Fluffy Wolf
Fluffy Wolf is a threat actor observed conducting phishing-led intrusions against Russian organizations. Between March and May 2026, BI.ZONE Threat Intelligence reported campaigns targeting companies in construction, consulting, engineering, retail, e-commerce, and manufacturing/industry. The emails were themed as outstanding debts, reconciliation statements, claims, and other business communications, and often impersonated partners or contractors. The actor used malicious RAR archives delivered either directly as attachments or via GitHub repository links, which lent the lures legitimacy and helped evade email filtering and other defenses.

In the reported campaigns, Fluffy Wolf used loaders and droppers to deliver PureLogs, PureRAT, and Pay2Key ransomware. The group continued using PureCrypter and Rust-based loaders running Donut shellcode, and introduced PowerLoader, a previously undocumented C++ downloader sold as a malware-as-a-service offering. PowerLoader operated largely filelessly: it launched hidden PowerShell instances, retrieved scripts from command-and-control infrastructure, and downloaded PureCrypter to deploy the final payloads. Payloads were injected into legitimate Windows processes including RegAsm.exe, InstallUtil.exe, and MSBuild.exe.

Observed post-compromise tooling included PureLogs, which stole browser credentials, cookies, search or browser history, application data, and email client data; researchers also noted that stolen data was categorized and sent to separate server endpoints. Fluffy Wolf also used PureRAT, including a version with the PluginRemoteDesktop module, which BI.ZONE said was seen for the first time in attacks on Russian organizations. That module enabled desktop image capture, active window monitoring, remote desktop control, keyboard and mouse emulation, and sending messages to application windows. At least one incident involved deployment of Pay2Key ransomware, described as based on Mimic.

Reported anti-forensic behavior included the malware overwriting its own executable with zeros using fsutil before deleting it, hindering incident response and reverse engineering. No additional aliases or sub-groups were provided in the source content beyond Fluffy Wolf.
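The self-wiping via fsutil, the hidden PowerShell instances, and the injection into RegAsm.exe, InstallUtil.exe and MSBuild.exe described above all surface in process-creation telemetry. The Python below is an added example, not code from BI.ZONE or Mallory: it runs three such heuristics over constructed Sysmon-style events. The event field names, the set of "expected" build-tool parents, and the `fsutil file setZeroData` command form are assumptions for the demo, not details taken from the report.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style (made-up samples
# for this demo, not telemetry from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc_update.exe",
     "CommandLine": r'fsutil file setZeroData offset=0 length=3145728 "C:\Users\alice\AppData\Roaming\svc_update.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\claim_2026.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c <downloaded script>"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "RegAsm.exe"},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe /nologo /t:Build app.csproj"},   # benign build, should stay clean
]

INJECTION_HOSTS = {"regasm.exe", "installutil.exe", "msbuild.exe"}
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe"}  # assumed legitimate parents
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return the findings for one process-creation event (empty list if clean)."""
    img, parent = basename(event["Image"]), basename(event["ParentImage"])
    parent_path, cmd = event["ParentImage"].lower(), event["CommandLine"]
    findings = []
    # 1. fsutil zeroing an .exe; highest confidence when the target is the parent process itself.
    if img == "fsutil.exe" and re.search(r"setzerodata", cmd, re.I):
        m = re.search(r'"?([^"]+\.exe)"?\s*$', cmd, re.I)
        target = basename(m.group(1)) if m else ""
        findings.append("fsutil setZeroData on executable" + (" (self-wipe by parent)" if target == parent else ""))
    # 2. Hidden PowerShell whose parent lives in a user-writable path (parameter name may be abbreviated, e.g. -w).
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"-w[a-z]*\s+hidden\b", cmd, re.I) \
            and any(seg in parent_path for seg in USER_WRITABLE):
        findings.append("hidden PowerShell launched from user-writable path")
    # 3. .NET utility commonly used as an injection host, started by a parent that is not a build tool.
    if img in INJECTION_HOSTS and parent not in EXPECTED_PARENTS:
        findings.append(f"{img} started by unexpected parent {parent}")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, omitting events with no findings."""
    return {i: f for i, ev in enumerate(events) if (f := detect(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The parent-path and expected-parent lists are starting points; tune them against your own baseline before alerting, since build servers will legitimately spawn MSBuild.exe from other parents.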
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Materials
- Capital Goods
- Commercial & Professional Services
- Consumer Discretionary Distribution & Retail
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Conducting phishing-led intrusion campaigns against Russian organizations, using deceptive debt/legal-themed emails, GitHub links, malicious RAR attachments, loaders and stealers, and in some cases deploying Pay2Key ransomware for financial extortion.
Conducting phishing-led intrusions against Russian companies across construction, consulting, engineering, retail, e-commerce, and industrial sectors, using MaaS-purchased loaders, stealers, RATs, and ransomware.