A sophisticated APT group known as Scaly Wolf has executed a persistent multi-year campaign against a Russian engineering enterprise, employing advanced malware techniques and social engineering tactics to penetrate corporate defenses.
Doctor Web’s latest investigation reveals how the threat actors returned in 2025 with enhanced capabilities and new attack vectors, successfully compromising multiple systems through a combination of phishing campaigns, custom trojans, and legitimate administrative tools.
Advanced Phishing Campaign Delivers Custom Malware
The 2025 attack commenced in early May when the targeted company began receiving finance-related phishing emails containing password-protected ZIP archives and decoy PDF documents.
These messages employed sophisticated social engineering, presenting themselves as legitimate financial documents while concealing the malicious Trojan.Updatar.1 executable behind double extensions such as “Акт Сверки.pdf.exe”, so that the file appeared to the user as a PDF rather than a program.
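The lure described above relies on a filename trick that is visible in the archive listing even when the ZIP is password-protected, because ZIP encryption covers file contents, not file names. The following is an added example (not code from the original article or from Doctor Web) that builds a constructed archive mirroring the one described, then scans the central directory for double extensions that end in an executable type. The sample file names and contents are constructed for illustration; the decoy and executable extension lists are assumptions for this example.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions that Windows will execute when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Document extensions commonly used as the "visible" half of a double extension (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


@dataclass
class Finding:
    name: str        # member name as stored in the archive
    reason: str      # why it was flagged
    encrypted: bool  # whether the member's contents are password-protected


def _extensions(member_name: str) -> list:
    """Return all dotted suffixes of the base name, lower-cased, e.g. ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_archive(data: bytes) -> list:
    """Scan a ZIP's central directory and flag executable members.

    Names are readable without the password, so this works on
    password-protected archives too; only contents are encrypted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts or exts[-1] not in EXECUTABLE_EXTS:
                continue
            # Bit 0 of the general-purpose flag marks traditional ZIP encryption.
            encrypted = bool(info.flag_bits & 0x1)
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
                reason = "double extension: document extension followed by executable"
            else:
                reason = "executable member inside archive"
            findings.append(Finding(info.filename, reason, encrypted))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive shaped like the lure in the report (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Decoy document: harmless on its own.
        zf.writestr("Акт Сверки.pdf", b"%PDF-1.4\n% constructed decoy\n")
        # Double-extension member: looks like a PDF in Explorer with extensions hidden.
        zf.writestr("Акт Сверки.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f.name!r}: {f.reason} (encrypted={f.encrypted})")
```

In a mail gateway this check runs before any attempt to extract the archive, so it does not need the password from the email body; a hit on a document-then-executable pattern is a strong signal to quarantine regardless of what the contents turn out to be.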
The threat actors demonstrated notable technical evolution since their previous 2023 campaign, implementing what researchers dubbed “RockYou Obfuscation,” a technique that initializes strings from the RockYou.txt password dictionary to mask the trojan’s real functionality.
This method randomizes XOR keys and offsets for each sample, significantly complicating malware analysis while maintaining operational effectiveness.
Multi-Stage Infrastructure Compromise
Following initial infection on May 12, 2025, the attackers deployed a multi-component backdoor consisting of the Trojan.Updatar.2 and Trojan.Updatar.3 modules.
The campaign utilized multiple command-and-control servers, with the primary domain roscosmosmeet[.]online serving as the main malware distribution point, while various modules communicated through updating-services[.]com and adobe-updater[.]net.
The threat actors demonstrated advanced post-exploitation capabilities by deploying legitimate penetration testing tools, including Meterpreter from the Metasploit framework, Tool.HandleKatz for credential dumping, and Program.Rdpwrap.7 for persistent remote access.
When encountering Dr.Web antivirus protection on secondary targets, the attackers pivoted to RemCom (Program.RemoteAdmin.877), a legitimate remote administration tool that was not blocked by the default security configuration.
Persistent Threat with Historical Context
This campaign represents a continuation of Scaly Wolf’s 2023 operations against the same enterprise, where they previously utilized WhiteSnake Stealer (Trojan.Siggen21.39882) and JS.BackDoor.60 for espionage activities.
The group’s persistence demonstrates its significant interest in the target’s corporate secrets and infrastructure intelligence.
The investigation revealed that unprotected systems succumbed to infection within hours, while machines equipped with properly configured Dr.Web antivirus successfully blocked multiple intrusion attempts.
This case underscores the critical importance of comprehensive endpoint protection and proper security configuration in defending against sophisticated APT campaigns targeting industrial enterprises.