Sticky Werewolf APT Stalks Aviation Sector

Published: 23/11/2024   Category: security


The pro-Ukrainian group has upgraded its infection chain, with credentials, strategic info on commercial pilots, or billion-dollar designs as the possible prizes.



A threat actor is using layered infection chains to compromise organizations involved with Russia's aviation industry.

The advanced persistent threat (APT) known as Sticky Werewolf has been around since at least April 2023, and it seems to be interested in espionage relating to the conflict between Russia and Ukraine. Early reporting indicated that the group was targeting public organizations in Russia and Belarus, but recent targets have included a pharmaceutical company and a Russian research institute involved in microbiology and vaccine development.

Most recently, in targeted attacks earlier this spring, it appeared that the group had turned its attention to aerospace and defense, as noted in a blog post earlier this week from Morphisec. Its infection methods have been upgraded in turn, now involving a long chain of files and scripts at the end of which lies common remote access malware.
"The attractiveness of aerospace to cybercriminals and nation-state actors is multifold," says Claude Mandy, chief evangelist at Symmetry Systems. "In a conflict, private aircraft and pilots can be both strategic assets and targets, as well as potential intel sources when drafted into military use. Then there's the intellectual property goldmine and the need to protect it for commercial reasons."
In prior campaigns, Sticky Werewolf phishing emails included links to download malicious files. Now, its infections are notably more complex.
Its latest emails purport to come from the first deputy general director of AO OKB Kristall, a Moscow-based aircraft and spacecraft company. An attached archive file opens a PDF document, alluding to an upcoming video conference on issues of long-term cooperation for the coming year. The director asks recipients to participate, and provide personal information including names, positions, and email addresses.
The PDF is a complement to two LNK files also included in that archive. Masquerading as a distribution list and meeting agenda, these files present the user with a fake error message while simultaneously creating a Windows registry entry to establish persistence, then downloading an executable from a WebDAV server.
The executable is a variant of the well-worn and largely defunct CypherIT cryptor. This file drops a batch script which, among other things, manipulates files, looks out for security software — Norton, Sophos, AVG, and Webroot — and drops an AutoIT executable. The AutoIT script's job involves anti-analysis and anti-emulation, further establishing persistence on the machine, and dropping the final payload.
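The two LNK stages described above leave a recognisable trail on the endpoint: a shell spawned from the user's explorer.exe (the double-clicked shortcut), a registry write for persistence, and an outbound connection for the WebDAV download. The following detection sketch is an added example, not code from the article or from Morphisec. It correlates those three stages per process over a constructed Sysmon-style event stream; the event IDs are Sysmon's real numbering, but the Run-key location, the 120-second window, the shell image list and all sample events are assumptions made for the example.

```python
# Added example: correlate the LNK -> persistence -> download sequence
# over a constructed Sysmon-style event stream. Not from the article.
from collections import defaultdict
from dataclasses import dataclass, field

# Sysmon event IDs (real Sysmon numbering).
PROCESS_CREATE, NETWORK_CONNECT, REGISTRY_SET = 1, 3, 13

# Heuristic parameters; these values are assumptions, not from the article.
WINDOW_SECONDS = 120
RUN_KEY_MARKER = "\\currentversion\\run\\"      # assumed persistence location
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")
DOWNLOAD_PORTS = {80, 443}                        # WebDAV rides on HTTP(S)


@dataclass
class Event:
    ts: int            # seconds on a constructed timeline
    host: str
    event_id: int
    pid: int
    image: str         # process image path
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry; none of it is real.
SAMPLE_EVENTS = [
    # ws-01: full chain, as in the campaign described above.
    Event(100, "ws-01", PROCESS_CREATE, 4100, r"C:\Windows\System32\cmd.exe",
          {"ParentImage": r"C:\Windows\explorer.exe"}),
    Event(101, "ws-01", REGISTRY_SET, 4100, r"C:\Windows\System32\cmd.exe",
          {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
    Event(104, "ws-01", NETWORK_CONNECT, 4100, r"C:\Windows\System32\cmd.exe",
          {"DestinationPort": 80, "DestinationHostname": "files.example.invalid"}),
    # ws-02: a vendor installer registering itself at logon; no shell stage.
    Event(200, "ws-02", PROCESS_CREATE, 5200, r"C:\Program Files\Vendor\setup.exe",
          {"ParentImage": r"C:\Windows\explorer.exe"}),
    Event(201, "ws-02", REGISTRY_SET, 5200, r"C:\Program Files\Vendor\setup.exe",
          {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"}),
    # ws-03: shell from explorer writes a Run key but never connects out.
    Event(300, "ws-03", PROCESS_CREATE, 6300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          {"ParentImage": r"C:\Windows\explorer.exe"}),
    Event(302, "ws-03", REGISTRY_SET, 6300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync"}),
    # ws-04: same as ws-03, but the connection comes hours later (outside the window).
    Event(400, "ws-04", PROCESS_CREATE, 7400, r"C:\Windows\System32\cmd.exe",
          {"ParentImage": r"C:\Windows\explorer.exe"}),
    Event(401, "ws-04", REGISTRY_SET, 7400, r"C:\Windows\System32\cmd.exe",
          {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync"}),
    Event(9000, "ws-04", NETWORK_CONNECT, 7400, r"C:\Windows\System32\cmd.exe",
          {"DestinationPort": 443, "DestinationHostname": "cdn.example.invalid"}),
]


def _is_shell_from_explorer(e):
    """Stage 1: a scripting shell whose parent is explorer.exe (a launched shortcut)."""
    return (e.event_id == PROCESS_CREATE
            and e.image.lower().endswith(SHELL_IMAGES)
            and e.fields.get("ParentImage", "").lower().endswith("explorer.exe"))


def find_lnk_chains(events):
    """Return {host: [stage, ...]} for every process that starts as a shell
    under explorer.exe and at least writes a Run key within WINDOW_SECONDS.
    A three-stage result means the outbound download was also seen."""
    per_process = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        per_process[(e.host, e.pid)].append(e)

    findings = {}
    for (host, _pid), evs in per_process.items():
        start = next((e for e in evs if _is_shell_from_explorer(e)), None)
        if start is None:
            continue
        stages = ["shell_from_explorer"]
        for e in evs:
            if e.ts - start.ts > WINDOW_SECONDS:
                break                      # later activity is outside the correlation window
            target = e.fields.get("TargetObject", "").lower()
            if (e.event_id == REGISTRY_SET and RUN_KEY_MARKER in target
                    and "run_key_persistence" not in stages):
                stages.append("run_key_persistence")
            elif (e.event_id == NETWORK_CONNECT
                  and "run_key_persistence" in stages
                  and e.fields.get("DestinationPort") in DOWNLOAD_PORTS):
                stages.append("outbound_download")
        if "run_key_persistence" in stages:
            findings[host] = stages
    return findings


def severity(stages):
    """Triage label for a finding (labels are this example's own convention)."""
    return "full_chain" if "outbound_download" in stages else "persistence_only"


if __name__ == "__main__":
    for host, stages in find_lnk_chains(SAMPLE_EVENTS).items():
        print(host, severity(stages), " -> ".join(stages))
```

Run as a script it reports ws-01 as a full chain and ws-03 and ws-04 as persistence-only, while the vendor installer on ws-02 is never flagged because it lacks the shell stage. Keying on the process rather than the host is deliberate: the registry write and the download in this campaign come from the same script process, so unrelated Run-key writes elsewhere on the machine do not raise the severity.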
The final payload will be some sort of commercial remote access Trojan (RAT), like the Rhadamanthys Stealer or Ozone RAT. Older Sticky Werewolf campaigns utilized MetaStealer, DarkTrack, and NetWire. Any of these will facilitate espionage and data exfiltration, and the nature of Sticky Werewolf's activities to that end suggests that it operates in support of Ukrainian interests.
"Attackers like this can steal credentials, strategic info on commercial pilots being drafted in military surface, or billion-dollar designs," Mandy explains. "These attacks indicate just how simple a successful social engineering attack can be. Tailored phishing emails will eventually trick someone into installing a remote access Trojan."
