According to information security specialists at BI.ZONE, as reported by the newspaper Izvestia, a new hacking collective named Sticky Werewolf has emerged. The group has targeted government institutions in Russia and Belarus, initiating its activity in April and accumulating more than thirty confirmed incidents to date. Its phishing campaigns rely on commercial malware tools, and analysts note a rising frequency of cyber assaults against intricate electronic systems, showing an increase of about 50 percent in recent activity.
Oleg Skulkin, who leads BI.ZONE’s cyber intelligence division, explained that the attackers craft links for counterfeit emails using the IP Logger service. This service gathers data about individuals who click on the links, including the time of click, IP address, country and city, browser version, and operating system. Such data allows Sticky Werewolf to filter out less valuable targets and concentrate efforts on the strongest, highest-priority systems.
Security analysts observe that the links in these messages direct recipients to malicious files with .exe or .scr extensions, which are camouflaged to resemble Word or PDF documents. An illustrative case involved an attempted breach of the Krasnoyarsk Territory administration, where the attackers posed as a notice from the Ministry of Emergency Situations. Similar schemes were employed against the Brest Executive Committee, masked as a document from the Belarusian Prosecutor General’s Office, and against the Moscow Savelovsky Court.
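The lure described above (an .exe or .scr delivered by link and named to look like a Word or PDF document) can be screened for at the mail gateway or proxy. The following is an added example written for this article, not code from BI.ZONE or the report; it generalises slightly beyond the text by also catching the double-extension form ("Notice.pdf.exe"). The hostnames and file names in the sample links are constructed placeholders.

```python
from urllib.parse import urlparse, unquote

# Extensions the report says the delivered lures actually carry.
EXECUTABLE_EXT = {".exe", ".scr"}
# Document types the lures are made to resemble.
DOCUMENT_EXT = {".doc", ".docx", ".pdf"}


def split_extensions(filename):
    """Return the lowercase extension chain, e.g. 'Notice.pdf.exe' -> ['.pdf', '.exe']."""
    name = filename.lower().rsplit("/", 1)[-1]
    parts = name.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_lure(filename):
    """Classify a delivered file name by its final extension and any earlier document extension.

    'executable-as-document' : .exe/.scr whose name also carries a document extension
    'executable'             : plain .exe/.scr delivery
    'document'               : real document extension only
    'other'                  : anything else
    """
    exts = split_extensions(filename)
    if not exts:
        return "other"
    final = exts[-1]
    if final in EXECUTABLE_EXT:
        if any(e in DOCUMENT_EXT for e in exts[:-1]):
            return "executable-as-document"
        return "executable"
    return "document" if final in DOCUMENT_EXT else "other"


def scan_links(urls):
    """Return (url, verdict) for each link whose target file is an executable lure."""
    findings = []
    for url in urls:
        verdict = classify_lure(unquote(urlparse(url).path))
        if verdict.startswith("executable"):
            findings.append((url, verdict))
    return findings


# Constructed sample links modelled on the lure style in the report (placeholder hosts).
SAMPLE_LINKS = [
    "https://files.example.invalid/mchs/Uvedomlenie.pdf.exe",
    "https://files.example.invalid/prokuratura/Dokument.docx.scr",
    "https://files.example.invalid/sud/Povestka.pdf",
    "https://files.example.invalid/dl/update.exe",
]

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_LINKS):
        print(f"{verdict:24} {url}")
```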
Igor Bederov, head of the information and analytical research department at T.Hunter, suggests that the group could be operating from Ukrainian territory, a factor that may explain the spread of spyware within organizations associated with the Union State. The broader pattern points to a coordinated use of social engineering and deceptive document delivery to breach government networks.
In a broader context, authorities and security firms continue to monitor such campaigns for signs of evolving tactics, seeking to understand how these actors bypass traditional defenses, exploit trusted communications channels, and move laterally within targeted networks. The focus remains on rapid detection of suspicious emails, verification of attachments, and the implementation of layered security controls to reduce the risk of intrusion and data exposure. Recent incidents underscore the importance of maintaining up-to-date incident response plans and user awareness programs to mitigate the impact of phishing and malware distribution in government infrastructure.
Historical patterns show that attempts of this kind may involve cross-border coordination and the reuse of compromised infrastructure to support operations. Observers note that attribution remains challenging in the cyber domain, but the accumulating indicators point toward a persistent, organized effort rather than isolated events. The continuing attention from researchers and national cybersecurity teams highlights the need for enhanced monitoring, rapid threat intelligence sharing, and resilient security architectures to address similar threats in the future.