A hacker group dubbed Sapphire Werewolf has attacked more than 300 Russian companies over the past three months using the Amethyst infostealer, researchers have found.
The group’s targets include the Russian education, manufacturing, tech, defense, and aerospace engineering industries. It is not clear who is behind the group and whether it is state-sponsored or financially motivated.
The Russian cyber company BI.ZONE has been tracking Sapphire Werewolf’s activity since March. The group’s Amethyst tool, according to researchers, is an offshoot of the open-source SapphireStealer.
Once inside the system, Amethyst can collect Telegram configuration files, password and cookie databases, browser and popular website histories, saved pages and configurations from browsers, as well as PowerShell logs.
The hackers deliver the malware to victims’ devices through phishing emails disguised as official decrees, including those from the Central Election Committee or even from Russian President Vladimir Putin.
It is not clear how effective Sapphire Werewolf’s campaigns are or how they use the obtained data. Researchers have noticed that the group’s malware hasevolved. Just three months ago, the stealer didn’t have “any mechanisms for achieving persistence in the compromised system” and only collected “a limited set of data.”
Reports about cyberattacks inside Russia are rare and often published exclusively by local cyber companies since Western firms have limited visibility in the region.
Earlier this week, another Russian firm, Positive Technologies — which was sanctioned by the U.S. for providing technology to Russian intelligence services — published a report about a state-sponsored group called HellHounds that targeted Russian power companies, tech businesses, government agencies, the space industry, and telecom providers with Decoy Dog malware.
Recorded Future
Intelligence Cloud.