Russian President Vladimir Putin looks out on St. Petersburg with Gazprom chairman Alexei Miller. Credit: Press service of the President of Russia

Sapphire Werewolf hackers spy on Russian education, defense and aerospace industries

A hacker group dubbed Sapphire Werewolf has attacked more than 300 Russian companies over the past three months using the Amethyst infostealer, researchers have found.

The group’s targets include the Russian education, manufacturing, tech, defense, and aerospace engineering industries. It is not clear who is behind the group and whether it is state-sponsored or financially motivated.

The Russian cybersecurity company BI.ZONE has been tracking Sapphire Werewolf’s activity since March. According to its researchers, the group’s Amethyst tool is an offshoot of the open-source SapphireStealer.

Once on a compromised system, Amethyst can collect Telegram configuration files, browser password and cookie databases, browsing histories (including visits to popular websites), saved pages and configuration data from browsers, as well as PowerShell logs.
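The artifact list above is also a defender's checklist: the files a stealer must read are fixed, and only a handful of legitimate processes ever touch them. The following Python snippet is an added illustration, not code from BI.ZONE or from the article, of turning that list into a detection over file-access telemetry. The event shape (a simplified Sysmon-style record with process image, PID and target path), the artifact paths, the allow-list of owner processes and the sample events with the decoy file name are all constructed assumptions for the example; real telemetry fields and paths will differ per environment.

```python
"""Flag processes that read the credential stores Amethyst-style stealers harvest.

Added example for illustration; event format, paths and allow-lists are assumptions.
"""
import fnmatch

# Artifact families named in the report, each paired with the application that
# legitimately owns the files. The owner allow-list is an assumption for the example.
WATCHED_ARTIFACTS = {
    "telegram_config": (["*\\Telegram Desktop\\tdata\\*"], {"telegram.exe"}),
    "browser_logins": (["*\\User Data\\*\\Login Data*"], {"chrome.exe", "msedge.exe"}),
    "browser_cookies": (["*\\User Data\\*\\Cookies*"], {"chrome.exe", "msedge.exe"}),
    "browser_history": (
        ["*\\User Data\\*\\History*", "*\\Firefox\\Profiles\\*\\places.sqlite"],
        {"chrome.exe", "msedge.exe", "firefox.exe"},
    ),
    "powershell_history": (
        ["*\\PSReadLine\\ConsoleHost_history.txt"],
        {"powershell.exe", "pwsh.exe"},
    ),
}


def classify_path(path):
    """Return (artifact_family, owner_processes) for a watched path, else (None, None)."""
    lowered = path.lower()
    for family, (patterns, owners) in WATCHED_ARTIFACTS.items():
        # fnmatch '*' spans backslashes, so one pattern covers nested profile dirs.
        if any(fnmatch.fnmatchcase(lowered, pat.lower()) for pat in patterns):
            return family, owners
    return None, None


def detect(events):
    """Group reads of watched artifacts by non-owner process and rate each process.

    A single foreign process touching two or more artifact families is the
    stealer pattern and is rated 'high'; one family alone is 'medium'.
    """
    touched = {}
    for ev in events:
        family, owners = classify_path(ev["target"])
        if family is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in owners:
            continue  # the owning application reading its own store is expected
        entry = touched.setdefault(ev["pid"], {"image": image, "artifacts": set()})
        entry["artifacts"].add(family)

    findings = []
    for pid in sorted(touched):
        families = sorted(touched[pid]["artifacts"])
        findings.append({
            "pid": pid,
            "image": touched[pid]["image"],
            "artifacts": families,
            "severity": "high" if len(families) >= 2 else "medium",
        })
    return findings


# Constructed sample telemetry (not real logs). PID 7788 is a hypothetical
# decoy-document dropper sweeping every artifact family; 9001 is a user
# opening their PowerShell history in Notepad, a single-family outlier.
_PS_HISTORY = ("C:\\Users\\ivan\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell"
               "\\PSReadLine\\ConsoleHost_history.txt")
_CHROME_PROFILE = "C:\\Users\\ivan\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
_TDATA = "C:\\Users\\ivan\\AppData\\Roaming\\Telegram Desktop\\tdata"
_LURE = "C:\\Users\\ivan\\Downloads\\decree_lure.exe"

SAMPLE_EVENTS = [
    {"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": _CHROME_PROFILE + "\\Login Data"},
    {"pid": 5012, "image": "C:\\Users\\ivan\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "target": _TDATA + "\\key_datas"},
    {"pid": 2200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": _PS_HISTORY},
    {"pid": 3300, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\ivan\\Documents\\report.docx"},
    {"pid": 7788, "image": _LURE, "target": _CHROME_PROFILE + "\\Login Data"},
    {"pid": 7788, "image": _LURE, "target": _CHROME_PROFILE + "\\Network\\Cookies"},
    {"pid": 7788, "image": _LURE, "target": _CHROME_PROFILE + "\\History"},
    {"pid": 7788, "image": _LURE, "target": _TDATA + "\\D877F783D5D3EF8C\\maps"},
    {"pid": 7788, "image": _LURE, "target": _PS_HISTORY},
    {"pid": 9001, "image": "C:\\Windows\\System32\\notepad.exe", "target": _PS_HISTORY},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["image"],
              ", ".join(finding["artifacts"]))
```

The value of grouping by process rather than alerting per file is that the stealer's defining behaviour is breadth: one unfamiliar binary reading browser credentials, Telegram state and shell history within the same session. Single-artifact hits from tools such as editors or backup agents are noisy and are rated lower so they can be triaged separately.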

The hackers deliver the malware to victims’ devices through phishing emails disguised as official decrees, including those from the Central Election Committee or even from Russian President Vladimir Putin.

It is not clear how effective Sapphire Werewolf’s campaigns are or how the group uses the stolen data. Researchers have noticed that the group’s malware has evolved: just three months ago, the stealer didn’t have “any mechanisms for achieving persistence in the compromised system” and only collected “a limited set of data.”

Reports about cyberattacks inside Russia are rare and often published exclusively by local cyber companies since Western firms have limited visibility in the region.

Earlier this week, another Russian firm, Positive Technologies — which was sanctioned by the U.S. for providing technology to Russian intelligence services — published a report about a state-sponsored group called HellHounds that targeted Russian power companies, tech businesses, government agencies, the space industry, and telecom providers with Decoy Dog malware.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.