Versatile Werewolf
Versatile Werewolf is a threat cluster tracked in campaigns that use Starlink- and drone-themed lures to distribute malware. Targeting focuses primarily on government organizations, military personnel, and individuals involved in drone manufacturing and engineering, consistent with espionage objectives. Known aliases: versatile_werewolf, Versatile Werewolf.

The cluster used malicious MSI installers masquerading as legitimate applications, including StarDebug_1.0.1.msi, presented as an alternative Starlink terminal management application, and AlphaFlyInstallV1-2.msi, presented as a drone pilot training application. Reported distribution infrastructure includes stardebug[.]app and alphafly-drones[.]com; the AlphaFly site mimicked betaflight.com and reused media from obriy[.]airforce.

One observed intrusion chain used a multi-stage loader involving PowerShell, VBS, and a .NET loader, followed by an inner Inno Setup installer, to stage Fondue.exe together with a malicious APPWIZ.cpl in a hidden %PROGRAMDATA% directory. The actor abused the legitimate Windows utility Fondue.exe for DLL side-loading, causing it to load the rogue APPWIZ.cpl. The malicious APPWIZ.cpl was described as packed with UPX and protected with Oreans Code Virtualizer. When loaded, it deployed a Sliver implant in memory. The Sliver implant communicated with curtainbeatdisturbance[.]com, created the mutex MediumTurquoiseBeige, and established persistence via a scheduled task named in the format MicrosoftEdgeUpdateTaskMachineUA{GUID} that executed fondue.exe every minute.

A second observed chain used the fake AlphaFly installer to drop a PowerShell loader and VBS launcher, display a decoy installation error, download Node.js if needed, and execute an obfuscated JavaScript loader that retrieved the final payload from newfolder[.]click. That payload was SoullessRAT, a JavaScript-based RAT previously linked to the same cluster and reportedly written using generative AI. Reported SoullessRAT capabilities include remote command execution, file upload and download, screenshot capture, system information harvesting, Outlook data theft, directory or file listing, logical volume enumeration, module loading, and self-termination.

Reporting explicitly links Versatile Werewolf to the Fondue.exe side-loading campaign and to SoullessRAT delivery, and notes the cluster has been observed using generative AI to accelerate development of its attack tools.
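As an added detection example (written for this page, not code from the reporting or from Mallory), the two host artifacts described above can be matched in endpoint telemetry: fondue.exe loading an appwiz.cpl from outside the Windows system directories, and a scheduled task carrying the Edge-update naming pattern whose action is not the real Edge updater. The event records, the hidden directory name and the GUIDs are constructed placeholders; the event shapes are assumptions modelled loosely on Sysmon image-load and task-registration events.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (assumed field names, not real log output).
EVENTS = [
    {"type": "image_load", "process": r"C:\Windows\System32\fondue.exe",
     "image": r"C:\Windows\System32\appwiz.cpl"},                        # benign
    {"type": "image_load", "process": r"C:\ProgramData\PlaceholderHiddenDir\fondue.exe",
     "image": r"C:\ProgramData\PlaceholderHiddenDir\APPWIZ.cpl"},        # side-load
    {"type": "task_registered",
     "name": "MicrosoftEdgeUpdateTaskMachineUA{1F2D3C4B-0000-4000-8000-000000000000}",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},  # benign
    {"type": "task_registered",
     "name": "MicrosoftEdgeUpdateTaskMachineUA{9E8D7C6B-1111-4222-8333-444444444444}",
     "action": r"C:\ProgramData\PlaceholderHiddenDir\fondue.exe"},       # malicious
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Legitimate Edge update tasks use this name pattern; the name alone is not suspicious.
EDGE_TASK_RE = re.compile(r"^MicrosoftEdgeUpdateTaskMachineUA\{[0-9A-F-]{36}\}$", re.I)


def _in_system_dir(path):
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def flag_event(ev):
    """Return a finding string if the event matches the tradecraft, else None."""
    if ev["type"] == "image_load":
        proc = PureWindowsPath(ev["process"]).name.lower()
        img = PureWindowsPath(ev["image"]).name.lower()
        # fondue.exe normally resolves appwiz.cpl from System32; any other location is a side-load.
        if proc == "fondue.exe" and img == "appwiz.cpl" and not _in_system_dir(ev["image"]):
            return f"fondue.exe side-loaded appwiz.cpl from {ev['image']}"
    elif ev["type"] == "task_registered":
        action = PureWindowsPath(ev["action"]).name.lower()
        # Edge-update-named task whose action is not MicrosoftEdgeUpdate.exe.
        if EDGE_TASK_RE.match(ev["name"]) and action != "microsoftedgeupdate.exe":
            return f"Edge-update-named task {ev['name']} runs {ev['action']}"
    return None


def scan(events):
    return [f for f in (flag_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```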
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
- Capital Goods
Tradecraft
26 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
20 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Conducting a multi-stage espionage campaign that abuses the legitimate Windows binary Fondue.exe to side-load a malicious APPWIZ.cpl, deploy a Sliver implant, maintain persistence via scheduled tasks, and in parallel deploy SoullessRAT using fake Starlink and drone-themed applications as lures against sensitive targets.
Uses fake Starlink terminal management and drone training applications to deliver Sliver implants and SoullessRAT through MSI installers, PowerShell/VBS/.NET loaders, DLL side-loading, and staged JavaScript payloads.
Runs Starlink- and drone-themed malware campaigns using malicious MSI installers, PowerShell/VBS/.NET loaders, DLL side-loading, Sliver implants, and JS-based SoullessRAT delivery.
Operations distributing malicious MSI installers disguised as software for managing Starlink terminals and for UAV pilot training, delivering Sliver and SoullessRAT through multi-stage PowerShell/JS chains.