Summary: A new report from Kaspersky reveals that the threat actor Paper Werewolf has been launching targeted attacks against Russian organizations using a malware implant called PowerModul. In the attacks, which occurred between July and December 2024, phishing emails containing malicious documents were sent to organizations in various sectors, including government and telecommunications. These campaigns not only facilitate espionage but also incorporate disruptive tactics to change employee credentials.
Affected: Russian entities, including mass media, telecommunications, construction, government, and energy sectors
Keypoints:
- Paper Werewolf has conducted at least seven campaigns since 2022, focusing on government and energy sectors.
- The initial access is gained through phishing emails with macro-laden documents that deploy a PowerShell-based remote access trojan, PowerRAT.
- PowerModul serves as a backdoor to execute and download further payloads like FlashFileGrabber and PowerTaskel, enhancing the threat actor’s control over compromised systems.
- Kaspersky notes an increased use of refined methods, such as malicious Word documents with VBA scripts for infections.
- A related threat group, Sapphire Werewolf, has been observed in a phishing campaign distributing an updated version of the Amethyst Stealer.
Source: https://thehackernews.com/2025/04/paper-werewolf-deploys-powermodul.html