Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Massive offensive launched on Russian businesses

0
Medium
Published: 07/09/2026 (07/09/2026, 12:53:28 UTC)
Source: AlienVault OTX General

Description

In May and June 2026, the Clubfoot Wolf cluster executed a large-scale phishing campaign targeting Russian organizations across manufacturing, retail, e-commerce, agriculture, IT, transportation, healthcare, and science sectors, with primary focus on wholesale distributors of chemical products. Several Belarusian organizations were also compromised. The adversary sent phishing emails disguised as invoices or purchase requests, containing ZIP archives with decoy documents and malicious LNK files. Upon execution, a PowerShell script downloaded and installed NetSupport Manager, a legitimate remote administration tool, which was then used for malicious activities. The attackers employed URL shorteners to hide infrastructure and used multiple decoy files to build victim trust. The campaign demonstrated continuous evolution in delivery methods and infection chains.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 07:47:31 UTC

Technical Analysis

The Clubfoot Wolf cluster executed a widespread phishing campaign in mid-2026 targeting Russian and some Belarusian organizations across diverse industries, focusing on wholesale chemical distributors. The attack vector involved phishing emails with ZIP attachments containing decoy documents and malicious LNK files. When executed, these LNK files launched PowerShell scripts that downloaded and installed NetSupport Manager, a legitimate remote administration tool leveraged by the attackers for unauthorized remote access and control. The adversary employed URL shorteners to obscure command and control infrastructure and used multiple decoy files to increase victim trust. The campaign demonstrated adaptive delivery and infection techniques over time.

Potential Impact

The campaign enabled attackers to gain remote access to targeted organizations by abusing a legitimate remote administration tool, potentially allowing data theft, espionage, or further network compromise. The use of phishing and social engineering increased the likelihood of initial infection. The targeting of critical sectors such as manufacturing, chemical distribution, healthcare, and IT could have significant operational and economic impacts on affected organizations.

Mitigation Recommendations

No official patch or fix is applicable as this is a phishing and social engineering campaign leveraging legitimate software. Organizations should enhance phishing detection and user awareness training, implement email filtering to block malicious attachments, and monitor for unauthorized use of remote administration tools like NetSupport Manager. Restricting or monitoring PowerShell script execution and LNK file handling can reduce risk. Since no vendor advisory or patch is indicated, check relevant security advisories for updates on detection and prevention.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://bi-zone.medium.com/clubfoot-wolf-launches-massive-offensive-on-russian-businesses-5c2743ff2ebd"]
Adversary
Clubfoot Wolf
Pulse Id
6a4f99c8656ebbe895c7e9e5
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainimhfamily.com
domainfleepsterones.fun

Hash

ValueDescriptionCopy
hashb24b8d96ebea10cb7e9ffb73256cc46f9041123e7c2cc26fe92d355a8378a87c
hash490585f82a0ddaafd9eead803859e06dafc0219a5bd1c08482c98f3d37eec231
hash31b0f515012355e104a1e4f10baff85c3066a037f17272ce9c2445fd8377a96a
hash38d96dd1c26a7a98c8b55c925863d0f5c8c099a73192c65e3a1e47ea636d3d29
hash1e5c289739f75271e0f5136b93d0dae7
hash56cc6b8260c676dca2ee4e4ef4785373
hash5c56fd9d306a62642cfe6c6b3989efdd
hash909194b6162b9c1c4e4e88dc1e8d4c9a
hash9cc761eefd1cd30408a4328aec6ea511
hashc9386d789015d30f85546d04c1331f60
hashce89b9cb3ba97432bc7d06c72e9149b0
hashddc68b4d2612db3c44f3590ee3603eb6
hashfc00460dda7b44a1fea71cf24f4cfa6d
hash44785a4297a233cf36adbe1ac7cb0523372d1338
hash54ba6a4ee9d006f60e74c3fc749d6ece9ae7e90d
hash6a495bafab006d577bebd4ef1ec026cda1d360b2
hash82c03c4ee142e862da2e736c691caa65fecc2acb
hashba33bbe881c02e628ea8f2751749ee9afb4c2441
hashc65f5d8b9072aefafeee73227610f4082843762a
hashc8d51044d37f247937616adb489836c62b25b599
hashd1813eb15ed321fc7fa4e1c8c0552a02fc789d69
hashfbdb66de614bd41a1d68f3fa0abc85fb092b28bc
hash03dbaee9cbc05abb6a35fd7804dcf7e83e0675da40eabcfd161d1d6b387363b3
hash0c2947904711ef63ac3cc24ba2e7a059e318dc219d14eeaebb6b46fd277f7f3d
hash100e0ca51a6a25efac16627be80c7ce992a5506470136e43cb8b24d8828ba82b
hash11ad9f6c235ea561317d89590fa41d75348019850735b998b60661635ad99e9a
hash20c8fd700796b80ea093e23ec812943adfc63c3b8653bb09b581fd7f4127c652
hash3325be6c18c35b66e7f527950af97a4235e04d026a81780c135d6cec3f8245db
hash41c1b4b09cb3185075f57befd5278119ee0a952418144779898378f0963897e9
hash45154678b808a70316f0172a5012ffdfc7d7ddcde856440099fcdbad64e84ddb
hash4972b6583645d28600f076e73def05890b54a9d98c8b328d61f421c79a021db6
hash53c6a0a51ef3cf9d38034a7600c94e1ae3968dbec5bbb5d9fdcd26764c6b30e2
hash644ad315071324e7f86e9b04dfc7dae515ca1a7ae386b21207c4ab38d1a164d6
hash6478585efed46b0616ca201c51464de7af5ba8985c3b948f9b67db09cbd62e97
hash6a8dfd602daa3b9dc2ceb146837a7966a37af8ab224ed11478e1f6d87f375b7f
hash73bd4f12f3e7d155dfbcb6d016b99d40cce8554964ecc51de40b70fab3a4c3a5
hash79f169be997f883ef02559a0af3f014f63c1c0308931913decd79c0aafaf659f
hash7b6f6fe88ff9d953965e81b1bed256528c93ff159156bc17b8811d7cfd5dfe47
hash7f58b98e9d4b2d06dadef2b8656d337283118a135806dd711fb9de51ca63911d
hash82671b7f09811ff38b3cab186776d06cc9e89d434080f1eb26fa1c35767eaca5
hash8fde3f60f9ae901a9fa04888d3050c9a65fb63722a4b41a6d6ad7d38183c37d5
hash9fa461bd75788d27ceb778dc0f9773d641e804b3e10103c482ba4747153178f8
hashaedcfbac94161f74b2ce63ad9da2f613809860fc8aa09d6ea0b57e964c47f8a8
hashb2e8f9f9a69c1be0d1814b064b73586afbf730e2ab9d9fb10dd5711be4febe85
hashb38032f5b2059cacc28246dd0b739e19b6a68daf34add740d5ce6be87354b498
hashb90a7f17b5406db3ee17ec4bc82a704c6128b4ad8652776b4f55bc3948fa8385
hashbea07bc2359e8f3ce914b0027b5548ae58c9a019f330446b2c81050cd9ca1b0d
hashbed54c819cc8ff502fff41f6d9c726836b6086c9afdd47f2261809196c973c38
hashc5a1dee1ae7f0a04dfa91481d0c1d5ad5c887a77e657def8878af600a98fd8c6
hashc709c30074155f8f0a431828c23cc08df6959505051578ec28659a47a4da2fa6
hashcdf7c97cfb494ade90886765606294db0b98a2576bc1d152bc8c4ec97672b687
hashcee0ad69647d4840013e836b657d8fd79b9be7389ccbc70e15c5cb96bf926f8a
hashd3c90e61c3ffa059658c36e39334cb38c0b23cbde46f5078705fcfad67c9f3d8
hashe20c0900513551265dda37ce5334c71f5b0e8b20e19f9d8391f77987e2458f20
hashf15e4e140fceeb393bcb2c8d61a2333b37c30270527b5c48d8440e3ec1e02ae4
hashfa07773b3af0539442504f86973fe2a68e040f80ebea388c5ed62d8f94eddb6a
hashfa877d45432e7712d1832508c77f063958a5cec05038152eb2be5e79992c3966
hashfb25a19a74bc7549f5e4e1f299886fb09a9d5b4fd4599c5a9b7f2d534ce71691

Url

ValueDescriptionCopy
urlhttps://sunlightfriends.tech/latest/news
urlhttp://akiliridge.com:1414
urlhttp://glowstickspro.com:1411
urlhttp://imhfamily.com:1414
urlhttp://stillpaving.com:1411
urlhttps://fleepsterones.fun/content/articles
urlhttps://fleepsterones.fun/fashion/week
urlhttps://fleepsterones.fun/media/like
urlhttps://sunlightfriends.tech/beauty/series
urlhttps://sunlightfriends.tech/health/shampoo
urlhttps://sunlightfriends.tech/learning/portal
urlhttps://sunlightfriends.tech/monthly/horoscope
urlhttps://sunlightfriends.tech/nature/today
urlhttps://sunlightfriends.tech/weather/news
urlhttps://sunlightfriends.tech/weekly/forecast
urlhttps://sunlightfriends.tech/world/library

Threat ID: 6a50a01268715ace433595d9

Added to database: 07/10/2026, 07:32:34 UTC

Last enriched: 07/10/2026, 07:47:31 UTC

Last updated: 07/10/2026, 07:48:08 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses