Versatile Werewolf

Versatile Werewolf is a threat cluster observed distributing malware through fake software themed around Starlink terminal management and UAV/drone pilot training. In the reported campaigns, it used stardebug[.]app to distribute the malicious MSI installer StarDebug_1.0.1.msi, masquerading as an alternative Starlink terminal management application, and alphafly-drones[.]com to distribute AlphaFlyInstallV1-2.msi, a fake UAV training application that mimicked betaflight.com and reused media from obriy[.]airforce. In the StarDebug campaign, the MSI dropped run-script.ps1, helper.vbs, and installer.exe into %LOCALAPPDATA%\Star. The infection chain used PowerShell, VBS, and a .NET loader to unpack Fondue.exe and a malicious appwiz.cpl, then used DLL side-loading to load the malicious appwiz.cpl into Fondue.exe and deploy a Sliver implant in memory. The malicious appwiz.cpl was reported as packed with UPX and obfuscated with Oreans Code Virtualizer. The Sliver implant contacted curtainbeatdisturbance[.]com, created the mutex MediumTurquoiseBeige, and persistence was established via a scheduled task named in the format MicrosoftEdgeUpdateTaskMachineUA{GUID} that launched fondue.exe -Embedding every minute. In the AlphaFly campaign, the MSI dropped a PowerShell loader and VBS launcher into %LOCALAPPDATA%\AlphaFlyNew and displayed a fake installation error as a decoy. The infection chain downloaded Node.js if needed, executed an obfuscated JavaScript loader, and fetched the final payload from newfolder[.]click. The final payload was SoullessRAT, an obfuscated JavaScript RAT previously observed in earlier Versatile Werewolf attacks. Reported SoullessRAT capabilities included file upload and download, module loading, Outlook data theft, system reconnaissance, PowerShell command execution, screenshot capture, directory or file listing, logical volume enumeration, and self-termination. Known alias in the provided content: versatile_werewolf.