Scaly Wolf Hackers Target Organizations to Steal Secrets


The cybersecurity world is once again witnessing the rise of advanced threat actors, with groups adopting increasingly complex attack chains to infiltrate corporate systems and extract confidential information.

A new investigation by security experts has revealed an ongoing campaign conducted by the Scaly Wolf Advanced Persistent Threat (APT) group. This operation successfully compromised a Russian engineering firm using a carefully staged, multi-layered attack that highlights the group’s persistence and sophistication.

Initial Attack Vector

The campaign, which began in May 2025, started with a classic but still effective method: phishing emails. These emails carried malicious PDF attachments and password-protected ZIP archives, disguised as financial records.

The PDF decoy and the ZIP archive attached to one of the emails (Source: Dr.Web)

Once opened, these documents acted as the first entry point, allowing attackers to gain a foothold in the targeted network.

Over several weeks, the attackers escalated their intrusion, moving deeper into the company’s infrastructure until multiple systems were under their control.

A key social engineering trick was the use of files with double extensions (.pdf.exe). Since Windows hides known file extensions by default, victims often mistook these for safe PDF files and unknowingly executed the malware instead.
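A mail gateway or endpoint can flag this lure mechanically. The check below is an added example written for this article, not code from Dr.Web or from the campaign: it treats an attachment as suspicious when its final extension is one Windows executes directly and the extension just before it is a document type a victim would expect to open. The attachment names are constructed samples; the extension lists are this example's assumptions and should be tuned to the environment.

```python
# Extensions Windows will execute directly when double-clicked (assumed list)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi"}
# Extensions a victim expects to open harmlessly; the "visible" half of the lure
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'invoice.pdf.exe' (case-insensitive).

    Space padding between the two extensions ("a.pdf     .exe"), a common
    trick to push the real extension out of view, is stripped before the check.
    """
    # Keep only the base name, whatever path separator the logging system used
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 3:
        return False
    return ("." + parts[-1] in EXECUTABLE_EXTS
            and "." + parts[-2] in DOCUMENT_EXTS)


def scan_attachments(names):
    """Return the subset of attachment names that match the lure pattern."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample attachment names (not from the real campaign)
SAMPLE_ATTACHMENTS = [
    "Invoice_May2025.pdf.exe",
    "act_of_reconciliation.pdf",
    "payment_order.docx.scr",
    "scan0001.jpg",
    "report.PDF   .exe",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for name in scan_attachments(SAMPLE_ATTACHMENTS):
        print("suspicious double extension:", name)
```

Because the archives in this campaign were password-protected, a gateway cannot see the names inside them; the same check should therefore also run on the endpoint at extraction time. On the endpoint itself, the root cause is the hidden-extension default: turning off "Hide extensions for known file types" in Explorer (the HideFileExt setting) lets users see the real extension.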

Dr.Web analysts linked the activity to Scaly Wolf by identifying unique indicators within the malicious code.

Attack chain (Source: Dr.Web)

Evolution of Tactics

Unlike previous attacks, the group shifted away from Malware-as-a-Service trojans and instead deployed its own custom modular backdoor framework.

The infection chain began with Trojan.Updatar.1, which then downloaded additional payloads, including Trojan.Updatar.2 and Trojan.Updatar.3.

The attackers also used legitimate tools such as:

  • The Metasploit framework
  • BITS service tasks (Background Intelligent Transfer Service)
  • Remote Desktop Protocol (RDP)

These tools helped maintain persistence and enabled lateral movement within the compromised network, making detection much harder.

RockYou Obfuscation: Advanced Evasion

One of the most notable aspects of this campaign was a new technique called “RockYou Obfuscation”, discovered by Dr.Web analysts.

This method made malware analysis significantly harder by initializing strings from the well-known RockYou.txt password dictionary (over 30 million leaked passwords).

The malware continuously processed these dummy strings, which served as a decoy layer. Meanwhile, the actual strings used in the attack were XOR-encoded and further scrambled with small offset manipulations.

// RockYou strings used as decoys (array of string pointers, not a char array)
const char *dummy_strings[] = {"password123", "qwerty", "letmein"};
// XOR-encoded malicious payload; key and offset are generated per sample
unsigned char encoded_payload[256];
xor_decode(encoded_payload, sizeof encoded_payload, random_key, small_offset);

Each sample of Trojan.Updatar.1 generated randomized keys and offsets, ensuring that signature-based detection tools became unreliable.
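The following is an added analysis example, not code from the Dr.Web report or from the malware: it shows why the per-sample key defeats byte signatures, and how an analyst recovers the hidden strings anyway. The exact scheme (shift each byte by a small offset, then XOR with one key byte) is this example's assumption; the report only says XOR with small offset manipulations. The decoy set is a tiny constructed stand-in for RockYou.txt, and the encoded string table is constructed here rather than extracted from a real sample. The recovery step relies on the property the article describes: one key and one offset per sample, so the correct pair is the one under which every segment of the table decodes to a plausible configuration string.

```python
import string


def obfuscate(plain: bytes, key: int, offset: int) -> bytes:
    """Assumed per-sample scheme: enc[i] = ((plain[i] + offset) & 0xFF) ^ key."""
    return bytes(((b + offset) & 0xFF) ^ key for b in plain)


def deobfuscate(data: bytes, key: int, offset: int) -> bytes:
    """Inverse of obfuscate()."""
    return bytes(((b ^ key) - offset) & 0xFF for b in data)


# Constructed stand-in for RockYou.txt; real triage loads the full wordlist
ROCKYOU_DECOYS = {"password123", "qwerty", "letmein", "123456", "iloveyou"}

# Characters expected in C2 URLs, file paths and mutex names (assumption)
ALLOWED = set((string.ascii_letters + string.digits + " ./\\:-_@?=&%").encode())


def looks_like_config_string(seg: bytes, min_len: int = 8) -> bool:
    return len(seg) >= min_len and all(c in ALLOWED for c in seg)


def drop_decoys(visible_strings):
    """Filter the output of a `strings`-style pass against the decoy list."""
    return [s for s in visible_strings if s not in ROCKYOU_DECOYS]


def recover_key(blob: bytes, max_offset: int = 16):
    """Brute-force (key, offset) over an encoded NUL-separated string table.

    Returns (key, offset, decoded_strings) for the pair under which the most
    segments decode to plausible configuration strings.
    """
    best_count, best = 0, (None, None, [])
    for key in range(256):
        for offset in range(max_offset):
            segs = deobfuscate(blob, key, offset).split(b"\x00")
            good = [s.decode() for s in segs if looks_like_config_string(s)]
            if len(good) > best_count:
                best_count, best = len(good), (key, offset, good)
    return best


def distinct_encodings(plain: bytes, key_offset_pairs) -> int:
    """How many different byte patterns one plaintext produces across samples."""
    return len({obfuscate(plain, k, o) for k, o in key_offset_pairs})


# Constructed sample: what `strings` shows (all decoys) and the encoded table
SAMPLE_VISIBLE = ["password123", "qwerty", "letmein"]
REAL_STRINGS = [
    "http://c2.example.invalid/update",   # constructed, reserved TLD
    "C:\\ProgramData\\update.dat",        # constructed path
    "Global\\sync-mutex-01",              # constructed mutex name
]
SAMPLE_KEY, SAMPLE_OFFSET = 0x5A, 3
SAMPLE_BLOB = obfuscate(b"\x00".join(s.encode() for s in REAL_STRINGS),
                        SAMPLE_KEY, SAMPLE_OFFSET)

if __name__ == "__main__":
    print("non-decoy visible strings:", drop_decoys(SAMPLE_VISIBLE))
    key, offset, found = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x} offset={offset}")
    for s in found:
        print("  ", s)
```

Two points follow from running it. A byte signature written over one sample's encoded table will not match another sample, because a different key or offset changes every byte; detection therefore has to key on behaviour (the decoder loop, the decoy-processing routine, the network and persistence activity) rather than on the encoded bytes. Conversely, the obfuscation costs an analyst only a 256 × 16 brute force once the table is located, so its value to the attacker lies in defeating automation, not human analysis.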

This technique reflects how cybercriminals continue to repurpose security resources like RockYou.txt, originally intended for penetration testing, into powerful evasion methods for malicious campaigns.