are advised to implement robust email protection solutions that can analyze and block suspicious attachments and links.

Advanced threat detection tools like Endpoint Detection and Response (EDR) systems are crucial for identifying and mitigating these sophisticated attacks.

BI.ZONE’s EDR offers specific detection rules for suspicious PowerShell activity and file creation in startup folders, which can help in early detection of Squid Werewolf’s tactics.

The Squid Werewolf group’s use of advanced obfuscation techniques and encryption highlights the evolving nature of cyber threats.

Staying informed about the latest tactics and tools used by threat actors is essential for maintaining effective cybersecurity strategies.

By leveraging threat intelligence and implementing comprehensive security measures, organizations can better safeguard their systems and data against these sophisticated phishing campaigns.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Electromagnetic Side-Channel Analysis of Cryptographically Secured Devices

Electromagnetic (EM) side-channel analysis has emerged as a significant threat to cryptographically secured devices, particularly…

54 seconds ago

MirrorGuard: Adaptive Defense Mechanism Against Jailbreak Attacks for Secure Deployments

A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large language…

19 minutes ago

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and…

22 minutes ago

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known as…

4 hours ago

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd)…

4 hours ago

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple…

4 hours ago