Cyber Security News

Squid Werewolf Mimics Recruiters to Target Job Seekers and Steal Personal Data

In a sophisticated phishing campaign uncovered by the BI.ZONE Threat Intelligence team, the Squid Werewolf group, also known as APT37, has been impersonating recruiters to target key employees in various organizations.

This espionage cluster uses fake job opportunities to lure victims into opening malicious attachments, which ultimately lead to system compromise and data theft.

Phishing Tactics and Techniques

The attack begins with a phishing email that appears to be a job offer from a legitimate company, often using recognizable logos to enhance credibility.

Squid Werewolf Squid Werewolf
Phishing email sent by the threat actor

The email contains a password-protected ZIP archive named “Предложение о работе.zip,” which includes a malicious LNK file disguised as a PDF document.

Once opened, this LNK file executes a PowerShell command that decodes a Base64-encoded payload, leading to the creation of several files, including d.exe, d.exe.config, and DomainManager.dll.

These files are placed in the system’s startup folder to ensure persistence.

The d.exe file is a renamed version of the legitimate dfsvc.exe, used to masquerade as a system utility.

The PowerShell command also triggers the execution of a .NET loader, which is obfuscated using Obfuscar.

This loader checks for internet connectivity and employs time-based evasion techniques to avoid detection in sandbox environments.

It further decrypts and executes payloads encrypted with AES128 CBC, either from a local file or downloaded from a remote server.

The loader modifies registry settings to disable autorun from the startup folder, ensuring stealthy operation.

Phishing document mngs Attachement.pdf

Mitigation and Detection

According to the Report, To protect against such threats, organizations are advised to implement robust email protection solutions that can analyze and block suspicious attachments and links.

Advanced threat detection tools like Endpoint Detection and Response (EDR) systems are crucial for identifying and mitigating these sophisticated attacks.

BI.ZONE’s EDR offers specific detection rules for suspicious PowerShell activity and file creation in startup folders, which can help in early detection of Squid Werewolf’s tactics.

The Squid Werewolf group’s use of advanced obfuscation techniques and encryption highlights the evolving nature of cyber threats.

Staying informed about the latest tactics and tools used by threat actors is essential for maintaining effective cybersecurity strategies.

By leveraging threat intelligence and implementing comprehensive security measures, organizations can better safeguard their systems and data against these sophisticated phishing campaigns.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

1 day ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

1 day ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

1 day ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

1 day ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

1 day ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago