Advanced Persistent Threat Group Launches Targeted Attacks Against Defense Contractors

CyberSecureFox 🦊

Cybersecurity researchers at FACCT have uncovered a sophisticated phishing campaign targeting defense and industrial enterprises. The operation, attributed to the advanced persistent threat (APT) group Sticky Werewolf (also known as PhaseShifters), demonstrates an evolution in tactics by impersonating government officials to compromise critical infrastructure targets.

Sophisticated Social Engineering Tactics Revealed

On January 13, 2025, security analysts intercepted malicious communications masquerading as official correspondence from the Ministry of Industry and Trade. The threat actors crafted elaborate messages concerning defense industry procurement processes, though several operational security failures in their social engineering approach ultimately exposed the campaign. These included inconsistencies in ministerial positions and conflicting dates across different versions of the phishing messages.

Technical Analysis of the Malware Infrastructure

The initial access vector was a password-protected RAR archive containing a weaponized executable disguised as a PDF document; the password protection prevents mail gateways from inspecting the archive's contents. Upon execution, the malware deploys Ozone RAT (Remote Access Trojan), establishing persistent backdoor access to compromised systems. The RAT lets the operators keep long-term unauthorized access while evading conventional security controls.
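The delivery pattern above (an encrypted archive that a gateway cannot open, wrapping an executable whose name imitates a document) is something a mail-filtering pipeline can flag before a user ever sees it. The following is an added example written for this article, not code from FACCT or from the campaign's tooling; the attachment manifest format, the field names and the sample file names are constructed assumptions, and it only checks metadata that a gateway already has (file names and the archive's encrypted flag), so it runs offline.

```python
"""Triage email attachment manifests for the delivery pattern discussed above.

Added example. The Attachment record, its fields and the sample manifest are
constructed assumptions; a real gateway would populate them from its parser.
"""
import re
from dataclasses import dataclass, field

# Extensions that Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl", "bat", "cmd",
                   "js", "vbs", "hta", "msi", "lnk"}
# Extensions a lure typically imitates.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
RTLO = "\u202e"  # right-to-left override, used to visually reverse a file name


@dataclass
class Attachment:
    name: str
    password_protected: bool = False          # archive is encrypted (assumed field)
    members: list = field(default_factory=list)  # file names inside an archive


def split_ext(name: str) -> str:
    """Return the final extension in lower case, or '' when there is none."""
    parts = name.lower().strip().split(".")
    return parts[-1] if len(parts) > 1 else ""


def disguised_executable(name: str) -> bool:
    """True when a name looks like a document but would run as an executable.

    Catches 'Contract.pdf.exe', 'Contract.pdf   .scr' (whitespace padding so the
    real extension scrolls out of view) and names carrying a RTLO character.
    """
    if RTLO in name:
        return True
    lowered = name.lower().strip()
    ext = split_ext(lowered)
    if ext not in EXECUTABLE_EXTS:
        return False
    # Strip the real extension and any whitespace padding, then look at what is
    # left: a document extension there means the name is a lookalike.
    stem = re.sub(r"\s+", "", lowered[: -(len(ext) + 1)])
    return split_ext(stem) in DOCUMENT_EXTS


def triage(att: Attachment) -> list:
    """Return a list of human-readable findings; an empty list means no concern."""
    findings = []
    if split_ext(att.name) in ARCHIVE_EXTS and att.password_protected:
        findings.append("password-protected archive bypasses content inspection")
    for member in att.members:
        if disguised_executable(member):
            findings.append(f"archive member {member!r} is an executable posing as a document")
        elif split_ext(member) in EXECUTABLE_EXTS:
            findings.append(f"archive member {member!r} is an executable")
    if disguised_executable(att.name):
        findings.append(f"attachment {att.name!r} is an executable posing as a document")
    return findings


def triage_manifest(manifest: list) -> dict:
    """Map each attachment name to its findings, keeping only flagged ones."""
    return {att.name: f for att in manifest if (f := triage(att))}


# Constructed sample manifest mirroring the lure described in the article.
SAMPLE_MANIFEST = [
    Attachment("Procurement_notice.rar", password_protected=True,
               members=["Procurement_notice.pdf.exe"]),
    Attachment("Agenda.pdf"),
    Attachment("specs.zip", members=["specs.docx", "readme.txt"]),
]

if __name__ == "__main__":
    for name, findings in triage_manifest(SAMPLE_MANIFEST).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Running the block prints only the first attachment, with two findings: the archive is encrypted, and its single member is an executable named to look like a PDF. Either finding alone is a reason to quarantine the message for review; together they match the campaign's delivery chain closely enough to justify blocking outright.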

Malware Capabilities and Infrastructure

Technical analysis reveals the deployment of multiple malicious tools, including Darktrack RAT and information-stealing modules such as Glory Stealer and MetaStealer. These tools are designed to exfiltrate sensitive data while maintaining persistent access to compromised networks. The attack infrastructure shows careful operational security on the attackers' side, including multi-stage delivery mechanisms and encrypted command-and-control channels.

Strategic Targeting and Historical Context

Investigation into Sticky Werewolf’s activities revealed a previous attack wave launched on December 23, 2024, indicating an ongoing campaign targeting critical infrastructure. The group’s primary targets include government institutions, research facilities, and defense industry enterprises across Eastern Europe, with a particular focus on organizations in Russia, Belarus, and Poland.

This campaign highlights the increasing sophistication of targeted attacks against critical infrastructure and defense industries. Organizations must implement comprehensive security measures, including advanced email filtering systems, regular security awareness training, and robust endpoint protection solutions. The evolving nature of these threats emphasizes the importance of maintaining a proactive security posture and implementing defense-in-depth strategies to protect sensitive assets and intellectual property.
