Silent Werewolf
Silent Werewolf is a threat actor tracked under that name. Reporting in 2025 describes malware campaigns against organizations in Russia and Moldova, with historical targeting of organizations in Russia, Belarus, Ukraine, Moldova, and Serbia since at least 2011. Reported victim sectors in Russia include nuclear, aircraft, instrumentation, and mechanical engineering, and one campaign was described as targeting Eastern European governmental entities, with at least one confirmed target in the Minsk region. Artifacts also suggested interest in Russian retail, financial institutions, large insurance companies, and governmental postal services.

The group relies on phishing for initial access. In March 2025 campaigns it used phishing emails or phishing links delivering ZIP archives that contained LNK files and nested ZIP archives. The delivery chain included a decoy PDF, a legitimate renamed executable, and a malicious DLL that the executable loaded through DLL sideloading; one observed pairing was DeviceMetadataWizard.exe with a C# loader named d3d9.dll. BI.ZONE also associated Silent Werewolf with DLL sideloading in campaigns against Moldovan and Russian companies.

Malware and tooling associated with Silent Werewolf in the available reporting include XDigo, XDSpy, and DSDownloader, with XDigo assessed as the likely payload of the March 2025 activity. The sideloaded DLL in that chain was described as a first-stage downloader dubbed ETDownloader, likely intended to deploy XDigo. XDigo is a Go-based implant that can harvest files, extract clipboard contents, capture screenshots, execute commands or binaries retrieved from a remote server via HTTP GET, and exfiltrate data via HTTP POST.

The available reporting does not attribute Silent Werewolf to a nation state, but its targeting and long-running activity indicate an espionage-oriented actor focused on Eastern Europe, and especially on Russian- and Moldovan-linked organizations.
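The ZIP-in-ZIP-with-LNK layout above is easy to triage statically before anything is opened. The script below is an added example written for this page, not code from BI.ZONE or any other cited source: it walks a ZIP archive, identifies members by magic bytes rather than by extension (the lure is typically a double-extension LNK), recurses into nested archives with a depth and size guard, and flags an EXE sitting next to a DLL in the same directory, which is the sideload layout described above. The archive it scans is constructed in memory with the file names from the page; the LNK and PE bodies are just their magic bytes plus padding, and the depth and size limits are assumptions to tune.

```python
"""Static triage of a phishing ZIP for the LNK / nested-ZIP / EXE+DLL pattern.

Added example for this page, not code from the cited reports. The archive
built by build_sample_archive() is constructed: the member names follow the
chain described on the page, the LNK and PE contents are magic bytes only.
"""
from __future__ import annotations

import io
import ntpath
import zipfile

# ShellLinkHeader: HeaderSize 0x4C followed by the ShellLink CLSID, little-endian.
LNK_MAGIC = bytes.fromhex("4c00000001140200000000000c0000000000000046")
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
MAX_DEPTH = 3                         # assumption: deeper nesting is reported, not opened
MAX_NESTED_BYTES = 50 * 1024 * 1024   # assumption: zip-bomb guard for nested members


def _kind(head: bytes, name: str) -> str:
    """Classify a member by its leading bytes, using the extension only to split EXE/DLL."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(PE_MAGIC):
        return "dll" if name.lower().endswith(".dll") else "exe"
    return "other"


def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> list[tuple[str, str]]:
    """Return (member_path, finding) pairs for an archive and the archives nested in it."""
    findings: list[tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "bad-zip")]
    with zf:
        kinds: dict[str, str] = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            with zf.open(info) as fh:
                head = fh.read(64)            # only the header is needed to classify
            kind = _kind(head, info.filename)
            kinds[path] = kind
            if kind == "lnk":
                findings.append((path, "lnk-member"))
            elif kind == "zip":
                findings.append((path, "nested-archive"))
                if depth >= MAX_DEPTH:
                    findings.append((path, "max-depth-not-opened"))
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "oversized-not-opened"))
                else:
                    findings.extend(scan_zip(zf.read(info), prefix=path + "!/", depth=depth + 1))
            elif kind in ("exe", "dll"):
                findings.append((path, f"pe-{kind}"))
        # An EXE and a DLL dropped into the same directory is the sideload staging layout.
        exe_dirs = {ntpath.dirname(p) for p, k in kinds.items() if k == "exe"}
        for p, k in kinds.items():
            if k == "dll" and ntpath.dirname(p) in exe_dirs:
                findings.append((p, "exe-dll-same-dir"))
    return findings


def verdict(findings: list[tuple[str, str]]) -> str:
    tags = {tag for _, tag in findings}
    if "lnk-member" in tags and ({"nested-archive", "pe-exe", "pe-dll"} & tags):
        return "suspicious: LNK lure plus nested archive or PE payload"
    if "exe-dll-same-dir" in tags:
        return "suspicious: EXE+DLL pair (possible sideload staging)"
    return "no chain indicators"


def build_sample_archive() -> bytes:
    """Constructed lure archive mirroring the page's layout (decoy PDF, EXE, DLL, LNK)."""
    def fake(magic: bytes, size: int = 512) -> bytes:
        return magic + b"\x00" * (size - len(magic))

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Brief.pdf", b"%PDF-1.4\n%decoy\n")
        z.writestr("DeviceMetadataWizard.exe", fake(PE_MAGIC))
        z.writestr("d3d9.dll", fake(PE_MAGIC))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Brief.pdf.lnk", fake(LNK_MAGIC))
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    hits = scan_zip(build_sample_archive())
    for path, tag in hits:
        print(f"{tag:22s} {path}")
    print(verdict(hits))
```

Matching on magic bytes matters because the lure relies on the extension being hidden or misread; the same check also catches a PE renamed to .pdf. The size and depth guards keep the scanner from inflating a nested bomb, and the `!/` separator in paths is only a display convention for "inside this archive".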
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, and it has been exploited in the wild.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Phishing-led intrusions in Russia/Moldova using LNK/ZIP chains and DLL sideloading to run a loader that fetches a second-stage payload (likely XDigo).
Activity cluster tracked by BI.ZONE associated with the same LNK/ZIP multi-stage infection chain used to compromise Moldovan and Russian companies, delivering downloader/stealer tooling consistent with the XDSpy ecosystem described in the report.
Silent Werewolf is a cyber espionage group active since at least 2011, targeting organizations in Russia, Belarus, Ukraine, Moldova, and Serbia with phishing campaigns delivering malware such as XDSpy, XDigo, and DSDownloader.