Werewolf Hackers Exploiting WinRAR Vulnerability To Deploy RingSpy Backdoor
Active since 2023, the Mysterious Werewolf cluster has shifted targets to the military-industrial complex (MIC) by using phishing emails with a weaponized archive.
The archive contains a seemingly legitimate PDF document together with a malicious CMD file; when the victim opens the archive and double-clicks the PDF, the CMD file executes and deploys the RingSpy backdoor on the compromised system.
In earlier campaigns, Mysterious Werewolf deployed the Athena agent of the Mythic framework; the tactics have now shifted, with the Athena agent swapped for the RingSpy backdoor, which is written in Python. The group relies on legitimate services to maintain control of compromised systems, using a Telegram bot as its command-and-control server.
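The lure described above (a decoy document packed next to a script that runs when the document is opened) has a shape a mail gateway or triage script can look for. The following is an added example, not code from the article or from the researchers it summarises; it assumes the weaponized archive is a ZIP (WinRAR opens ZIP as well as RAR, and Python's standard library has no RAR reader) and uses constructed sample archives only.

```python
import io
import posixpath
import zipfile

# File types that give a phishing archive its lure (decoy document) ...
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
# ... and file types that execute when double-clicked on Windows (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk"}


def _ext(name: str) -> str:
    """Lower-cased extension of an archive member, ignoring a trailing slash."""
    return posixpath.splitext(name.rstrip("/"))[1].lower()


def triage_archive(data: bytes) -> list[str]:
    """Return one finding per script/executable member that is bundled with a
    decoy document inside an in-memory ZIP archive; [] when nothing matches.

    Heuristic only: a document without a script, or a script without a
    document, produces no finding, so legitimate installer bundles with no
    decoy are not flagged by this check.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    docs = [n for n in names if _ext(n) in DOCUMENT_EXTS]
    scripts = [n for n in names if _ext(n) in SCRIPT_EXTS]
    if not (docs and scripts):
        return []
    return [f"script {s!r} bundled with decoy document(s) {docs}" for s in scripts]


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {name: content}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the member contents are placeholders, not real files.
    suspicious = build_sample({"Contract.pdf": b"%PDF-1.4 decoy",
                               "Contract.cmd": b"placeholder text"})
    clean = build_sample({"Contract.pdf": b"%PDF-1.4 decoy"})
    print(triage_archive(suspicious))  # one finding naming Contract.cmd
    print(triage_archive(clean))       # []
```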