In a sophisticated phishing campaign uncovered by the BI.ZONE Threat Intelligence team, the Squid Werewolf group, also known as APT37, has been impersonating recruiters to target key employees in various organizations.
This espionage cluster uses fake job opportunities to lure victims into opening malicious attachments, which ultimately lead to system compromise and data theft.
The attack begins with a phishing email that appears to be a job offer from a legitimate company, often using recognizable logos to enhance credibility.
The email contains a password-protected ZIP archive named “Предложение о работе.zip,” which includes a malicious LNK file disguised as a PDF document.
Once opened, this LNK file executes a PowerShell command that decodes a Base64-encoded payload, leading to the creation of several files, including d.exe
, d.exe.config
, and DomainManager.dll
.
These files are placed in the system’s startup folder to ensure persistence.
The d.exe
file is a renamed version of the legitimate dfsvc.exe
, used to masquerade as a system utility.
The PowerShell command also triggers the execution of a .NET loader, which is obfuscated using Obfuscar.
This loader checks for internet connectivity and employs time-based evasion techniques to avoid detection in sandbox environments.
It further decrypts and executes payloads encrypted with AES128 CBC, either from a local file or downloaded from a remote server.
The loader modifies registry settings to disable autorun from the startup folder, ensuring stealthy operation.
mngs Attachement.pdf
According to the Report, To protect against such threats, organizations are advised to implement robust email protection solutions that can analyze and block suspicious attachments and links.
Advanced threat detection tools like Endpoint Detection and Response (EDR) systems are crucial for identifying and mitigating these sophisticated attacks.
BI.ZONE’s EDR offers specific detection rules for suspicious PowerShell activity and file creation in startup folders, which can help in early detection of Squid Werewolf’s tactics.
The Squid Werewolf group’s use of advanced obfuscation techniques and encryption highlights the evolving nature of cyber threats.
Staying informed about the latest tactics and tools used by threat actors is essential for maintaining effective cybersecurity strategies.
By leveraging threat intelligence and implementing comprehensive security measures, organizations can better safeguard their systems and data against these sophisticated phishing campaigns.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…