Sticky Werewolf Uses Steganography in Attacks on Russian Companies
Experts at Positive Technologies have discovered new attack scenarios by the PhaseShifters group (also known as Sticky Werewolf), which have targeted dozens of organizations. Researchers report that the attackers are using steganography—hiding malware within transmitted images and text files.
The PhaseShifters group (Sticky Werewolf) is engaged in espionage, focusing mainly on various sectors in Eastern European countries, including government agencies, the economic sector, and industry. According to reports, recent attacks have targeted Russian government institutions, industrial companies, and research centers.
Phishing as the Main Attack Vector
In their attacks, the group uses phishing: attackers send emails that appear to come from officials, asking recipients to review and sign a document. As a result, malware such as Rhadamanthys, DarkTrack RAT, Meta Stealer, and others are installed on victims’ devices.
The new attacks began with phishing emails containing password-protected archive attachments, which included malicious files. Researchers examined dozens of such documents, which often appeared to be resumes or additional agreements for signature.
Steganography in Action
When victims opened the files, scripts were dropped onto their devices; those scripts fetched images in which the malicious payload had been hidden using steganography.
Experts believe that PhaseShifters may have borrowed this technique from another hacker group, TA558, which attacks organizations worldwide. Further analysis led researchers to an even more interesting conclusion: the same technique and the same crypter are used by UAC-0050 (UAC-0096), a hacker group that has been attacking organizations in Russia, Ukraine, Poland, Belarus, Moldova, and the Baltic states since 2020.
Interestingly, overlaps were also found with the Blind Eagle group, described by eSentire in February 2024. Researchers noted the use of Spanish-language crypters and obfuscators distributed on the dark web, in combination with the Ande Loader downloader.
Shared Tools and Techniques
Positive Technologies experts now believe that TA558, Blind Eagle, and PhaseShifters are all using subscriptions to obfuscators and crypters. Evidence includes identical obfuscation structures, the same variable names within PowerShell scripts, similar methods of storing payloads (text files or images containing Base64 data), and the use of the same repositories for payload delivery.
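As an added illustration (this is not code from the Positive Technologies report or from any of the groups named), the following defensive check targets the payload-storage pattern the paragraph describes: extra bytes appended after an image's end-of-file marker, especially when they look like a Base64 blob. The JPEG EOI and PNG IEND markers are standard format constants; the sample image bytes and the appended payloads are constructed inline for the demonstration.

```python
"""Flag image files that carry data after their format's end marker.

Added example, not from the original article. It looks for bytes that
follow a JPEG EOI (FF D9) or PNG IEND chunk and reports whether that
trailing data resembles Base64 text. Inputs are constructed below.
"""
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"  # IEND chunk type + its fixed CRC
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the last end marker, or b'' if none/unknown."""
    if data.startswith(JPEG_SOI):
        # rfind: embedded EXIF thumbnails carry their own EOI, so use the last one.
        idx = data.rfind(JPEG_EOI)
        return data[idx + len(JPEG_EOI):] if idx != -1 else b""
    if data.startswith(PNG_SIG):
        idx = data.rfind(PNG_IEND)
        return data[idx + len(PNG_IEND):] if idx != -1 else b""
    return b""  # not a format this check understands


def looks_base64(blob: bytes, min_len: int = 32) -> bool:
    """True if blob is a reasonably long run of Base64 characters that decodes."""
    blob = blob.strip()
    if len(blob) < min_len or not BASE64_RE.match(blob):
        return False
    try:
        base64.b64decode(blob)  # padding errors raise binascii.Error
    except binascii.Error:
        return False
    return True


def inspect_image(data: bytes) -> dict:
    """Summarise trailing data: length, Base64 likeness, and a suspicion flag."""
    extra = trailing_bytes(data)
    return {
        "trailing_len": len(extra),
        "base64_like": looks_base64(extra),
        "suspicious": len(extra) > 0,
    }


# Constructed samples (hypothetical, minimal headers rather than real images).
SAMPLE_CLEAN_JPEG = JPEG_SOI + b"\xff\xe0" + b"\x00" * 16 + JPEG_EOI
SAMPLE_B64_JPEG = SAMPLE_CLEAN_JPEG + base64.b64encode(b"A" * 60)  # 80 chars appended
SAMPLE_CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_IEND
SAMPLE_TEXT_PNG = SAMPLE_CLEAN_PNG + b"hello world"  # appended, but not Base64

if __name__ == "__main__":
    for name, blob in [("clean jpeg", SAMPLE_CLEAN_JPEG), ("b64 jpeg", SAMPLE_B64_JPEG),
                       ("clean png", SAMPLE_CLEAN_PNG), ("text png", SAMPLE_TEXT_PNG)]:
        print(name, inspect_image(blob))
```

In a mail gateway or EDR pipeline this check would run over image attachments and images retrieved by scripts; any non-zero trailing length merits a closer look, and a Base64-like tail is a strong signal given the payload-storage pattern described above.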
Attack Chain Analysis
“We have observed high activity from the PhaseShifters group since spring 2023 (other Russian researchers later named it Sticky Werewolf) and noticed interesting details even then. The group’s attack techniques are identical to those of UAC-0050. Moreover, attacks by these groups occur within a short time frame of each other, meaning the attackers strike in similar ways just weeks apart. At this point, we lean toward the conclusion that UAC-0050 and PhaseShifters are the same group, but this can only be confirmed after longer observation,” commented Denis Kuvshinov, head of the Threat Intelligence department at Positive Technologies’ security expert center.