lazarusholic

Squid Werewolf cyber spies masquerade as recruiters

2025-03-12, BiZone
https://bi.zone/eng/expertise/blog/sotni-tysyach-rubley-za-vashi-sekrety-kibershpiony-squid-werewolf-maskiruyutsya-pod-rekruterov
#SquidWerewolf

Contents

Espionage activity clusters may pose as recruiters to distribute phishing emails, targeting key employees in organizations of interest. In December 2024, the BI.ZONE Threat Intelligence team uncovered a phishing campaign that lured victims with fake job offers at an industrial organization. BI.ZONE's analysis attributed the attack to Squid Werewolf (also tracked as APT37, Ricochet Chollima, ScarCruft, and Reaper Group).
- Targeted phishing emails with subject lines relevant to the recipient give attackers a fast route into the systems used by key personnel and the data on them.
- Threat actors are increasingly shifting away from Microsoft Word documents and Microsoft Excel spreadsheets toward archives containing executables, scripts, or shortcut (LNK) files.
- Espionage clusters are opting for more sophisticated methods and tools, so advanced threat detection solutions such as EDR are recommended to mitigate the risk.
The attack would begin with a phishing email, which the adversaries disguised as a …

IoC

http://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php
http://hwsrv-1253398.hostwindsdns.com
https://www.timeapi.io/api/time/current/zone?timeZone=Europe%2FAmsterdam
https://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php
https://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/discountcode.php
0601426a6da40ec9b47bab54e4ec149ba69ee58f787eea0e32d1001cab1abd04
20dd93441c5e78b7adc7764c92719bed70ddb0676f707df7ea9f37d7969f4776
49a2ed08930ed20cbf859ca2fe3113e64f7a305c7a03cbda284fcceb781d053b
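The indicators above are only useful once they are matched against telemetry. The following added example (written for this page, not BI.ZONE's code or tooling) parses the IoC list as published, splits it into hostnames, URL paths and SHA-256 hashes, and runs it over a few constructed proxy-log lines and a constructed file-hash inventory. One design choice is an assumption on my part: the page does not say how the implant uses `timeapi.io`, but it is a public time-lookup service, so a request to it is treated as a low-confidence indicator that only matters when the same client also contacts the Hostwinds host. The log format, client addresses, file paths and the placeholder `ff…ff` hash are all constructed for the demo.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# IoCs exactly as listed on the page (the Hostwinds host with two PHP
# endpoints, the timeapi.io URL, and three SHA-256 file hashes).
IOC_TEXT = """
http://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php
http://hwsrv-1253398.hostwindsdns.com
https://www.timeapi.io/api/time/current/zone?timeZone=Europe%2FAmsterdam
https://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php
https://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/discountcode.php
0601426a6da40ec9b47bab54e4ec149ba69ee58f787eea0e32d1001cab1abd04
20dd93441c5e78b7adc7764c92719bed70ddb0676f707df7ea9f37d7969f4776
49a2ed08930ed20cbf859ca2fe3113e64f7a305c7a03cbda284fcceb781d053b
"""

# Assumption (not stated on the page): timeapi.io is a public service, so a
# hit on it alone is not evidence of compromise.
LOW_CONFIDENCE_HOSTS = {"www.timeapi.io"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def parse_iocs(text):
    """Split a flat IoC list into lowercase hostnames, (host, path) pairs and hashes."""
    iocs = {"domains": set(), "paths": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHA256_RE.match(line):
            iocs["sha256"].add(line.lower())
        elif line.startswith(("http://", "https://")):
            u = urlparse(line)
            host = u.netloc.lower()
            iocs["domains"].add(host)
            if u.path and u.path != "/":
                # Scheme and query are dropped; http/https variants collapse.
                iocs["paths"].add((host, u.path))
    return iocs


@dataclass
class Hit:
    src: str          # client address from the log line
    line_no: int      # 1-based line in the scanned log
    indicator: str    # host plus path that matched
    confidence: str   # "high" or "low"
    exact_path: bool  # True if the full path, not just the host, matched


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2024-12-10T09:12:03Z 10.0.4.17 GET https://hwsrv-1253398.hostwindsdns.com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/shoppingcart.php 200",
    "2024-12-10T09:12:05Z 10.0.4.17 GET https://www.timeapi.io/api/time/current/zone?timeZone=Europe%2FAmsterdam 200",
    "2024-12-10T09:13:41Z 10.0.4.22 GET https://www.timeapi.io/api/time/current/zone?timeZone=Europe%2FAmsterdam 200",
    "2024-12-10T09:14:00Z 10.0.4.30 GET https://example.com/index.html 200",
]


def scan_proxy_log(log_lines, iocs):
    """Return a Hit for every log line whose destination host is in the IoC set."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        src, url = parts[1], parts[3]
        u = urlparse(url)
        host = u.netloc.lower()
        if host not in iocs["domains"]:
            continue
        confidence = "low" if host in LOW_CONFIDENCE_HOSTS else "high"
        hits.append(Hit(src, n, host + u.path, confidence,
                        (host, u.path) in iocs["paths"]))
    return hits


def triage(hits):
    """Per client: 'investigate' if any high-confidence hit, else 'monitor'."""
    verdicts = {}
    for h in hits:
        verdict = verdicts.get(h.src, "monitor")
        if h.confidence == "high":
            verdict = "investigate"
        verdicts[h.src] = verdict
    return verdicts


# Constructed file inventory (path -> SHA-256); one entry is a listed IoC in
# uppercase to show that matching normalizes case, the other is a placeholder.
SAMPLE_INVENTORY = {
    "C:\\Users\\jdoe\\Downloads\\attachment.zip":
        "0601426A6DA40EC9B47BAB54E4EC149BA69EE58F787EEA0E32D1001CAB1ABD04",
    "C:\\Windows\\System32\\notepad.exe": "ff" * 32,
}


def scan_hashes(inventory, iocs):
    """Return the paths whose SHA-256 appears in the IoC hash set."""
    return {path for path, digest in inventory.items()
            if digest.lower() in iocs["sha256"]}


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for h in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(h)
    print(triage(scan_proxy_log(SAMPLE_PROXY_LOG, iocs)))
    print(scan_hashes(SAMPLE_INVENTORY, iocs))
```

On the constructed input, client 10.0.4.17 is flagged for investigation because it reached the Hostwinds endpoint, while 10.0.4.22 only contacted timeapi.io and is left at "monitor"; the archive in the inventory matches one of the three listed hashes. In a real deployment the same split between high- and low-fidelity indicators keeps a public API from flooding the queue with false positives while still letting it corroborate a stronger hit on the same host.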