Russian government and defense institutions are the target of a new cyber espionage cluster that has just surfaced. The group, known as Vortex Werewolf, has been active since at least December 2025 and uses a mix of social engineering and legitimate software tools to compromise secure networks.

Their main goal appears to be the use of anonymized protocols to gain continuous, covert remote access to sensitive systems. Phishing emails that trick recipients into clicking on harmful links are usually the first step in an attack. These emails imitate authentic file-sharing notifications, frequently posing as Telegram or other trusted platforms.

The infection chain starts when a victim interacts with the bait, which leads to the deployment of tools designed to bypass common network security controls. By configuring file transfer and remote desktop protocols to route traffic through the Tor network, the malware gives unauthorized operators covert control of the host. BI.ZONE researchers discovered this activity cluster early in 2026 and highlighted the group's distinct operational tradecraft.

This adversary uses particular obfuscation bridges for command-and-control communications, but it shares some behavioral traits with other threat actors, such as Core Werewolf.

[Image: Phishing page prompt for a confirmation code (Source: Medium)]

A successful breach would have a severe impact because it would allow attackers to execute commands and move files using RDP, SMB, SFTP, and SSH while remaining hidden behind Tor Hidden Services.

The attackers use persistence mechanisms that survive system reboots in order to keep their foothold in compromised environments. To make sure that the Tor client and SSH server start automatically, the malware creates scheduled tasks in the Windows operating system.
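The scheduled-task persistence described above leaves a footprint a defender can hunt for: a task whose command line launches a Tor client or SSH server, typically from a user-writable directory and with a trigger that fires at boot or logon. The following Python script is an added example (not code from the article or from BI.ZONE) that scores exported task records against those three signals. The CSV layout is an assumed subset of the columns `schtasks /query /v /fo CSV` produces, the sample rows are constructed (two benign tasks, two that mirror the reported persistence), and the binary names and path patterns are the author's assumptions.

```python
import csv
import io
import re

# Constructed sample in the layout of a few `schtasks /query /v /fo CSV` columns
# (the column subset is an assumption). Two tasks are benign; two mirror the
# persistence described in the article: auto-starting a Tor client and an SSH server.
SAMPLE_TASKS_CSV = r"""
"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS-01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS-01","\UpdateSvc","C:\Users\ivan\AppData\Roaming\svc\tor.exe -f C:\Users\ivan\AppData\Roaming\svc\torrc","ivan","At system start up"
"WS-01","\SSHDaemon","C:\ProgramData\ssh\sshd.exe -f C:\ProgramData\ssh\sshd_config","SYSTEM","At logon time"
"WS-01","\OneDrive Standalone Update","C:\Users\ivan\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","ivan","Daily"
""".strip()

# Binaries that provide an anonymized or encrypted remote tunnel when auto-started
# (assumed watch list; extend with whatever tunnelling tools your environment bans).
TUNNEL_BINARIES = re.compile(r"(?:^|[\\/ ])(tor|sshd|ssh|plink)\.exe\b", re.IGNORECASE)
# Directories a non-admin user can write to; legitimate services rarely run from here.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Trigger types that re-establish the task after a reboot or logon.
BOOT_TRIGGERS = {"At system start up", "At logon time"}


def analyze_tasks(csv_text):
    """Return the tasks that launch a tunnel binary, with the reasons each was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["Task To Run"]
        binary = TUNNEL_BINARIES.search(cmd)
        if not binary:
            continue  # only tunnel binaries are in scope for this hunt
        reasons = [f"launches {binary.group(1).lower()}.exe"]
        if USER_WRITABLE.search(cmd):
            reasons.append("binary lives in a user-writable directory")
        if row["Schedule Type"] in BOOT_TRIGGERS:
            reasons.append(f"trigger survives reboot ({row['Schedule Type']})")
        findings.append({
            "host": row["HostName"],
            "task": row["TaskName"],
            "user": row["Run As User"],
            # all three signals together is the pattern the article describes
            "severity": "high" if len(reasons) == 3 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_tasks(SAMPLE_TASKS_CSV):
        print(f"[{f['severity']}] {f['host']} {f['task']} (as {f['user']}): "
              + "; ".join(f["reasons"]))
```

Run it against a real export by replacing `SAMPLE_TASKS_CSV` with the file contents; an OpenSSH server installed through the Windows feature runs as a service from `System32\OpenSSH`, so an `sshd.exe` started by a scheduled task from `ProgramData` or a user profile is worth an analyst's attention even when the trigger looks ordinary.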

With this configuration, the threat actors can maintain permanent access to the victim's infrastructure, allowing them to exfiltrate information or pivot to other critical systems whenever they want without triggering immediate alerts.

Phishing Techniques and the Mechanism of Infection

The infection process is characterized by a high degree of social engineering sophistication, designed to steal user credentials before delivering the payload.

[Image: Phishing page HTML code (Source: Medium)]

Upon clicking the first phishing link, a user is taken to a fake website that mimics the look and feel of a Telegram file download portal. This website takes over the victim's active session by asking them to enter their phone number and the ensuing login confirmation code. Once the phishing page has obtained the victim's session information, it redirects the user to a trustworthy file hosting service, like Dropbox, where they can download a malicious ZIP file.

[Image: Notification of successful user authentication and file download (Source: Medium)]

The archive contains a malicious LNK file that, when run, launches a PowerShell script.

Before installing the Tor and OpenSSH components needed for the encrypted command tunnel, this script runs checks to evade sandbox environments. Businesses should use strong email filtering systems that apply machine learning to identify phishing anomalies and spoofed links. Security teams should block traffic to known malicious domains and rigorously check the destination of all incoming URLs.

Additionally, for early threat detection, network logs must be continuously monitored for unauthorized Tor or SSH connections.
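Because the RDP, SMB, SFTP and SSH sessions described in the article ride inside Tor, what a network sensor actually sees is the workstation's outbound Tor circuit and any SSH it should not be speaking. The following Python script is an added example (not code from the article or from BI.ZONE) of that monitoring over a few constructed flow records. The record layout is an assumption loosely modelled on a Zeek conn.log; the relay list is a constructed placeholder to be replaced with a real Tor relay feed; the default Tor ports are a deliberately weak fallback, because the obfuscation bridges this actor uses listen on arbitrary ports; and which hosts are allowed to originate SSH (here a single jump host) is an assumption about the environment.

```python
import csv
import io
import ipaddress

# Constructed, simplified flow records (field layout is an assumption, loosely modelled on a
# Zeek conn.log). 10.20.1.15 is a workstation; 10.20.1.50 is the approved jump host.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,service
2026-02-03T08:12:01Z,10.20.1.15,10.20.1.5,445,tcp,smb
2026-02-03T08:12:44Z,10.20.1.15,203.0.113.77,9001,tcp,ssl
2026-02-03T08:13:02Z,10.20.1.15,198.51.100.9,443,tcp,ssl
2026-02-03T08:14:10Z,10.20.1.15,203.0.113.12,22,tcp,ssh
2026-02-03T08:15:00Z,10.20.1.50,10.20.0.2,22,tcp,ssh
2026-02-03T08:16:21Z,10.20.1.15,10.20.1.5,3389,tcp,rdp
"""

# Assumption: the organisation's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed placeholder; in practice populate this from a published Tor relay/bridge list.
KNOWN_TOR_RELAYS = {"203.0.113.77", "198.51.100.9"}
# Tor's default OR, Dir, SOCKS and Control ports. Weak signal only: bridges use arbitrary ports.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9051}
# Assumption: only the jump host is expected to originate SSH sessions.
SSH_ALLOWED_SOURCES = {"10.20.1.50"}


def is_external(ip_text):
    """True when the address falls outside the internal ranges defined above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def hunt_tor_ssh(csv_text, relays=KNOWN_TOR_RELAYS, ssh_sources=SSH_ALLOWED_SOURCES):
    """Flag flows that look like Tor circuits or SSH from hosts not approved for it."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dst, dport = row["dst"], int(row["dport"])
        reasons = []
        if dst in relays:
            reasons.append("destination is a known Tor relay")
        elif is_external(dst) and dport in TOR_DEFAULT_PORTS:
            reasons.append(f"external port {dport} matches a Tor default (weak: bridges use arbitrary ports)")
        if (row["service"] == "ssh" or dport == 22) and row["src"] not in ssh_sources:
            reasons.append("SSH from a host not approved for SSH")
        if reasons:
            findings.append({"ts": row["ts"], "src": row["src"], "dst": dst,
                             "dport": dport, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_tor_ssh(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}: " + "; ".join(f["reasons"]))
```

In the sample, the relay on port 443 is caught only by the relay list, which is the point of keeping that list current: a port heuristic alone would pass it as ordinary HTTPS, and a bridge-based client would pass entirely. The SSH baseline works the other way round, by whitelisting the few hosts that legitimately speak SSH so that a workstation opening port 22 outbound stands out.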