Fluffy Wolf Hackers Launch Over 140 Attacks on Russian Companies

Experts at BI.ZONE have identified a new hacker group, tracked as Fluffy Wolf, that has attempted to attack Russian companies at least 140 times. According to the researchers, the group's main goal is to steal credentials, most likely for resale. Analysts rate the hackers as low-skilled: they do not develop their own malware but buy ready-made tools, which they deliver through phishing emails.

Fluffy Wolf combines legitimate remote access tools with inexpensive commercial malware. To gain initial access to a victim's infrastructure, the group sends emails with attachments disguised as reconciliation statements. The advantage of this scheme, the experts explain, lies in its simplicity, low cost, and effectiveness: according to BI.ZONE, about 5% of employees at Russian companies open malicious attachments or click links in phishing emails. Mass mailing is not technically difficult, and a single opened email can be enough to compromise an entire infrastructure, which is why phishing is used in 68% of all targeted attacks on organizations.

Attack Methods and Tools

In one recent campaign, the hackers posed as a construction company and used the subject line “Documents for Signature.” The email carried a password-protected archive with the password written into the file name (a common way to keep mail scanners from inspecting the contents while the recipient can still open it), containing a malicious executable disguised as a document. When the user opened it, two programs were installed on the device: the Meta stealer, which harvests data, and the legitimate remote access tool Remote Utilities. As a result, Fluffy Wolf gained full control over the machine and could monitor user activity, transfer files, execute commands, and manage processes through the tool's task manager.
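The lure described above (password in the archive name, an executable masquerading as a document) is easy to screen for at the mail gateway. The following Python script is an added example written for this page, not BI.ZONE's code or anything recovered from the campaign; the archive, its member names, the password-hint pattern and the extension lists are constructed assumptions for illustration. It reads ZIP member names, which stay in clear text even in a password-protected archive, and checks the few tells the article names.

```python
import io
import os
import re
import zipfile

# Heuristics for the lure described above. The hint pattern covers Russian and
# English spellings ("пароль 1234", "password_1234"); the lookahead stops "pass"
# from matching inside words such as "passport". Assumption made for this example.
PASSWORD_HINT = re.compile(
    r"(?:пароль|password|pass|pwd)(?=[\s:=_-])\s*[:=_-]?\s*([^\s.]+)",
    re.IGNORECASE,
)
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk", ".msi", ".hta"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def password_hint(filename):
    """Return a password embedded in the attachment name, or None."""
    m = PASSWORD_HINT.search(filename)
    return m.group(1) if m else None


def analyze_attachment(filename, data):
    """Inspect a ZIP attachment and report why it looks like a stealer lure.

    Member names in a ZipCrypto/AES-encrypted ZIP are stored unencrypted, so the
    name-based checks work even when the content cannot be read without the password.
    """
    result = {"archive": False, "password_hint": password_hint(filename),
              "findings": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["archive"] = True
    has_executable = disguised = False
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        base, ext = os.path.splitext(name.lower())
        _, inner_ext = os.path.splitext(base)
        encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
        if "\u202e" in name:  # right-to-left override hides the real extension
            result["findings"].append(f"{name!r}: RLO character in member name")
            has_executable = disguised = True
        if ext in EXEC_EXTENSIONS:
            has_executable = True
            if inner_ext in DOC_EXTENSIONS:
                disguised = True
                result["findings"].append(f"{name}: executable with document double extension")
            else:
                result["findings"].append(f"{name}: executable member")
        elif not encrypted:
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":  # PE image behind a document extension
                    has_executable = disguised = True
                    result["findings"].append(f"{name}: PE header despite {ext or 'no'} extension")
    # Verdict: an executable that is either disguised or shipped in an archive
    # whose own name carries its password.
    result["suspicious"] = has_executable and (disguised or result["password_hint"] is not None)
    return result


def build_sample_lure():
    """Constructed stand-in for the lure archive; not the real campaign's file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Акт сверки.pdf.exe", b"MZ" + bytes(62))  # fake PE stub
        zf.writestr("Реквизиты.txt", "ООО Стройсервис".encode("utf-8"))
    return buf.getvalue()


def build_benign_archive():
    """Constructed clean archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly figures")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = analyze_attachment("Документы на подпись пароль 1234.zip", build_sample_lure())
    for line in verdict["findings"]:
        print(line)
    print("password hint:", verdict["password_hint"], "| suspicious:", verdict["suspicious"])
```

A gateway rule built on this should quarantine rather than drop, since legitimate senders do occasionally mail a password-protected archive with the password in the name; the combination with an executable member is what separates the lure from that case.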

“Attackers purchase Meta Stealer on underground forums or in a dedicated Telegram channel. Renting the stealer for a month costs $150, while a permanent license is $1,000. Licenses for the legitimate Remote Utilities software range from $29 to $12,000 depending on the buyer’s needs, but a free basic version is also available. All of this makes the cost of an attack extremely low.

Commercial malware allows even low-skilled attackers to carry out successful attacks. This significantly expands the threat landscape for companies in Russia and the CIS,” commented Oleg Skulkin, head of BI.ZONE Threat Intelligence.

About Meta Stealer and Other Malware

The Meta stealer is a clone of the popular RedLine stealer and can collect various types of information from infected machines, including credentials and cookies from browsers, as well as data from FileZilla, cryptocurrency wallets, and VPN clients. Unlike RedLine, however, the developers of Meta do not prohibit its use in attacks on organizations in Russia and other CIS countries.

BI.ZONE also notes that Fluffy Wolf has previously used other malware, including the paid remote access trojan WarZone RAT, which gives attackers control of a victim's computer. In some cases the hackers also installed the XMRig cryptocurrency miner on compromised devices.
