The Fluffy Wolf group carried out at least 140 attacks on Russian companies

Experts from the company BI.ZONE discovered a new hack group, Fluffy Wolf, which attempted to attack Russian companies at least 140 times. According to researchers, the main goal of the group is to steal credentials (most likely for further resale). At the same time, analysts characterize hackers as low-skilled, since they do not write malware themselves, but buy ready-made solutions, for delivery of which they send phishing emails.

Fluffy Wolf uses legitimate remote access tools and inexpensive commercial malware in its attacks. To gain initial access to the victims’ infrastructure, they send emails with attachments disguised as reconciliation reports.

The advantage of this scheme is its simplicity, low cost, and efficiency, experts explain. According to BI.ZONE, about 5% of employees of Russian companies open malicious attachments and follow links from Thus phishing emails. At the same time, ensuring a large mailing coverage is not technically difficult, and even one such open letter is enough to compromise the entire infrastructure. This is why phishing is used in 68% of all targeted attacks on organizations.

In one of the latest campaigns, hackers wrote to potential victims on behalf of a construction organization with the subject line “Acts for signature.” Attached to the letter was an archive, the name of which included a password, and inside was a malicious file disguised as a document. When the user opened it, two programs were installed on the device: the Meta stealer, designed to steal data, as well as the legitimate remote access tool Remote Utilities. As a result, Fluffy Wolf gained full control over the machine and could monitor user actions, transfer files, execute commands, and work with the task manager.

“Criminals purchase Meta Stealer on shadow forums or in a special Telegram channel. You can rent a stealer for a month for $150, or purchase a permanent license for $1,000. The cost of licenses for legitimate Remote Utilities software depends on the buyer’s needs and ranges from $29 to $12,000, but there is the opportunity to use the free basic version. All this makes the cost of an attack extremely low.

Commercial malware allows even attackers with a low level of training to carry out successful attacks. This seriously expands the threat landscape for companies from Russia and the CIS,” comments Oleg Skulkin, head of BI.ZONE Threat Intelligence.

Meta stealer is a clone of the popular RedLine stealer and allows you to collect different types of information from infected machines, including credentials and cookies from browsers, as well as data from FileZilla, crypto wallets and VPN clients. However, unlike RedLine, the developers of the Meta stealer do not prohibit its use in attacks on organizations from Russia and other CIS countries.

It is noted that Fluffy Wolf previously used other malware in attacks, including the paid WarZone RAT remote access trojan, which allowed it to gain control of the victim’s computer. In addition, in some cases, hackers installed the XMRig miner on compromised devices.

0 / 5

Your page rank:


Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment