Cybersecurity experts have detected a sophisticated campaign targeting energy sector companies, as the threat actor known as Sapphire Werewolf deploys an enhanced version of the Amethyst stealer malware.<\/p>\n
The campaign represents a significant evolution in the group\u2019s capabilities, featuring advanced evasion techniques and expanded data exfiltration functionality.<\/p>\n
This malware deployment is part of a broader pattern of increasingly sophisticated attacks against critical infrastructure targets worldwide.<\/p>\n
The initial attack vector remains consistent with previous Sapphire Werewolf campaigns, utilizing phishing emails that masquerade as official human resources communications.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiXkjOha27uBIuVv2ssiA7-RcUz0_QHo-qQZsE77rcZxQW1ZmqWCmT5FZc0HRuke9pX4FX-xudl5DkLacYR18d54SrwLDmYnyTPLEwpYRNntLM5ssbTa1hB1LtArPr1-RRBZOFTwc38FuQEl45YqC3IlMMkrrFM7f1kauA7Qlq1GZnEwGpa7PFcdcbzmqU\/s16000\/Phishing%2520email%2520%28Source%2520-%2520Bi.Zone%29.webp?ssl=1\")
The malicious attachment appears as a RAR archive named \u201c\u0437\u0430\u043f\u0438\u0441\u043a\u0430.rar\u201d containing an executable disguised with a PDF icon.<\/p>\n
Upon execution, this initial loader unpacks and deploys the main Amethyst stealer payload, which has been protected using .NET Reactor obfuscation technology to evade detection by common security tools.<\/p>\n
BI.ZONE researchers identified<\/a> this campaign on April 9, 2025, noting that the threat actor has significantly refined their toolkit.<\/p>\n The malware employs a sophisticated multi-stage infection process, first loading a Base64-encoded PE file into memory through Assembly.Load() and Invoke() methods, avoiding writing the malicious payload to disk where it might be detected by security solutions<\/a>.<\/p>\n The Amethyst stealer\u2019s primary function is credential theft, targeting authentication data from multiple applications including Telegram and various browsers such as Chrome, Opera, Yandex, Brave, and Edge.<\/p>\n Additional functionality enables the malware to extract SSH configuration files, remote desktop settings, and VPN client<\/a> credentials, providing attackers with multiple vectors for maintaining persistent access to compromised networks.<\/p>\n What distinguishes this latest version of Amethyst is its comprehensive suite of virtual machine detection mechanisms designed to prevent analysis.<\/p>\n The malware employs multiple techniques to identify virtualized environments, including checking for VirtualBox-specific file descriptors as seen in the following code implementation:-<\/p>\n The malware further extends its evasion capabilities through WMI queries examining hardware characteristics, including processor manufacturer details, motherboard information, BIOS serial numbers, and disk model data.<\/p>\n If virtualization is detected, the malware alters its behavior to avoid revealing its full capabilities to security researchers.<\/p>\n Additionally, Amethyst implements Triple DES symmetric encryption for string obfuscation, applying encryption to nearly every string parameter used in function calls rather than encrypting entire code blocks.<\/p>\n This technique significantly complicates static analysis by security tools<\/a>, which shows a code fragment demonstrating the decryption process in action.<\/p>\n Once credentials are harvested, the malware stages the data locally before exfiltrating it through Telegram channels, providing attackers with a convenient and difficult-to-block command and control infrastructure.<\/p>\n Find this News Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, &\u00a0X<\/a>\u00a0to Get Instant Updates!<\/strong><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgI525PPG5TRe_6usKPxi4PXerS5jXk1jVL1kiAif5e2Ls9dOKp0mypKhhflF5jen9iMXS_MwVkZVcAaViOgdeXhfTqHtdfveG2x05mYisI2xR60X6791fN8p3GVWLFD5wtuu05-rkC4qcL4xuaOKgNXpVhEYTlcrjSHt5KDrETjItvdCSUBAr7_C6yXQM\/s16000\/Base64-encoded%2520PE%2520file%2520%28Source%2520-%2520Bi.Zone%29.webp?ssl=1\")
Advanced VM Detection Capabilities<\/strong><\/h2>\n
public static bool CheckVirtualDevice()\n{\n bool result;\n try\n {\n using (File.Open(\"\\\\.\\VBoxMiniRdrDN\", FileMode.Open, FileAccess.Read, FileShare.Read))\n {\n result = true;\n }\n }\n catch\n {\n result = false;\n }\n return result;\n}<\/code><\/pre>\nAlso Read:<\/strong><\/h3>\n