Cybersecurity Tech Investment Planning: Use annual loss expectancy to build a business case
arrow-white arrow-white Download now

Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

Posted by Arnold Osipov on June 6, 2024
Find me on:

Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent.


Sticky Werewolf is a cyber threat group first detected in April 2023; early activities primarily targeted public organizations in Russia and Belarus. The group’s operations have since extended to several sectors, targeting a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and more.  

In their most recent campaign, Sticky Werewolf have targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall (a Moscow-based company involved in the production and maintenance of aircraft and spacecraft). In previous campaigns the group used phishing emails with links to malicious files. This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers. 


Infection Chain 

In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like However, in their latest campaign, the infection method has changed.  

The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload. 

Attack chain diagram of Sticky Werewolf attacks

Technical Analysis

Phishing Email

The phishing email, purportedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall, targets individuals in the aerospace and defense sector.  

The email invites recipients to a video conference on future cooperation, providing a password-protected archive that containing a malicious payload, and aims to deceive recipients into opening the harmful attachment under the lure of a legitimate business invitation. 

Typical Sticky Werewolf Phising Email

Email Attachment 

The initial archive delivered in the phishing email contains three files designed to deceive the recipient into executing at least one of the malicious email’s contents.  

The archive includes: 

  • A Decoy PDF File: This file serves as a distraction, providing seemingly legitimate content to reduce suspicion while the LNK files execute the malicious payload. 
  • Two LNK Files Masquerading as DOCX Documents:
    • Повестка совещания.docx.lnk (Meeting agenda): This file is intended to appear as a legitimate document outlining the meeting agenda. 
    • Список рассылки.docx.lnk (Mailing list): This file is disguised as a document containing the distribution list for the meeting. 


The PDF file, included as a decoy in the phishing archive, is an invitation to a video conference organized by AO "OKB Kristall" with key enterprises of the "Russian Helicopters" holding. The conference aims to discuss "Issues of prospective cooperation 2024-2025." 

The PDF also references the two malicious LNK files as attachments, increasing the likelihood of the recipient opening them. 

  • Meeting agenda (Повестка совещания.docx.lnk) 
  • Mailing list (Список рассылки.docx.lnk) 
PDF sent by Sticky Werewolf in phishing email



Once the victim clicks the LNK files, the following actions will be triggered: 

First LNK - Повестка совещания.docx.lnk (Meeting agenda) 

Executes the command which performs multiple actions: 

Command line code run after clicking LNK within the .PDF


1. Registry Entry for Persistence: Adds a registry entry to run WINWORD.exe from a network share (\\94.156.8[.]166\Microsoft Office Word$\WINWORD.exe) on login.

2. Decoy Message: Displays a message in Russian indicating a document opening error, claiming the file is corrupted.

Fake "message from John" generated by the LNK file.

3. Copies image.jpg from another network share (\\79.132.128[.]47\image.jpg) to the local root directory. The file was unavailable at the time of research and is suspected to be used as a decoy. 

Second LNK - Список рассылки.docx.lnk (Mailing List) 

Executes the command \\document-cdn[.]org\Microsoft Office Word$\WINWORD.exe, which will launch the same executable as in the first LNK file, this time with the domain name resolved by the above IP (at the time of writing). 


CypherIT Loader / Crypter 

Once the victim clicks the LNK file, the executable from the network share begins running. This executable is an NSIS self-extracting archive which is part of a previously known crypter named CypherIT.  

This crypter has been used for several years to deliver malicious payloads in various campaigns by multiple threat actors. While the original CypherIT crypter is no longer being sold, the current executable is a variant of it, as observed in couple of hacking forums. 

The NSIS archive extracts its files into the $INTERNET_CACHE directory, which corresponds to %LocalAppData%\Microsoft\Windows\INetCache, and is typically used for Internet Explorer's temporary files. After extraction, the installer runs one of the files, an obfuscated batch script. 


Batch Script

This batch script performs several operations: 

  • Delay Execution: If wrsa.exe or opssvc.exe processes are running, the script delays execution by running ping -n 193 
  • Change Filenames: If any of the following processes are present: avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe, the script changes the filenames for the next stage AutoIt executable and script file extension. 
  • File Concatenation: Concatenates multiple files into two files: 
    • A legitimate AutoIt executable. 
    • A compiled AutoIt script. 
  • Execute AutoIt: Runs the AutoIt executable, passing the compiled script as an argument. 

Process Name 



AVG Antivirus 


AVG Antivirus 


Norton Security 

opssvc.exe | sophoshealth.exe 

Sophos Endpoint Protection 



Table: Processes monitored by the Batch script and their corresponding security vendors. 

AutoIT Script 

The executed AutoIT script has various capabilities such as anti-analysis, anti-emulation, persistence, and unhooking. Its main goal is to inject the payload and establish persistence while evading security solutions and analysis attempts. 

Anti-Analysis and Anti-Emulation 

The script checks for artifacts or signs belonging to security vendors' emulators and environments: 

Call functions used by Sticky Werewolf




Computer Name 


BitDefender Emulator 

Computer Name 


Kaspersky Emulator 

Computer Name 


AVG Emulator 




Process name 


AVG Antivirus 

File Name 


Windows Defender Emulator 

Process Name 



Process Name 




The script then overrides ntdll.dll by mapping a clean copy from the disk and replacing the .text section of the one loaded — a known technique to remove hooking. 


Persistence is established via a scheduled task or the startup directory. 

Decryption and Injection 

Before injecting the payload, it decrypts it using two shellcodes that perform RC4 decryption. 

  1. The first shellcode performs the key scheduling algorithm using the provided passphrase. 
  2. The second shellcode implements the PRGA of the RC4 stream cipher. 

sticky-werewolf (7)

The decrypted bytes are decompressed using RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1. The final payload is then injected using a process hollowing into a legitimate AutoIT process. 



The injected payloads typically include commodity RATs or stealers. Recently, Sticky Werewolf has utilized Rhadamanthys Stealer and Ozone RAT in their campaigns. Previously, the group deployed MetaStealer, DarkTrack, NetWire, among others. These malwares facilitate extensive espionage and data exfiltration. 

While there is no definitive evidence pointing to a specific national origin for the Sticky Werewolf group, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, but this attribution remains uncertain. 


How Morphisec Helps 

Morphisec's Automated Moving Target Defense (AMTD) effectively stops attacks, which typically include commodity RATs or stealers, (like those used by the Sticky Werewolf group) at various stages of the attack chain.  

Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses its patented AMTD technology to prevent the attack at its earliest stages, preemptively blocking attacks on memory and applications, and effectively remediating the need for response.  

Schedule a demo today to see how Morphisec stops Sticky Werewolf and other new emerging threats.   

New call-to-action



  • 05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9 
  • 03ee2011ad671b1781015024ea53edfbff92c28c2b123bba02d6a6f462e74105 
  • 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4 


  • c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0 
  • ce2b6d3aad07d3dec2b24f676cc9d2022bab5a086c7e773f9cfa3e7b7dc6d66a 


  • 9eddffbef4d9d7329d062db0a93c933104d00f12106bf91fa3b58e8f8b19aa41 
  • 217196571088cfd63105ae836482d742befcb7db37308ce757162c005a5af6ab 
  • 3ccbd8bd7424506b26491e5ff5ff55b000adaab1074ccf3b7452d0883f668040 
  • d6e6c786b793b46a1ee9b18b058e045d0aa1c83aa2b6aa493637f611d654d957 
  • d973e7854f10b4d0a1060e55022dceadc51d038cee85d05e2c2c2fd3b40a42be 


  • 79.132.128[.]47 
  • 94.156.8[.]166 
  • document-cdn[.]org 
  • 94.156.8[.]211