Scaly Wolf Attacking Organizations to Uncover Organizations’ Secrets

The cybersecurity landscape continues to witness sophisticated threat actors developing increasingly complex attack methodologies to infiltrate organizational networks and steal sensitive information.

A recent investigation by security researchers has uncovered a persistent campaign orchestrated by the Scaly Wolf Advanced Persistent Threat (APT) group, which successfully penetrated a Russian engineering enterprise through a carefully orchestrated multi-stage attack.

This campaign, which began in early May 2025, demonstrates the group’s refined tactics and persistent approach to gaining unauthorized access to corporate secrets.

The attack commenced with a familiar yet effective vector: phishing emails containing malicious PDF documents and password-protected ZIP archives.

The PDF decoy and the ZIP archive attached to one of the emails (Source – Dr.Web)

These seemingly innocuous financial documents served as the initial gateway for the threat actors to establish their foothold within the target organization.

The engineering company became the victim of a sophisticated operation that would span several weeks, ultimately compromising multiple systems within their network infrastructure.

The attackers relied on a simple piece of social engineering: the executables carried a double extension, a name ending in .pdf.exe. With Explorer's default "Hide extensions for known file types" setting, the trailing .exe is not displayed, so the victim sees only the .pdf part and a PDF-style icon.

Dr.Web analysts identified the attack as the work of the Scaly Wolf group through distinctive artifacts found within the malware samples.

Attack chain (Source – Dr.Web)

The researchers noted that this campaign represented a significant evolution in the group’s tactics, incorporating both custom-developed tools and legitimate administrative utilities to maintain persistence and avoid detection.

The investigation revealed that the threat actors had refined their approach since previous campaigns, abandoning Malware-as-a-Service trojans in favor of their proprietary modular backdoor system.

The first-stage payload was Trojan.Updatar.1, a downloader that subsequently fetched the additional components Trojan.Updatar.2 and Trojan.Updatar.3.

The attackers also used dual-use and built-in tooling, including the Metasploit framework, BITS jobs and RDP, to maintain persistence and move laterally across the compromised network.

RockYou Obfuscation: A Novel Evasion Technique

What distinguishes this particular variant is its implementation of what Dr.Web analysts have dubbed “RockYou Obfuscation,” a sophisticated technique that significantly complicates malware analysis efforts.

The code repeatedly initialises strings taken from the well-known rockyou.txt wordlist, roughly 14 million unique passwords from the 2009 RockYou breach (about 32 million accounts), a file that ships with most penetration-testing distributions.

The trojan then performs assorted operations on these dictionary strings that have no effect on its real logic, a smokescreen that buries the meaningful code in junk and inflates the string table an analyst has to sift through.

Strings the malware actually needs, by contrast, are stored encoded, using XOR combined with a small additive offset:

#include <stddef.h>

// Decoy strings drawn from the RockYou wordlist: operated on, never used
static const char *dummy_strings[] = {"password123", "qwerty", "letmein"};

// Operational strings are stored XOR-encoded; key and offset differ per sample.
// The order (undo the offset first, then the XOR) is an assumption for illustration.
static void xor_decode(unsigned char *buf, size_t len, unsigned char key, unsigned char offset) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)((buf[i] - offset) ^ key);
}

The XOR key and the offset are randomized for every Trojan.Updatar.1 build, so a byte signature written against one sample's encoded strings does not match the next; detection has to key on the decoding routine itself or on runtime behaviour rather than on the encoded string table.

The technique turns a resource familiar from password cracking to a new purpose: rockyou.txt is a breach-derived wordlist that every pentester has on disk, and here it supplies an endless stream of plausible-looking but meaningless string data in which the loader's real strings are hidden.
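As an added example (not Dr.Web's code and not code from Trojan.Updatar.1), the following Python models the scheme described above and the two steps an analyst takes to undo it: discarding strings that are simply RockYou entries, then brute-forcing the per-sample XOR key and offset using a crib, a token the loader is known to need at runtime. The encoding order (XOR, then add a small offset), the wordlist excerpt, the key and offset values and the loader strings are all constructed assumptions for illustration.

```python
"""Added example: models "RockYou obfuscation" and an analyst's recovery steps.
Not code from Dr.Web or from the Updatar samples; transform and data assumed."""
import string

# Constructed stand-in for rockyou.txt; the real file has ~14 million entries.
ROCKYOU_EXCERPT = frozenset({
    "123456", "password", "iloveyou", "princess", "qwerty",
    "letmein", "password123", "abc123", "monkey", "dragon",
})

# Constructed operational strings a downloader like Updatar.1 would need.
REAL_STRINGS = ["cmd.exe /c bitsadmin", "updatar.dll", "User-Agent: Mozilla/5.0"]

# Per-sample parameters; the article says these are randomised per build (values assumed).
KEY, OFFSET = 0x5A, 3


def encode(text: str, key: int, offset: int) -> bytes:
    """Assumed build-time transform: XOR each byte with key, then add a small offset."""
    return bytes(((b ^ key) + offset) & 0xFF for b in text.encode())


def decode(blob: bytes, key: int, offset: int) -> bytes:
    """Inverse of encode(): subtract the offset, then XOR with the key."""
    return bytes(((b - offset) & 0xFF) ^ key for b in blob)


def rockyou_noise(n: int) -> list:
    """Junk work the sample does with dictionary strings; the results are never used."""
    return [word.upper()[::-1] for word in sorted(ROCKYOU_EXCERPT)[:n]]


def strip_decoys(strings, wordlist=ROCKYOU_EXCERPT) -> list:
    """Analyst step 1: drop anything that is literally a RockYou entry."""
    return [s for s in strings if s not in wordlist]


def is_printable(data: bytes) -> bool:
    allowed = set(string.printable.encode()) - {0x0B, 0x0C}
    return all(b in allowed for b in data)


def recover_params(blobs, crib: bytes, max_offset: int = 16) -> list:
    """Analyst step 2: brute-force the 256 x (max_offset+1) parameter space.
    A (key, offset) pair survives if every blob decodes to printable text and
    at least one decoded blob contains the crib."""
    hits = []
    for key in range(256):
        for offset in range(max_offset + 1):
            plain = [decode(b, key, offset) for b in blobs]
            if all(is_printable(p) for p in plain) and any(crib in p for p in plain):
                hits.append((key, offset))
    return hits


def demo() -> dict:
    """Build a sample's encoded string table, then recover it the way an analyst would."""
    table = [encode(s, KEY, OFFSET) for s in REAL_STRINGS]
    # What a `strings` run would show: the decoys plus ordinary import names (constructed).
    visible = sorted(ROCKYOU_EXCERPT) + ["Kernel32.dll"]
    params = recover_params(table, b"User-Agent")
    return {
        "candidates_after_filter": strip_decoys(visible),
        "recovered_params": params,
        "decoded": [decode(b, *params[0]).decode() for b in table] if params else [],
    }


if __name__ == "__main__":
    print(demo())
```

The crib does the work that a signature cannot: with only 256 keys and a handful of plausible offsets the whole space is searched in milliseconds, and a token the loader must contain (a User-Agent, a DLL name, a command line) singles out the right pair even though the encoded bytes differ in every build. The same reasoning applies to triage: a wordlist lookup removes the RockYou noise before anyone spends time on it.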


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.