Massive offensive launched on Russian businesses
In May and June 2026, the Clubfoot Wolf cluster executed a large-scale phishing campaign targeting Russian organizations across manufacturing, retail, e-commerce, agriculture, IT, transportation, healthcare, and science sectors, with primary focus on wholesale distributors of chemical products. Several Belarusian organizations were also compromised. The adversary sent phishing emails disguised as invoices or purchase requests, containing ZIP archives with decoy documents and malicious LNK files. Upon execution, a PowerShell script downloaded and installed NetSupport Manager, a legitimate remote administration tool, which was then used for malicious activities. The attackers employed URL shorteners to hide infrastructure and used multiple decoy files to build victim trust. The campaign demonstrated continuous evolution in delivery methods and infection chains.
AI Analysis
Technical Summary
The Clubfoot Wolf cluster executed a widespread phishing campaign in mid-2026 targeting Russian and some Belarusian organizations across diverse industries, focusing on wholesale chemical distributors. The attack vector involved phishing emails with ZIP attachments containing decoy documents and malicious LNK files. When executed, these LNK files launched PowerShell scripts that downloaded and installed NetSupport Manager, a legitimate remote administration tool leveraged by the attackers for unauthorized remote access and control. The adversary employed URL shorteners to obscure command and control infrastructure and used multiple decoy files to increase victim trust. The campaign demonstrated adaptive delivery and infection techniques over time.
Potential Impact
The campaign enabled attackers to gain remote access to targeted organizations by abusing a legitimate remote administration tool, potentially allowing data theft, espionage, or further network compromise. The use of phishing and social engineering increased the likelihood of initial infection. The targeting of critical sectors such as manufacturing, chemical distribution, healthcare, and IT could have significant operational and economic impacts on affected organizations.
Mitigation Recommendations
No official patch or fix is applicable as this is a phishing and social engineering campaign leveraging legitimate software. Organizations should enhance phishing detection and user awareness training, implement email filtering to block malicious attachments, and monitor for unauthorized use of remote administration tools like NetSupport Manager. Restricting or monitoring PowerShell script execution and LNK file handling can reduce risk. Since no vendor advisory or patch is indicated, check relevant security advisories for updates on detection and prevention.
Affected Countries
Russia, Belarus
Indicators of Compromise
- domain: imhfamily.com
- hash: b24b8d96ebea10cb7e9ffb73256cc46f9041123e7c2cc26fe92d355a8378a87c
- domain: fleepsterones.fun
- hash: 490585f82a0ddaafd9eead803859e06dafc0219a5bd1c08482c98f3d37eec231
- hash: 31b0f515012355e104a1e4f10baff85c3066a037f17272ce9c2445fd8377a96a
- url: https://sunlightfriends.tech/latest/news
- hash: 38d96dd1c26a7a98c8b55c925863d0f5c8c099a73192c65e3a1e47ea636d3d29
- hash: 1e5c289739f75271e0f5136b93d0dae7
- hash: 56cc6b8260c676dca2ee4e4ef4785373
- hash: 5c56fd9d306a62642cfe6c6b3989efdd
- hash: 909194b6162b9c1c4e4e88dc1e8d4c9a
- hash: 9cc761eefd1cd30408a4328aec6ea511
- hash: c9386d789015d30f85546d04c1331f60
- hash: ce89b9cb3ba97432bc7d06c72e9149b0
- hash: ddc68b4d2612db3c44f3590ee3603eb6
- hash: fc00460dda7b44a1fea71cf24f4cfa6d
- hash: 44785a4297a233cf36adbe1ac7cb0523372d1338
- hash: 54ba6a4ee9d006f60e74c3fc749d6ece9ae7e90d
- hash: 6a495bafab006d577bebd4ef1ec026cda1d360b2
- hash: 82c03c4ee142e862da2e736c691caa65fecc2acb
- hash: ba33bbe881c02e628ea8f2751749ee9afb4c2441
- hash: c65f5d8b9072aefafeee73227610f4082843762a
- hash: c8d51044d37f247937616adb489836c62b25b599
- hash: d1813eb15ed321fc7fa4e1c8c0552a02fc789d69
- hash: fbdb66de614bd41a1d68f3fa0abc85fb092b28bc
- hash: 03dbaee9cbc05abb6a35fd7804dcf7e83e0675da40eabcfd161d1d6b387363b3
- hash: 0c2947904711ef63ac3cc24ba2e7a059e318dc219d14eeaebb6b46fd277f7f3d
- hash: 100e0ca51a6a25efac16627be80c7ce992a5506470136e43cb8b24d8828ba82b
- hash: 11ad9f6c235ea561317d89590fa41d75348019850735b998b60661635ad99e9a
- hash: 20c8fd700796b80ea093e23ec812943adfc63c3b8653bb09b581fd7f4127c652
- hash: 3325be6c18c35b66e7f527950af97a4235e04d026a81780c135d6cec3f8245db
- hash: 41c1b4b09cb3185075f57befd5278119ee0a952418144779898378f0963897e9
- hash: 45154678b808a70316f0172a5012ffdfc7d7ddcde856440099fcdbad64e84ddb
- hash: 4972b6583645d28600f076e73def05890b54a9d98c8b328d61f421c79a021db6
- hash: 53c6a0a51ef3cf9d38034a7600c94e1ae3968dbec5bbb5d9fdcd26764c6b30e2
- hash: 644ad315071324e7f86e9b04dfc7dae515ca1a7ae386b21207c4ab38d1a164d6
- hash: 6478585efed46b0616ca201c51464de7af5ba8985c3b948f9b67db09cbd62e97
- hash: 6a8dfd602daa3b9dc2ceb146837a7966a37af8ab224ed11478e1f6d87f375b7f
- hash: 73bd4f12f3e7d155dfbcb6d016b99d40cce8554964ecc51de40b70fab3a4c3a5
- hash: 79f169be997f883ef02559a0af3f014f63c1c0308931913decd79c0aafaf659f
- hash: 7b6f6fe88ff9d953965e81b1bed256528c93ff159156bc17b8811d7cfd5dfe47
- hash: 7f58b98e9d4b2d06dadef2b8656d337283118a135806dd711fb9de51ca63911d
- hash: 82671b7f09811ff38b3cab186776d06cc9e89d434080f1eb26fa1c35767eaca5
- hash: 8fde3f60f9ae901a9fa04888d3050c9a65fb63722a4b41a6d6ad7d38183c37d5
- hash: 9fa461bd75788d27ceb778dc0f9773d641e804b3e10103c482ba4747153178f8
- hash: aedcfbac94161f74b2ce63ad9da2f613809860fc8aa09d6ea0b57e964c47f8a8
- hash: b2e8f9f9a69c1be0d1814b064b73586afbf730e2ab9d9fb10dd5711be4febe85
- hash: b38032f5b2059cacc28246dd0b739e19b6a68daf34add740d5ce6be87354b498
- hash: b90a7f17b5406db3ee17ec4bc82a704c6128b4ad8652776b4f55bc3948fa8385
- hash: bea07bc2359e8f3ce914b0027b5548ae58c9a019f330446b2c81050cd9ca1b0d
- hash: bed54c819cc8ff502fff41f6d9c726836b6086c9afdd47f2261809196c973c38
- hash: c5a1dee1ae7f0a04dfa91481d0c1d5ad5c887a77e657def8878af600a98fd8c6
- hash: c709c30074155f8f0a431828c23cc08df6959505051578ec28659a47a4da2fa6
- hash: cdf7c97cfb494ade90886765606294db0b98a2576bc1d152bc8c4ec97672b687
- hash: cee0ad69647d4840013e836b657d8fd79b9be7389ccbc70e15c5cb96bf926f8a
- hash: d3c90e61c3ffa059658c36e39334cb38c0b23cbde46f5078705fcfad67c9f3d8
- hash: e20c0900513551265dda37ce5334c71f5b0e8b20e19f9d8391f77987e2458f20
- hash: f15e4e140fceeb393bcb2c8d61a2333b37c30270527b5c48d8440e3ec1e02ae4
- hash: fa07773b3af0539442504f86973fe2a68e040f80ebea388c5ed62d8f94eddb6a
- hash: fa877d45432e7712d1832508c77f063958a5cec05038152eb2be5e79992c3966
- hash: fb25a19a74bc7549f5e4e1f299886fb09a9d5b4fd4599c5a9b7f2d534ce71691
- url: http://akiliridge.com:1414
- url: http://glowstickspro.com:1411
- url: http://imhfamily.com:1414
- url: http://stillpaving.com:1411
- url: https://fleepsterones.fun/content/articles
- url: https://fleepsterones.fun/fashion/week
- url: https://fleepsterones.fun/media/like
- url: https://sunlightfriends.tech/beauty/series
- url: https://sunlightfriends.tech/health/shampoo
- url: https://sunlightfriends.tech/learning/portal
- url: https://sunlightfriends.tech/monthly/horoscope
- url: https://sunlightfriends.tech/nature/today
- url: https://sunlightfriends.tech/weather/news
- url: https://sunlightfriends.tech/weekly/forecast
- url: https://sunlightfriends.tech/world/library
Massive offensive launched on Russian businesses
Description
In May and June 2026, the Clubfoot Wolf cluster executed a large-scale phishing campaign targeting Russian organizations across manufacturing, retail, e-commerce, agriculture, IT, transportation, healthcare, and science sectors, with primary focus on wholesale distributors of chemical products. Several Belarusian organizations were also compromised. The adversary sent phishing emails disguised as invoices or purchase requests, containing ZIP archives with decoy documents and malicious LNK files. Upon execution, a PowerShell script downloaded and installed NetSupport Manager, a legitimate remote administration tool, which was then used for malicious activities. The attackers employed URL shorteners to hide infrastructure and used multiple decoy files to build victim trust. The campaign demonstrated continuous evolution in delivery methods and infection chains.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Clubfoot Wolf cluster executed a widespread phishing campaign in mid-2026 targeting Russian and some Belarusian organizations across diverse industries, focusing on wholesale chemical distributors. The attack vector involved phishing emails with ZIP attachments containing decoy documents and malicious LNK files. When executed, these LNK files launched PowerShell scripts that downloaded and installed NetSupport Manager, a legitimate remote administration tool leveraged by the attackers for unauthorized remote access and control. The adversary employed URL shorteners to obscure command and control infrastructure and used multiple decoy files to increase victim trust. The campaign demonstrated adaptive delivery and infection techniques over time.
Potential Impact
The campaign enabled attackers to gain remote access to targeted organizations by abusing a legitimate remote administration tool, potentially allowing data theft, espionage, or further network compromise. The use of phishing and social engineering increased the likelihood of initial infection. The targeting of critical sectors such as manufacturing, chemical distribution, healthcare, and IT could have significant operational and economic impacts on affected organizations.
Mitigation Recommendations
No official patch or fix is applicable as this is a phishing and social engineering campaign leveraging legitimate software. Organizations should enhance phishing detection and user awareness training, implement email filtering to block malicious attachments, and monitor for unauthorized use of remote administration tools like NetSupport Manager. Restricting or monitoring PowerShell script execution and LNK file handling can reduce risk. Since no vendor advisory or patch is indicated, check relevant security advisories for updates on detection and prevention.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://bi-zone.medium.com/clubfoot-wolf-launches-massive-offensive-on-russian-businesses-5c2743ff2ebd"]
- Adversary
- Clubfoot Wolf
- Pulse Id
- 6a4f99c8656ebbe895c7e9e5
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainimhfamily.com | — | |
domainfleepsterones.fun | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashb24b8d96ebea10cb7e9ffb73256cc46f9041123e7c2cc26fe92d355a8378a87c | — | |
hash490585f82a0ddaafd9eead803859e06dafc0219a5bd1c08482c98f3d37eec231 | — | |
hash31b0f515012355e104a1e4f10baff85c3066a037f17272ce9c2445fd8377a96a | — | |
hash38d96dd1c26a7a98c8b55c925863d0f5c8c099a73192c65e3a1e47ea636d3d29 | — | |
hash1e5c289739f75271e0f5136b93d0dae7 | — | |
hash56cc6b8260c676dca2ee4e4ef4785373 | — | |
hash5c56fd9d306a62642cfe6c6b3989efdd | — | |
hash909194b6162b9c1c4e4e88dc1e8d4c9a | — | |
hash9cc761eefd1cd30408a4328aec6ea511 | — | |
hashc9386d789015d30f85546d04c1331f60 | — | |
hashce89b9cb3ba97432bc7d06c72e9149b0 | — | |
hashddc68b4d2612db3c44f3590ee3603eb6 | — | |
hashfc00460dda7b44a1fea71cf24f4cfa6d | — | |
hash44785a4297a233cf36adbe1ac7cb0523372d1338 | — | |
hash54ba6a4ee9d006f60e74c3fc749d6ece9ae7e90d | — | |
hash6a495bafab006d577bebd4ef1ec026cda1d360b2 | — | |
hash82c03c4ee142e862da2e736c691caa65fecc2acb | — | |
hashba33bbe881c02e628ea8f2751749ee9afb4c2441 | — | |
hashc65f5d8b9072aefafeee73227610f4082843762a | — | |
hashc8d51044d37f247937616adb489836c62b25b599 | — | |
hashd1813eb15ed321fc7fa4e1c8c0552a02fc789d69 | — | |
hashfbdb66de614bd41a1d68f3fa0abc85fb092b28bc | — | |
hash03dbaee9cbc05abb6a35fd7804dcf7e83e0675da40eabcfd161d1d6b387363b3 | — | |
hash0c2947904711ef63ac3cc24ba2e7a059e318dc219d14eeaebb6b46fd277f7f3d | — | |
hash100e0ca51a6a25efac16627be80c7ce992a5506470136e43cb8b24d8828ba82b | — | |
hash11ad9f6c235ea561317d89590fa41d75348019850735b998b60661635ad99e9a | — | |
hash20c8fd700796b80ea093e23ec812943adfc63c3b8653bb09b581fd7f4127c652 | — | |
hash3325be6c18c35b66e7f527950af97a4235e04d026a81780c135d6cec3f8245db | — | |
hash41c1b4b09cb3185075f57befd5278119ee0a952418144779898378f0963897e9 | — | |
hash45154678b808a70316f0172a5012ffdfc7d7ddcde856440099fcdbad64e84ddb | — | |
hash4972b6583645d28600f076e73def05890b54a9d98c8b328d61f421c79a021db6 | — | |
hash53c6a0a51ef3cf9d38034a7600c94e1ae3968dbec5bbb5d9fdcd26764c6b30e2 | — | |
hash644ad315071324e7f86e9b04dfc7dae515ca1a7ae386b21207c4ab38d1a164d6 | — | |
hash6478585efed46b0616ca201c51464de7af5ba8985c3b948f9b67db09cbd62e97 | — | |
hash6a8dfd602daa3b9dc2ceb146837a7966a37af8ab224ed11478e1f6d87f375b7f | — | |
hash73bd4f12f3e7d155dfbcb6d016b99d40cce8554964ecc51de40b70fab3a4c3a5 | — | |
hash79f169be997f883ef02559a0af3f014f63c1c0308931913decd79c0aafaf659f | — | |
hash7b6f6fe88ff9d953965e81b1bed256528c93ff159156bc17b8811d7cfd5dfe47 | — | |
hash7f58b98e9d4b2d06dadef2b8656d337283118a135806dd711fb9de51ca63911d | — | |
hash82671b7f09811ff38b3cab186776d06cc9e89d434080f1eb26fa1c35767eaca5 | — | |
hash8fde3f60f9ae901a9fa04888d3050c9a65fb63722a4b41a6d6ad7d38183c37d5 | — | |
hash9fa461bd75788d27ceb778dc0f9773d641e804b3e10103c482ba4747153178f8 | — | |
hashaedcfbac94161f74b2ce63ad9da2f613809860fc8aa09d6ea0b57e964c47f8a8 | — | |
hashb2e8f9f9a69c1be0d1814b064b73586afbf730e2ab9d9fb10dd5711be4febe85 | — | |
hashb38032f5b2059cacc28246dd0b739e19b6a68daf34add740d5ce6be87354b498 | — | |
hashb90a7f17b5406db3ee17ec4bc82a704c6128b4ad8652776b4f55bc3948fa8385 | — | |
hashbea07bc2359e8f3ce914b0027b5548ae58c9a019f330446b2c81050cd9ca1b0d | — | |
hashbed54c819cc8ff502fff41f6d9c726836b6086c9afdd47f2261809196c973c38 | — | |
hashc5a1dee1ae7f0a04dfa91481d0c1d5ad5c887a77e657def8878af600a98fd8c6 | — | |
hashc709c30074155f8f0a431828c23cc08df6959505051578ec28659a47a4da2fa6 | — | |
hashcdf7c97cfb494ade90886765606294db0b98a2576bc1d152bc8c4ec97672b687 | — | |
hashcee0ad69647d4840013e836b657d8fd79b9be7389ccbc70e15c5cb96bf926f8a | — | |
hashd3c90e61c3ffa059658c36e39334cb38c0b23cbde46f5078705fcfad67c9f3d8 | — | |
hashe20c0900513551265dda37ce5334c71f5b0e8b20e19f9d8391f77987e2458f20 | — | |
hashf15e4e140fceeb393bcb2c8d61a2333b37c30270527b5c48d8440e3ec1e02ae4 | — | |
hashfa07773b3af0539442504f86973fe2a68e040f80ebea388c5ed62d8f94eddb6a | — | |
hashfa877d45432e7712d1832508c77f063958a5cec05038152eb2be5e79992c3966 | — | |
hashfb25a19a74bc7549f5e4e1f299886fb09a9d5b4fd4599c5a9b7f2d534ce71691 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://sunlightfriends.tech/latest/news | — | |
urlhttp://akiliridge.com:1414 | — | |
urlhttp://glowstickspro.com:1411 | — | |
urlhttp://imhfamily.com:1414 | — | |
urlhttp://stillpaving.com:1411 | — | |
urlhttps://fleepsterones.fun/content/articles | — | |
urlhttps://fleepsterones.fun/fashion/week | — | |
urlhttps://fleepsterones.fun/media/like | — | |
urlhttps://sunlightfriends.tech/beauty/series | — | |
urlhttps://sunlightfriends.tech/health/shampoo | — | |
urlhttps://sunlightfriends.tech/learning/portal | — | |
urlhttps://sunlightfriends.tech/monthly/horoscope | — | |
urlhttps://sunlightfriends.tech/nature/today | — | |
urlhttps://sunlightfriends.tech/weather/news | — | |
urlhttps://sunlightfriends.tech/weekly/forecast | — | |
urlhttps://sunlightfriends.tech/world/library | — |
Threat ID: 6a50a01268715ace433595d9
Added to database: 07/10/2026, 07:32:34 UTC
Last enriched: 07/10/2026, 07:47:31 UTC
Last updated: 07/10/2026, 07:48:08 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.