Sapphire Werewolf refines Amethyst stealer to attack energy companies

BI.ZONE
Apr 9, 2025 · 5 min read


The Sapphire Werewolf cluster continues to enhance its toolkit, now leveraging a new version of the Amethyst stealer. The threat actor distributes the malware through phishing emails.

BI.ZONE Threat Intelligence keeps a close eye on Sapphire Werewolf’s activity. Recent findings indicate that the attackers have been using the updated Amethyst stealer, an open-source malware distributed via phishing emails. This time, the cluster targeted energy companies.

Key findings

  • The adversaries are improving their own tools to get around security solutions more effectively.
  • The latest version of the Amethyst stealer features advanced checks for virtualized environments and employs the Triple DES algorithm for string encryption.
  • By exploiting credentials, the threat actor can infiltrate a wide range of information systems, gaining access to sensitive data.

Sapphire Werewolf disguises a malicious attachment as an official memo and sends it to its victim, posing as an HR representative.

Phishing email

The email includes a memo archive Служебная записка .rar (Russian for “memo”) containing an executable Служебная записка .exe with a fake PDF icon. The executable is C#-based malware protected with .NET Reactor.

The malicious file is a .NET loader that carries a Base64-encoded payload (a PE file).

Base64-encoded PE file

The Base64 string is decoded into a byte array, loaded into memory, and executed using Assembly.Load() and the Invoke() method.

Methods for loading and executing code in memory
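The loader pattern described above (a long Base64 string literal decoded into a byte array and handed to Assembly.Load()) lends itself to a simple carving step during triage. The following Python is an added example and is not code from the BI.ZONE report or from the malware: it scans a loader image for long Base64 runs, both as raw ASCII and as UTF-16LE (how a .NET assembly stores string literals in its #US heap), keeps the runs that decode to a file with an MZ header and a PE signature, and hashes them in the same three formats as the IoC list. The 256-character floor, the fake payload and the two loader images are constructed for the demonstration.

```python
import base64
import hashlib
import re
import struct

# Long Base64 runs as raw ASCII and as UTF-16LE (.NET string literals live in the
# UTF-16LE #US heap). The 256-character floor is a constructed threshold.
B64_ASCII = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){256,}(?:=\x00){0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_embedded_pe(loader: bytes) -> list[bytes]:
    """Decode every long Base64 run in a loader image and keep those that decode to a PE."""
    candidates = [m.group(0) for m in B64_ASCII.finditer(loader)]
    candidates += [m.group(0)[::2] for m in B64_UTF16.finditer(loader)]  # drop the \x00 bytes
    found = []
    for run in candidates:
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if looks_like_pe(blob):
            found.append(blob)
    return found


def hashes(blob: bytes) -> dict[str, str]:
    """MD5 / SHA-1 / SHA-256 of a carved payload, in the form used by the IoC list."""
    return {n: hashlib.new(n, blob).hexdigest() for n in ("md5", "sha1", "sha256")}


def make_fake_pe(size: int = 1024) -> bytes:
    """Constructed stand-in payload: MZ header, e_lfanew = 0x80, PE signature, NOP filler."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr += b"PE\x00\x00"
    return bytes(hdr) + b"\x90" * (size - len(hdr))


# Constructed loader images: junk, the Base64 payload (ASCII or UTF-16LE), more junk.
FAKE_PAYLOAD = make_fake_pe()
B64_TEXT = base64.b64encode(FAKE_PAYLOAD)
FAKE_LOADER_ASCII = b"junk\x00" * 20 + B64_TEXT + b"\x00junk" * 20
FAKE_LOADER_UTF16 = b"\x00junk" * 20 + B64_TEXT.decode().encode("utf-16-le") + b"\x00junk" * 20
```

On a real sample the carved blob would be hashed and compared against the indicators listed later in the report before any further analysis.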

The PE file is the Amethyst stealer, also protected with .NET Reactor. As in previously analyzed samples of this malware, the new build loads the DotNetZip.dll helper library (Ionic’s Zip Library version 1.16) into memory for file compression. It then sends system data, including the IP address and a string indicating whether the host is a virtual machine (VM or NOT_VM), to the following address: hxxp://canarytokens[.]com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js.

The User-Agent string begins with the word Brussel, which is presumably the campaign ID.

The BI.ZONE Threat Intelligence team also registered malware calls to wondrous-bluejay-lively.ngrok-free[.]app and to checkip.dyndns[.]org, the latter to look up the external IP address.

The Amethyst stealer also uses its resources to extract and execute a decoy PDF document.

Example of decoy contents

The updated Amethyst stealer features the following special capabilities:

  1. Advanced checks for VM environments, enabling the malware to:
     • attempt to retrieve a file descriptor specific to a VirtualBox VM
       Checking for VM environments by calling a virtual device
     • check for a registry key used by VMware Tools
       Checking for VMware Tools in the OS registry
     • check the hardware manufacturer and model via WMI
       Checking manufacturer/model via WMI
     • check the processor manufacturer, including Parallels
       Checking processor manufacturer
     • check the motherboard manufacturer and BIOS details
       Checking motherboard manufacturer and BIOS serial number
     • check the disk model data
       Checking disk model and ID
     • check plug and play devices
       Checking plug and play device names
     • check services
       Checking Windows service names
     • check if the VM-associated registry keys have been modified in the last month
       Checking when the VM-associated registry keys were last modified
     • exploit WMI to gather extensive data about the compromised system
       Collecting system data via WMI

  2. It is also noteworthy that the updated stealer uses the Triple DES symmetric algorithm. Unlike the .NET loaders, which encrypt the payload in its entirety, Triple DES here covers almost every string literal passed as an argument to the functions the malware calls.

Code fragment with Triple DES decryption

The Amethyst stealer retrieves:

  • credentials from Telegram and various browsers, including Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa, and Edge Chromium, as well as FileZilla and SSH configuration files
  • configuration files from remote desktops and VPN clients
  • various types of documents, including those stored on removable media

Indicators of compromise

  • 93d048364909018a492c8f709d385438
  • 94034e04636bc4450273b50b07b45f636ff59b05
  • 4149b07d9fdcd04b34efa0a64e47a1b9581ff9d1f670ea552b7c93fb66199b5f

More indicators of compromise are available on the BI.ZONE Threat Intelligence portal.

MITRE ATT&CK

Detection

The BI.ZONE EDR rules below can help organizations detect the described malicious activity:

  • win_creation_task_that_run_file_from_suspicious_folder
  • win_possible_browser_stealer_activity
  • win_suspicious_access_to_software_sensitive_files

We would also recommend that you monitor suspicious activity related to:

  • running suspicious executable files from the %Temp% folder
  • running executables resembling system files from unusual folders
  • creating scheduled tasks not typical for the organization
  • opening sensitive files through unusual processes
  • accessing external IP address lookup services
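The monitoring points above translate naturally into simple rules over endpoint telemetry. The following Python is an added example and is not one of the BI.ZONE EDR rules: it runs five checks (execution from %Temp%, a system-like binary name outside C:\Windows, a scheduled task launching from %Temp%, a connection to an external IP lookup service or an ngrok tunnel, and a sensitive browser/FileZilla/SSH file opened by an unexpected process) over constructed JSON-lines events. The event schema, the file name memo.exe, the allowlists and the regular expressions are all assumptions made for the demonstration.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed endpoint telemetry, one JSON event per line (not real EDR data).
SAMPLE_LOG = r'''
{"id":1,"type":"process","image":"C:\\Users\\u\\AppData\\Local\\Temp\\memo.exe","parent":"C:\\Program Files\\WinRAR\\WinRAR.exe"}
{"id":2,"type":"process","image":"C:\\Windows\\System32\\svchost.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"id":3,"type":"process","image":"C:\\Users\\u\\Downloads\\svchost.exe","parent":"C:\\Windows\\explorer.exe"}
{"id":4,"type":"schtask","name":"Updater","command":"C:\\Users\\u\\AppData\\Local\\Temp\\payments.exe"}
{"id":5,"type":"network","image":"C:\\Users\\u\\AppData\\Local\\Temp\\memo.exe","host":"checkip.dyndns.org"}
{"id":6,"type":"network","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","host":"example.com"}
{"id":7,"type":"file","image":"C:\\Users\\u\\AppData\\Local\\Temp\\memo.exe","path":"C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
'''

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}  # assumed list
SYSTEM_DIRS = ("c:\\windows\\",)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}        # host named in the report
TUNNEL_SUFFIXES = (".ngrok-free.app",)           # report: wondrous-bluejay-lively.ngrok-free[.]app
SENSITIVE = re.compile(r"(\\Login Data$|\\filezilla\\|\\\.ssh\\)", re.IGNORECASE)
SENSITIVE_OWNERS = {"chrome.exe", "msedge.exe", "filezilla.exe", "ssh.exe"}  # assumed allowlist


def evaluate(ev: dict) -> list[str]:
    """Return the names of the rules that a single event matches."""
    hits = []
    image = ev.get("image", "")
    name = PureWindowsPath(image).name.lower()
    if ev["type"] == "process":
        if TEMP_DIR.search(image):
            hits.append("exec_from_temp")
        if name in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
            hits.append("system_name_unusual_dir")
    elif ev["type"] == "schtask" and TEMP_DIR.search(ev["command"]):
        hits.append("schtask_runs_from_temp")
    elif ev["type"] == "network":
        host = ev["host"].lower()
        if host in IP_LOOKUP_HOSTS or host.endswith(TUNNEL_SUFFIXES):
            hits.append("external_ip_lookup_or_tunnel")
    elif ev["type"] == "file" and SENSITIVE.search(ev["path"]) and name not in SENSITIVE_OWNERS:
        hits.append("sensitive_file_unusual_process")
    return hits


def run_rules(log_text: str) -> dict[int, list[str]]:
    """Parse JSON lines and map event id -> matched rule names (events with no hits are omitted)."""
    results = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        hits = evaluate(ev)
        if hits:
            results[ev["id"]] = hits
    return results
```

In practice the output of several of these rules for the same process within a short window (events 1, 5 and 7 here share one image) is a much stronger signal than any single hit.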

How to protect your company from such threats

Like many other clusters, Sapphire Werewolf employs phishing emails to gain initial access to a victim’s infrastructure. These risks can be mitigated with email protection solutions like BI.ZONE Mail Security. The service features a high-performance engine of our own design and incorporates various methods of email traffic analysis.

Building an effective cybersecurity strategy requires an understanding of the threats you are up against. This means you need to know the adversaries’ methods and tools while keeping a close eye on the most recent threats. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. The solution provides information about the current attacks, threat actors, their methods and tools, as well as data from underground resources. This intelligence can help you stay proactive and accelerate your incident response.
