Sapphire Werewolf Enhances Toolkit With New Amethyst Stealer to Attack Energy Companies

Cybersecurity experts have detected a sophisticated campaign targeting energy sector companies, as the threat actor known as Sapphire Werewolf deploys an enhanced version of the Amethyst stealer malware.

The campaign represents a significant evolution in the group’s capabilities, featuring advanced evasion techniques and expanded data exfiltration functionality.

This malware deployment is part of a broader pattern of increasingly sophisticated attacks against critical infrastructure targets worldwide.

The initial attack vector remains consistent with previous Sapphire Werewolf campaigns, utilizing phishing emails that masquerade as official human resources communications.

Phishing email (Source – Bi.Zone)

The malicious attachment appears as a RAR archive named “записка.rar” containing an executable disguised with a PDF icon.

Upon execution, this initial loader unpacks and deploys the main Amethyst stealer payload, which has been protected using .NET Reactor obfuscation technology to evade detection by common security tools.

BI.ZONE researchers identified this campaign on April 9, 2025, noting that the threat actor has significantly refined their toolkit.

The malware employs a sophisticated multi-stage infection process, first loading a Base64-encoded PE file into memory through Assembly.Load() and Invoke() methods, avoiding writing the malicious payload to disk where it might be detected by security solutions.
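The in-memory loading step described above leaves one artifact a defender can hunt for: the Base64 text of a complete PE image has to live somewhere in the first-stage sample. The following script is an added triage example, not code from the BI.ZONE report or from the Amethyst sample; it scans a file for long Base64 runs (both as plain ASCII text and as the UTF-16LE literals that .NET stores in its #US heap), decodes each run, and reports those whose decoded bytes carry an MZ header with a valid e_lfanew pointing at the PE signature. The 1024-character minimum and the test carriers are constructed for this example.

```python
import base64
import re
import struct

# Long Base64 runs as they appear in an ASCII text dump of a sample (first) and
# as UTF-16LE string literals inside a .NET #US heap (second). The 1024-char
# minimum is an assumption chosen to skip short configuration strings.
CANDIDATES = [
    (re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}"), lambda raw: raw),
    (re.compile(rb"(?:[A-Za-z0-9+/]\x00){1024,}(?:=\x00){0,2}"), lambda raw: raw[::2]),
]


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> list:
    """Return (offset, decoded_size) for every Base64 run that decodes to a PE image."""
    hits = []
    for pattern, to_ascii in CANDIDATES:
        for m in pattern.finditer(data):
            text = to_ascii(m.group(0)).rstrip(b"=")
            text += b"=" * (-len(text) % 4)      # restore padding after stripping
            try:
                decoded = base64.b64decode(text, validate=True)
            except ValueError:                   # binascii.Error is a ValueError subclass
                continue
            if looks_like_pe(decoded):
                hits.append((m.start(), len(decoded)))
    return sorted(hits)


def build_fake_pe(size: int = 2048) -> bytes:
    """Constructed stand-in for a payload: MZ stub, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def constructed_samples() -> dict:
    """Constructed carriers: C# source text, a UTF-16LE literal as .NET stores it, and clean text."""
    b64 = base64.b64encode(build_fake_pe())
    return {
        "ascii": b'string s = "' + b64 + b'";\n',
        "utf16": b"\x00\x00" + b64.decode("ascii").encode("utf-16le") + b"\x00\x00",
        "clean": b"no payload here, just an ordinary log line\n" * 50,
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, find_embedded_pe(data))
```

Run it against the unpacked first stage rather than the .NET Reactor-protected binary: the obfuscator rewrites string storage, so the raw sample will often show nothing while the dumped or deobfuscated assembly shows the payload at once.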

Base64-encoded PE file (Source – Bi.Zone)

The Amethyst stealer’s primary function is credential theft, targeting authentication data from multiple applications including Telegram and various browsers such as Chrome, Opera, Yandex, Brave, and Edge.

Additional functionality enables the malware to extract SSH configuration files, remote desktop settings, and VPN client credentials, providing attackers with multiple vectors for maintaining persistent access to compromised networks.

Advanced VM Detection Capabilities

What distinguishes this latest version of Amethyst is its comprehensive suite of virtual machine detection mechanisms designed to prevent analysis.

The malware employs multiple techniques to identify virtualized environments, including probing for a VirtualBox-specific device object, as seen in the following code:

using System.IO;

public static bool CheckVirtualDevice()
{
    // Try to open the VirtualBox shared-folder driver device. The open only
    // succeeds inside a VirtualBox guest, so success is taken as "running in a VM".
    bool result;
    try
    {
        // Verbatim string: the device path is \\.\VBoxMiniRdrDN
        using (File.Open(@"\\.\VBoxMiniRdrDN", FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            result = true;
        }
    }
    catch
    {
        // Any failure (device absent, access denied) is treated as "not a VM".
        result = false;
    }
    return result;
}

The malware further extends its evasion capabilities through WMI queries examining hardware characteristics, including processor manufacturer details, motherboard information, BIOS serial numbers, and disk model data.

If virtualization is detected, the malware alters its behavior to avoid revealing its full capabilities to security researchers.
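The device probe and the WMI hardware checks both leave recognisable strings in the unpacked assembly, which is what an analyst can key on when triaging a sample or when deciding whether a sandbox run that showed little behaviour was simply evaded. The script below is an added example, not BI.ZONE's tooling or any code from the stealer itself: it extracts printable ASCII and UTF-16LE strings from a blob and groups matches by the evasion technique they point to. The device name comes from the report; the specific WMI classes (Win32_Processor, Win32_BaseBoard, Win32_BIOS, Win32_DiskDrive), the WQL text and the sample blob are assumptions constructed for the example.

```python
import re

# Indicator patterns grouped by the technique described in the report. Which
# WMI classes back the "processor, motherboard, BIOS and disk" queries is an
# assumption based on common usage, not something the report lists.
INDICATORS = {
    "virtualbox_device": [r"VBoxMiniRdrDN"],
    "wmi_hardware_query": [
        r"SELECT .+ FROM Win32_(Processor|BaseBoard|BIOS|DiskDrive)",
        r"ManagementObjectSearcher",
    ],
    "vm_vendor_string": [r"VirtualBox", r"VMware", r"QEMU", r"innotek"],
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list:
    """Printable runs of 6+ chars: ASCII (metadata names) and UTF-16LE (#US heap literals)."""
    found = [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group(0)[::2].decode("ascii") for m in UTF16_RUN.finditer(data)]
    return found


def scan_for_anti_vm(data: bytes) -> dict:
    """Map each indicator category to the sorted matching strings; empty categories are omitted."""
    strings = extract_strings(data)
    report = {}
    for category, patterns in INDICATORS.items():
        hits = sorted({s for s in strings if any(re.search(p, s, re.IGNORECASE) for p in patterns)})
        if hits:
            report[category] = hits
    return report


def constructed_sample() -> bytes:
    """Constructed blob laid out like .NET metadata: UTF-16LE literals plus an ASCII type name."""
    literals = [
        "\\\\.\\VBoxMiniRdrDN",                      # the device path named in the report
        "SELECT Manufacturer FROM Win32_Processor",  # assumed WQL for the processor check
        "SELECT SerialNumber FROM Win32_BIOS",       # assumed WQL for the BIOS serial check
        "status: upload complete",                   # benign filler that must not match
    ]
    blob = b"\x00" * 16
    for s in literals:
        blob += s.encode("utf-16le") + b"\x00\x00"
    blob += b"ManagementObjectSearcher\x00"           # ASCII, as type names sit in the #Strings heap
    return blob


if __name__ == "__main__":
    for category, hits in scan_for_anti_vm(constructed_sample()).items():
        print(f"{category}: {hits}")
```

A sample that hits the `wmi_hardware_query` category is a candidate for re-detonation on bare metal or on a VM whose processor, baseboard, BIOS and disk strings have been changed from the hypervisor defaults; otherwise the dynamic run may only show the reduced behaviour the report mentions.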

Additionally, Amethyst implements Triple DES symmetric encryption for string obfuscation, applying encryption to nearly every string parameter used in function calls rather than encrypting entire code blocks.

This technique significantly complicates static analysis by security tools, because no meaningful string is visible until the decryption routine runs; BI.ZONE's report includes a code fragment demonstrating the decryption process in action.

Once credentials are harvested, the malware stages the data locally before exfiltrating it through Telegram channels, providing attackers with a convenient and difficult-to-block command and control infrastructure.
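Because the exfiltration channel is a legitimate, widely used service, blocking it outright is rarely an option; the practical detection is to watch egress logs for the specific API calls a stealer needs. The script below is an added example and not part of the report or the malware: it parses a constructed proxy log format and raises an alert for requests to the Telegram Bot API's sendDocument or sendMessage methods, keeping only the numeric bot id so the secret part of the token never lands in an alert. That the stealer uses the Bot API over HTTPS, rather than some other Telegram transport, is an assumption; the report only states that data leaves via Telegram. The bot token and log lines are made up.

```python
import re
from dataclasses import dataclass

# Bot API requests have the form https://api.telegram.org/bot<id>:<token>/<method>.
# sendDocument and sendMessage are the calls that push a file or text to a chat;
# flagging them is an assumption about the transport, not a fact from the report.
BOT_CALL = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(sendDocument|sendMessage)\b")
TELEGRAM_API = "api.telegram.org"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    http_method: str
    bot_id: str      # numeric part of the token only; the secret part is dropped on purpose
    api_method: str


def parse_proxy_line(line: str):
    """Constructed proxy log format: '<timestamp> <client_ip> <HTTP method> <host> <path>'."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "client", "http_method", "host", "path"), parts))


def detect_telegram_exfil(lines) -> list:
    """Return an Alert for every request that calls a Telegram bot send method."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["host"].lower() != TELEGRAM_API:
            continue
        m = BOT_CALL.match(rec["path"])
        if m:
            alerts.append(Alert(rec["timestamp"], rec["client"], rec["http_method"],
                                m.group(1), m.group(2)))
    return alerts


# Constructed sample lines; the bot token and addresses are made up.
SAMPLE_LOG = [
    "2025-04-09T10:00:01Z 10.0.5.23 GET  www.example.com /index.html",
    "2025-04-09T10:00:07Z 10.0.5.23 POST api.telegram.org /bot123456789:AAExampleTokenValue/sendDocument",
    "2025-04-09T10:00:09Z 10.0.5.23 POST api.telegram.org /bot123456789:AAExampleTokenValue/sendMessage",
    "2025-04-09T10:00:12Z 10.0.5.40 GET  api.telegram.org /bot987654321:AnotherFakeToken/getMe",
    "malformed line",
]

if __name__ == "__main__":
    for alert in detect_telegram_exfil(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same match would be expressed as a proxy or NDR rule; the value of a script like this is in tuning it first against historical logs to learn which internal hosts legitimately talk to the Bot API, so that a sendDocument from a workstation in the finance or engineering VLAN stands out.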
