
The threat actor group known as Arcane Werewolf, also tracked as Mythic Likho, has refreshed its attack capabilities by deploying a new version of its custom malware called Loki 2.1.
During October and November 2025, researchers observed this group launching campaigns specifically targeting Russian manufacturing companies.
The group continues to refine its tactics, showing a sustained interest in the manufacturing sector and demonstrating active development of its malware toolkit.
This latest version of Loki represents a significant upgrade, as it now works with both the Mythic and Havoc post-exploitation frameworks, making it more flexible and dangerous in the hands of experienced attackers.
The malware spreads through carefully crafted phishing emails that appear to come from legitimate manufacturing companies.
Victims receive messages containing links that lead to spoofed websites imitating real organizations. When clicked, these links deliver ZIP archives hosted on the attackers’ command and control servers.
This approach works because people are more likely to trust emails when they seem to come from recognized brands and organizations. Once the victim downloads and opens the archive, the infection chain begins.
Bi.Zone analysts identified the malware after tracking the distribution method and analyzing the infection process.
The attack starts when a victim opens a malicious shortcut file, or LNK file, hidden inside the ZIP archive.
This file triggers a command that uses PowerShell to download an executable disguised as an image file from the attacker’s server.
The downloaded file is actually a dropper written in the Go programming language, which carries encoded payloads hidden inside it.
The Loki 2.1 Infection Mechanism
The Go dropper contains two separate payloads that it decodes and executes in sequence. First, it drops a malicious loader called chrome_proxy.pdf, which is responsible for communicating with the attacker’s command and control server.
The malicious loader gathers system information from the infected computer, including the computer name, operating system version, internal IP addresses, and username.
The collected data is encrypted with AES and sent back to the attackers over HTTPS.
The loader then waits for commands from the attackers, ready to inject malicious code into running processes, upload files to the victim’s system, or exfiltrate sensitive data.
The loader can also terminate specific processes on the infected computer, which gives the attackers substantial control over the system and lets them kill security tools or other software that might interfere with their activity.
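Two of the artefacts described above are checkable with simple telemetry: a file that carries an image or PDF name but starts with a Windows PE header (the disguised dropper and the chrome_proxy.pdf loader), and a PowerShell command line that fetches an "image" URL to disk (the LNK stage). The following Python is an added example, not code from the article or the Bi.Zone report; the sample files and command lines are constructed, and `example.invalid` is a placeholder host.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Leading bytes of the formats that appear in this campaign's lures.
MAGIC = {
    b"MZ": "pe",         # Windows executable (the disguised dropper/loader)
    b"%PDF": "pdf",
    b"RIFF": "webp",     # RIFF container; the WEBP tag is checked below
}
# A file with one of these extensions should never start with a PE header.
DOCUMENT_EXTS = {".pdf", ".png", ".webp", ".jpg", ".jpeg", ".gif"}

def content_type(head: bytes) -> str:
    """Classify a file by its first bytes instead of trusting its extension."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            if kind == "webp" and head[8:12] != b"WEBP":
                return "riff-other"
            return kind
    return "unknown"

def is_disguised_executable(path: Path) -> bool:
    """True when an image/PDF-named file actually carries a PE header."""
    head = path.read_bytes()[:16]
    return path.suffix.lower() in DOCUMENT_EXTS and content_type(head) == "pe"

def scan_dir(root: Path) -> list[str]:
    return sorted(p.name for p in root.rglob("*") if p.is_file() and is_disguised_executable(p))

# Process-creation telemetry: PowerShell pulling an "image" URL to disk, as the LNK does.
_PS_FETCH = re.compile(
    r"powershell.*?(DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b)"
    r".*?https?://\S+\.(png|jpg|jpeg|webp|gif)\b",
    re.IGNORECASE,
)

def suspicious_powershell(cmdline: str) -> bool:
    return bool(_PS_FETCH.search(cmdline))

def demo() -> list[str]:
    """Write constructed samples to a temp dir and scan them (expected: two hits)."""
    samples = {
        "chrome_proxy.pdf": b"MZ\x90\x00" + b"\0" * 60,  # PE bytes under a PDF name
        "photo.webp": b"MZ\x90\x00" + b"\0" * 60,        # PE bytes under an image name
        "real.webp": b"RIFF\x24\x00\x00\x00WEBPVP8 " + b"\0" * 20,
    }
    with TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return scan_dir(Path(tmp))
```

Run `demo()` to scan the constructed files; point `scan_dir` at a download or mail-attachment folder and feed `suspicious_powershell` process-creation command lines to use it on real telemetry.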
