Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations
In March 2025, BI.ZONE Threat Intelligence uncovered two new campaigns by Silent Werewolf. The first one focused on Russian organizations exclusively while the second targeted both Moldovan and, presumably, Russian companies. The attackers employed two separate loader instances to retrieve the malicious payload from their C2 server. Unfortunately, the payload itself was not available at the time of this research. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used XDigo malware.
Adversaries often send phishing emails that impersonate major or well-known organizations, or reference them for credibility. The stronger the brand, the more likely threat actors are to exploit its identity: recognizable logos and other branding elements make phishing emails appear more authentic and prompt victims to open them. It is important to remember that the brands themselves cannot be held liable for the actions of criminals or the resulting damage.
Key findings
- Phishing emails remain the adversaries’ preferred technique for targeted attacks, particularly those involving espionage.
- The threat actor hinders payload retrieval to impede further analysis.
- The extensive use of legitimate tools and malware code obfuscation allows the attackers to stay undetected for longer periods to achieve their goals.
To read the complete article, see: https://bi.zone/eng/expertise/blog/silent-werewolf-ispolzuet-novye-zagruzchiki-v-atakakh-na-rossiyskie-i-moldavskie-organizatsii/