Cyber Security News

Squid Werewolf Mimics Recruiters to Target Job Seekers and Steal Personal Data

In a sophisticated phishing campaign uncovered by the BI.ZONE Threat Intelligence team, the Squid Werewolf group, also known as APT37, has been impersonating recruiters to target key employees in various organizations.

This espionage cluster uses fake job opportunities to lure victims into opening malicious attachments, which ultimately lead to system compromise and data theft.

Phishing Tactics and Techniques

The attack begins with a phishing email that appears to be a job offer from a legitimate company, often using recognizable logos to enhance credibility.

Squid Werewolf Squid Werewolf
Phishing email sent by the threat actor

The email contains a password-protected ZIP archive named “Предложение о работе.zip,” which includes a malicious LNK file disguised as a PDF document.

Once opened, this LNK file executes a PowerShell command that decodes a Base64-encoded payload, leading to the creation of several files, including d.exe, d.exe.config, and DomainManager.dll.

These files are placed in the system’s startup folder to ensure persistence.

The d.exe file is a renamed version of the legitimate dfsvc.exe, used to masquerade as a system utility.

The PowerShell command also triggers the execution of a .NET loader, which is obfuscated using Obfuscar.

This loader checks for internet connectivity and employs time-based evasion techniques to avoid detection in sandbox environments.

It further decrypts and executes payloads encrypted with AES128 CBC, either from a local file or downloaded from a remote server.

The loader modifies registry settings to disable autorun from the startup folder, ensuring stealthy operation.

Phishing document mngs Attachement.pdf

Mitigation and Detection

According to the Report, To protect against such threats, organizations are advised to implement robust email protection solutions that can analyze and block suspicious attachments and links.

Advanced threat detection tools like Endpoint Detection and Response (EDR) systems are crucial for identifying and mitigating these sophisticated attacks.

BI.ZONE’s EDR offers specific detection rules for suspicious PowerShell activity and file creation in startup folders, which can help in early detection of Squid Werewolf’s tactics.

The Squid Werewolf group’s use of advanced obfuscation techniques and encryption highlights the evolving nature of cyber threats.

Staying informed about the latest tactics and tools used by threat actors is essential for maintaining effective cybersecurity strategies.

By leveraging threat intelligence and implementing comprehensive security measures, organizations can better safeguard their systems and data against these sophisticated phishing campaigns.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

4 minutes ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

17 minutes ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

46 minutes ago

CISA Warns of Cyber Threats to Oil and Gas SCADA and ICS Networks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning critical infrastructure…

55 minutes ago

Russian Company Gains Full Control Over Critical Open Source Easyjson Library

A startling discovery by Hunted Labs has brought to light a potential security risk lurking…

1 hour ago

Researchers Simulate DPRK’s Largest Cryptocurrency Heist Through Compromised macOS Developer and AWS Pivoting

Security researchers at Elastic have recreated the intricate details of the February 21, 2025, ByBit…

2 hours ago