
Security researchers from F6’s Threat Intelligence team have identified a new wave of cyberespionage attacks attributed to the advanced persistent threat (APT) group Core Werewolf. The campaign, active as of early May 2025, primarily targets military organizations in Belarus and Russia using remote access tools like UltraVNC [1]. This follows a broader trend of politically motivated attacks against Eastern European defense sectors, with F.A.C.C.T. reporting a 116% year-over-year increase in such incidents [3].
Attack Methodology and Tools
Core Werewolf’s latest campaign employs a combination of legitimate remote administration tools and custom malware. The group was observed using UltraVNC for persistent access to compromised systems, a technique that blends in with normal network traffic. This matches previous patterns seen in attacks by related groups like Sticky Werewolf, which used Rhadamanthys stealer and Darktrack RAT against government targets [2].
Initial access vectors appear to include phishing campaigns and exploitation of subcontractor networks. The attackers demonstrate knowledge of military procurement processes, often targeting smaller suppliers as entry points to larger defense organizations. This supply-chain approach mirrors tactics seen in historical attacks like NotPetya, which caused $10 billion in damages through similar methods [4].
Broader Threat Landscape
F.A.C.C.T.’s Q2 2024 report identifies nine active APT groups operating against Russian and CIS targets, with Core Werewolf responsible for at least nine documented attacks [3]. Other notable threats include:
- PhantomCore’s new Go-based loader
- ReaverBits/XDSpy targeting state financial systems
- Mimic Wolf ransomware-as-a-service operations
Elena Shamshina of F.A.C.C.T. predicts these groups will expand beyond traditional government and military targets to include critical infrastructure sectors [3].
Detection and Mitigation
Organizations should monitor for suspicious UltraVNC connections, particularly those originating from unexpected locations or outside normal business hours. Network defenders should:
- Audit remote access tool permissions
- Implement application allowlisting
- Monitor subcontractor network connections
- Review authentication logs for anomalous VPN access
The use of legitimate tools makes detection challenging, requiring behavioral analysis rather than signature-based approaches. F6’s report notes that Core Werewolf frequently modifies its tactics, suggesting defenders should prioritize anomaly detection over static indicators [1].
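As an added example (not from F6’s or F.A.C.C.T.’s reports), the following Python pass applies the checks above to constructed firewall records: it keeps only allowed sessions to the default RFB ports UltraVNC listens on, flags those outside business hours or from outside an assumed admin jump-host range, and adds a behavioral check for one source fanning out to many VNC hosts. The log format, the 10.20.0.0/16 admin range and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

VNC_PORTS = {5900, 5901}                         # default RFB listener ports used by UltraVNC
BUSINESS_HOURS = range(8, 19)                    # 08:00-18:59 local time, Monday to Friday
EXPECTED_SOURCES = [ip_network("10.20.0.0/16")]  # assumption: the admin jump-host range
FANOUT_LIMIT = 3                                 # distinct VNC targets per source before alerting
SAMPLE_LINES = [  # constructed firewall records: "<ISO ts> <src> -> <dst>:<port> <action>"
    "2025-05-05T10:15:00 10.20.4.7 -> 10.50.1.20:5900 ALLOW",     # Monday, admin range: baseline
    "2025-05-05T23:40:00 10.20.4.7 -> 10.50.1.20:5900 ALLOW",     # same host, late at night
    "2025-05-06T11:05:00 172.16.9.30 -> 10.50.1.21:5900 ALLOW",   # not from the admin range
    "2025-05-04T03:12:00 203.0.113.44 -> 10.50.1.22:5901 ALLOW",  # Sunday, external source
    "2025-05-06T09:30:00 203.0.113.44 -> 10.50.1.23:5900 ALLOW",  # external, then fans out...
    "2025-05-06T09:31:00 203.0.113.44 -> 10.50.1.24:5900 ALLOW",  # ...to a third target
    "2025-05-05T11:00:00 10.20.4.7 -> 10.50.1.20:443 ALLOW",      # not VNC, ignored
    "2025-05-06T14:00:00 10.20.4.7 -> 10.50.1.23:5900 DENY",      # blocked, ignored
]

def parse_line(line):
    """Split one record into (timestamp, src, dst, port, action)."""
    ts, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action

def session_reasons(ts, src):
    """Per-session checks: outside business hours, or from an unexpected network."""
    reasons = []
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if not any(ip_address(src) in net for net in EXPECTED_SOURCES):
        reasons.append("unexpected source network")
    return reasons

def scan(lines):
    """Return {(src, dst, label): reasons} for allowed VNC sessions worth review."""
    findings, targets = {}, defaultdict(set)
    for line in lines:
        ts, src, dst, port, action = parse_line(line)
        if port not in VNC_PORTS or action != "ALLOW":
            continue                                  # only established VNC sessions matter here
        targets[src].add(dst)
        reasons = session_reasons(ts, src)
        if reasons:
            findings[(src, dst, ts.isoformat())] = reasons
    for src, dsts in targets.items():                 # behavioral check: one source, many hosts
        if len(dsts) >= FANOUT_LIMIT:
            findings[(src, "*", "fan-out")] = [f"{len(dsts)} distinct VNC targets"]
    return findings
```

Running `scan(SAMPLE_LINES)` yields five per-session findings plus one fan-out alert for 203.0.113.44; the baseline admin session, the non-VNC port and the denied connection produce nothing.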
Conclusion
The Core Werewolf campaign demonstrates the continued evolution of APT tactics in Eastern Europe. With geopolitical tensions remaining high, organizations in the defense sector and related supply chains should assume they are targets and implement corresponding security measures. The reuse of techniques across related groups suggests possible shared infrastructure or knowledge transfer between threat actors.
References
[1] “Core Werewolf spies attacked military organizations in Belarus and Russia” (in Russian), CNews, May 6, 2025. [Online]. Available: https://safe.cnews.ru/news/line/2025-05-06_shpiony_core_werewolf_atakovali
[2] “Sticky Werewolf spies attack government organizations in Russia and Belarus” (in Russian), BI.ZONE, 2024. [Online]. Available: https://bi.zone/expertise/blog/shpiony-sticky-werewolf-atakuyut-gosudarstvennye-organizatsii-rossii-i-belarusi
[3] “Attacks on the record: professional hackers keep targeting organizations in Russia” (in Russian), Forbes Russia, 2024. [Online]. Available: https://www.forbes.ru/tekhnologii/516694-ataki-zapisem-hakery-profi-prodolzaut-napadat-na-organizacii-v-rossii
[4] “APT collateral damage” (in Russian), Kaspersky. [Online]. Available: https://www.kaspersky.ru/blog/apt-collateral-damage/27588/