3 malware families

PseudoSticky

Also known asPseudoSticky

PseudoSticky is a newly reported threat actor active since at least November 2025. It has targeted Russian organizations while mimicking the tactics of the pro-Ukrainian threat actor Sticky Werewolf. Reported tooling used by PseudoSticky includes RemcosRAT and DarkTrack RAT. Reporting also notes the actor may have used LLMs to help develop attack chains. Known alias: “pseudosticky” (case variant of PseudoSticky).

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇷🇺 Russia

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics2 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.001

Spearphishing Attachment

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DarkTrack RAT"...drop DarkTrack RAT via PureCrypter."1Mar 8, 2026

PureCrypter"...drop DarkTrack RAT via PureCrypter."1Mar 8, 2026

RemcosRAT"...to attack Russian organizations... with malware like RemcosRAT and DarkTrack RAT..."1Mar 8, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Feb 24, 2026

UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors

Threat actor conducting phishing campaigns against Russian organizations while deliberately mimicking Sticky Werewolf TTPs; delivers commodity RATs for data theft/remote control and is suspected of using LLMs to help develop attack chains (e.g., dropping DarkTrack RAT via PureCrypter).

risky biz rssNews

Feb 20, 2026

Risky Bulletin: RPKI infrastructure sits on shaky ground

Espionage-leaning activity cluster targeting Russian organizations while mimicking the TTPs of the Ukrainian group Sticky Werewolf; also uses LLMs operationally.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.