Approaching Cyclone: Vortex Werewolf Attacks Russia
A new activity cluster is spreading malware through phishing attacks targeting Russia. The attacks rely on fake pages that imitate Telegram file-download pages. The referenced article likely details the structure of these attacks, showing how the actors exploit user trust in the popular messaging platform to deliver their payload. This emerging threat, dubbed Vortex Werewolf, appears to be a sophisticated campaign specifically targeting Russian users or entities.
AI Analysis
Technical Summary
The Vortex Werewolf campaign is a newly identified malware distribution operation that primarily targets Russian users through phishing. The attackers create fake web pages that impersonate legitimate Telegram file-download pages, exploiting Telegram's widespread use and trust in Russia. Victims are lured into downloading malicious files presented as legitimate content; opening them executes malware on the victim's system. The campaign maps to several MITRE ATT&CK techniques: T1566 (Phishing), specifically T1566.002 (Spearphishing Link), T1059 (Command and Scripting Interpreter), and T1204.001 (User Execution: Malicious File). Together these indicate a multi-stage attack that relies on social engineering to deliver and execute the payload. While the campaign currently focuses on Russian targets, the use of Telegram as a delivery vector means any user or organization that relies on Telegram for file sharing could be at risk if the campaign expands. No exploits are reported in the wild and no specific software vulnerabilities are exploited, so the attack depends on user deception and social engineering rather than technical exploitation. The medium severity rating reflects the campaign's targeted nature, the need for user interaction, and the absence of automated exploitation. The sophistication of the fake pages and the impersonation of a trusted platform increase the likelihood of successful compromise among targeted users.
Potential Impact
For European organizations, the primary impact of the Vortex Werewolf campaign lies in potential compromise through social engineering targeting employees or partners with Russian connections or those who use Telegram extensively. Successful infections could lead to malware execution, potentially resulting in data theft, espionage, or lateral movement within networks. Organizations with Russian-speaking staff or business operations involving Russia are at higher risk. The campaign could disrupt operations, compromise sensitive information, and damage trust in communication channels. Additionally, if the campaign expands beyond Russia, European entities using Telegram for file sharing could become direct targets. The reliance on phishing and user execution means that the threat could bypass traditional perimeter defenses if users are not adequately trained or if email/web filtering is insufficient. Given the geopolitical tensions involving Russia, this campaign may also be part of broader cyber espionage or influence operations, increasing its strategic impact on European critical infrastructure and governmental organizations.
Mitigation Recommendations
To mitigate the Vortex Werewolf threat, European organizations should implement targeted user awareness training focusing on the risks of phishing and the specific threat of fake Telegram download pages. Email and web filtering solutions should be configured to detect and block phishing URLs and malicious attachments, especially those mimicking Telegram or related services. Network monitoring should include detection of unusual Telegram-related traffic or file downloads. Organizations should enforce strict policies on downloading and executing files from untrusted sources, including messaging platforms. Multi-factor authentication (MFA) should be enabled on all user accounts to reduce the impact of credential compromise. Incident response teams should be prepared to analyze suspicious Telegram-related activity and respond quickly to potential infections. Collaboration with threat intelligence providers to monitor updates on Vortex Werewolf indicators and tactics is recommended. Finally, organizations should consider restricting or monitoring the use of Telegram for file sharing in sensitive environments until the threat subsides.
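As an added example (not part of the AlienVault pulse or the BI.ZONE report), the following Python scans web-proxy log lines for the pattern this campaign uses: Telegram-branded hostnames on unrelated domains, the fake Telegram API path, and the download-page query keys (cuid, tuid, cloud_access, folder) that recur in the listed URLs. The proxy log format and the list of legitimate Telegram hosts are assumptions; the sample log is constructed, except that one URL is taken from this page's indicator list.

```python
"""Flag web-proxy log lines whose destination impersonates Telegram file downloads."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts Telegram actually serves from (assumption: extend for your environment).
LEGIT_TELEGRAM_SUFFIXES = ("telegram.org", "t.me", "telegram.me", "telesco.pe")
# Brand tokens seen in the campaign's lookalike hostnames (telegram-files, tg-media, teleinfo).
BRAND_TOKENS = re.compile(r"telegram|teleinfo|(?:^|\.)tg[-.]", re.I)
# Query keys that recur across the fake download-page URLs listed in this report.
SUSPICIOUS_KEYS = {"cuid", "tuid", "cloud_access", "access_hash", "folder"}
# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def is_legit_telegram_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_TELEGRAM_SUFFIXES)


def classify_url(url):
    """Return the reasons a URL looks like a fake Telegram download page (empty list = clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_legit_telegram_host(host):
        return []
    reasons = []
    if BRAND_TOKENS.search(host):
        reasons.append("telegram-branded hostname outside Telegram's domains")
    hit = set(parse_qs(parts.query)) & SUSPICIOUS_KEYS
    if len(hit) >= 2:  # a single generic key such as "folder" is too noisy on its own
        reasons.append("download-page query keys: " + ",".join(sorted(hit)))
    if "/telegram/api/" in parts.path.lower():
        reasons.append("fake Telegram API path on a non-Telegram host")
    return reasons


def scan_proxy_log(lines):
    """Return (client-ip, url, reasons) for every log line that trips a rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        reasons = classify_url(m["url"])
        if reasons:
            alerts.append((m["src"], m["url"], reasons))
    return alerts


# Constructed sample log; the second URL is taken from this report's indicator list.
SAMPLE_LOG = [
    "2026-01-29T07:50:59Z 10.0.0.12 GET https://t.me/examplechannel 200",
    "2026-01-29T07:51:10Z 10.0.0.12 GET https://telegram-files.trustedfiles.org/?cuid=vG7LLN&cloud_access=E20340B73A&tuid=2bWqrF&hash=d3BdF6F9Bd&folder=520e66fe3F 200",
    "2026-01-29T07:51:12Z 10.0.0.12 GET https://tg-media.example.test/telegram/api/v1/file/deadbeef/ 200",
    "2026-01-29T07:52:00Z 10.0.0.33 GET https://web.telegram.org/a/ 200",
    "2026-01-29T07:53:00Z 10.0.0.41 GET https://files.example.test/?cuid=1&tuid=2 200",
]

if __name__ == "__main__":
    for src, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {url}\n    " + "; ".join(reasons))
```

Genuine Telegram hosts are whitelisted first, so the rules only fire on lookalikes; tune LEGIT_TELEGRAM_SUFFIXES and the key threshold against your own traffic before alerting on it.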
Affected Countries
Russia, Germany, United Kingdom, France, Italy, Poland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://bi.zone/expertise/blog/nadvigayushchiysya-tsiklon-vortex-werewolf-atakuet-rossiyu/
- Adversary: Vortex Werewolf
- Pulse Id: 697b0eae1add7406158cd075
- Threat Score: null
Threat ID: 697b11634623b1157c786762
Added to database: 1/29/2026, 7:50:59 AM
Last enriched: 1/29/2026, 7:57:39 AM
Last updated: 1/30/2026, 2:18:46 AM