
Hackers posed as Kyrgyz officials to target organizations in Russia

Experts from BI.ZONE reported on the activities of the hacker group Sticky Werewolf (also known as Cavalry Werewolf), which has carried out at least 30 attacks on government organizations in Russia and Belarus since April 2023. To disguise themselves, the attackers used email addresses resembling those of Kyrgyz government officials, and in some cases even real addresses listed on official Kyrgyzstan websites.

According to BI.ZONE, the hackers sent phishing emails labeled "important documents". The attachments contained malicious files disguised as PDF or Word documents that installed remote access tools (Ozone RAT or Darktrack RAT). These tools allowed the attackers to gain full control over victims' computers: intercept passwords and messages, record audio and video via microphones and webcams, and remotely manage files and processes.

To bypass antivirus software and hinder analysis, Sticky Werewolf used protective technologies such as Themida. The group also used the IP Logger service to collect victims' data, including IP addresses, locations, browsers, and operating systems.

Experts note that the group does not use expensive or unique tools but relies on readily available malware-as-a-service. Despite this simplicity, the attacks were successful due to weak cybersecurity in the targeted government organizations.

The identities of the victims have not been disclosed.
