Vortex Werewolf
Vortex Werewolf is a cyber-espionage activity cluster targeting Russian government and defense organizations, with additional targeting reported in Belarus, active since at least December 2025. The cluster conducts phishing campaigns using lures that mimic legitimate file-sharing notifications (often themed as Telegram). Victims are directed to a fake Telegram download portal designed to capture phone numbers and login confirmation codes and hijack active sessions, then redirected to legitimate file-hosting services (e.g., Dropbox) to retrieve a malicious ZIP archive. The ZIP contains a weaponized Windows LNK that launches PowerShell, performs sandbox-evasion checks, and installs Tor and OpenSSH to establish persistent, covert remote access. The operators use Tor (including Tor Hidden Services) to anonymize command-and-control and route remote administration and file transfer over RDP, SMB, SFTP, and SSH, and they implement persistence via Windows scheduled tasks to auto-launch the Tor client and SSH server. The campaign was previously reported in November 2025 by Cyble and Seqrite Labs (as “Operation SkyCloak”), and BI.ZONE reported identifying the cluster in early 2026, noting behavioral similarities to Core Werewolf but with distinct obfuscation/bridging for C2 communications.
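The chain above ends in two observable artefacts on the endpoint: PowerShell spawning the Tor client or OpenSSH daemon during installation, and a scheduled task that re-launches them at boot. The following hunt logic, written for this page rather than taken from BI.ZONE, Cyble or Seqrite reporting, flags both patterns in Sysmon-style telemetry. Field names (`type`, `image`, `parent_image`, `action`, `task_name`), the sample events and the install paths are constructed for the example.

```python
"""Hunt for the Tor + OpenSSH persistence pattern in endpoint telemetry.
Added example for this page; not tooling from any vendor named above.
Event schema and sample records are constructed."""
import ntpath
from dataclasses import dataclass

# Binaries the write-up says the LNK chain installs for covert remote access.
REMOTE_ACCESS_BINARIES = {"tor.exe", "sshd.exe"}
# Interpreter the weaponised LNK launches, per the description.
LAUNCHER_BINARIES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    evidence: str


def _base(image: str) -> str:
    # Reduce a full Windows path or bare name to a lowercase basename.
    return ntpath.basename(image).strip('"').lower()


def _first_token(cmdline: str) -> str:
    # Task actions and command lines often quote the executable path.
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def hunt(events):
    """Return a Finding for each event matching the chain:
    1. a scheduled task whose action runs tor.exe or sshd.exe (persistence);
    2. PowerShell spawning tor.exe or sshd.exe (installation stage)."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev["type"] == "task_created":
            exe = _base(_first_token(ev["action"]))
            if exe in REMOTE_ACCESS_BINARIES:
                findings.append(Finding(
                    host, f"scheduled task auto-launches {exe}",
                    f"{ev['task_name']} -> {ev['action']}"))
        elif ev["type"] == "process_created":
            child = _base(ev["image"])
            parent = _base(ev["parent_image"])
            if parent in LAUNCHER_BINARIES and child in REMOTE_ACCESS_BINARIES:
                findings.append(Finding(
                    host, f"{parent} spawned {child}", ev["command_line"]))
    return findings


# Constructed sample telemetry: two malicious records, two benign ones.
SAMPLE_EVENTS = [
    {"type": "process_created", "host": "ws01",
     "image": r"C:\Users\u\AppData\Local\tor\tor.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Users\u\AppData\Local\tor\tor.exe" -f torrc'},
    {"type": "task_created", "host": "ws01", "task_name": r"\Updater",
     "action": r'"C:\Users\u\AppData\Local\ssh\sshd.exe" -f sshd_config'},
    {"type": "task_created", "host": "ws02",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"type": "process_created", "host": "ws02",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.reason}: {f.evidence}")
```

In a real deployment the `task_created` records come from Windows Security event 4698 (requires the "Audit Other Object Access Events" subcategory to be enabled) and the `process_created` records from Sysmon event 1; matching on basenames rather than full paths is deliberate, since the install directory is attacker-chosen, but it means a legitimately deployed OpenSSH server will also fire and should be allow-listed by signed path.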
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Targets Russia and Belarus with the goal of establishing persistent remote access by deploying Tor and OpenSSH; campaign also referred to as Operation SkyCloak by Seqrite Labs.
Targets Russia and Belarus with the objective of establishing persistent remote access by deploying Tor and OpenSSH; campaign also referred to as Operation SkyCloak by Seqrite Labs.
Cyber-espionage activity cluster targeting Russian government and defense entities via phishing and social engineering to establish persistent covert remote access. Uses legitimate utilities (Tor, OpenSSH) and Windows scheduled tasks to maintain access and route C2/remote administration over Tor Hidden Services, enabling command execution and file transfer over RDP/SMB/SFTP/SSH.
Intrusion activity targeting Russian government and defense organizations over a recent two-month period (details of tooling/TTPs not provided in the excerpt).