Triune Evil: "Werewolves" Attack Law Enforcement Officers

    Date: 03/30/2026

    Severity: High

    Summary

    A cyberespionage campaign discovered in early 2026 involved three distinct threat clusters (Paper Werewolf, Versatile Werewolf, and Eagle Werewolf) that targeted law enforcement personnel with malware disguised as Starlink registration services and drone training applications. The attackers exploited current events and social engineering, including hijacked Telegram accounts and compromised channels, to distribute the malware and widen their reach. Although the three groups operated independently, all of them focused on targeted intelligence collection, and some used AI-generated tooling to speed up attack development.

    Indicators of Compromise (IOC) List

    Domains/URLs

    syncheaven.online

    battleflight.org

    battleflight.pro

    certcheck.online

    re-link.space

    mystarlink.org

    web-tellegram.org

    stardebug.app

    curtainbeatdisturbance.com

    alphafly-drones.com

    updatewin.net

    serverscreen.net

    toolsserv.com

    servicefor8.com

    for8service.net

    updateserv.net

    configurationserv.com

    cloudanalitics.net

    servupdate.net

    synchro-service.com

    prodacserv.net

    http://configurationserv.com/tunnel/register

    http://cloudanalitics.net/tunnel/register

    https://servupdate.net/array/array9.json

    https://synchro-service.com/array8/array8.json

    http://203.161.56.226/public/catalog/machine/register

    http://203.161.56.226/public/starlink

    http://203.161.56.226/public/starlink/starlink-v2

    https://prodacserv.net/array/array10.json

    https://updateserv.net:443/check

    https://updateserv.net:443/backup/get-time

    https://updateserv.net:443/file/uploadChunk

    https://updateserv.net:443/backup/update-subtask-status

    https://updateserv.net:443/cmd/upload-result

    https://updateserv.net:443/clients/files

    https://stardebug.app/static/files/StarDebug_1.0.1.msi

    https://www.alphafly-drones.com/downloads/AlphaFlyInstallV1-2.msi

    https://newfolder.click/9ebeb834a451460e

    https://newfolder.click/?cid=9ebeb834a451460e&mod=main

    https://syncheaven.online/sync/now/ru/moscow/fetch

    https://battleflight.org/download/installer

    https://battleflight.pro/static/media/BattleFlight_Installer.exe

    https://certcheck.online/certificate/check/Wi5kyh3yFeUF2VhIiFX572eR3870GxYrk7f1Q7MLV5vJ3xGnf4

    https://web-tellegram.org/ru

    https://web-tellegram.org/socket.io/?EIO=4&transport=polling&t=ikzknftw&sid=0TY7i-pDpxsIn8b4ABJ6

    IP Address

    203.161.56.226

    104.194.158.63

    Hash

    9292fae9b63203cdc0cb204b53314d056e01fc760707dcaa89e66e43d688b25e

    4263c458ef216f8e2524462ea3efe79be44492d51143a519081c429c3c24c166

    c1fbd66467449d3c8d9d07a939843a49fad9de9ac484241d52f0d5a94299ca62

    e1f359773da3b014389018ef8a22a15acb2157b43cff5f507237ca7093174b11

    f8c10fd2b3d254cff0c7927c188a7751568fe7ff3eace1de83bb3148bc14a339

    df1d20e392f7b7c5c408bdda317e0733e5ec27a973e3bf75034c6566343aa67f

    677c5ad47c8feaf6a5c0b084060347bcf48f0ccadcdf951b3d48553f4520feaa

    82254b86590762b2946c6584db35d3872a5d6b85d30e8c07adb95de2126a4f97

    a20870bee771efe1ea01761d7978cc7b68b0a3c32c617675464f9c4dbe0a5d66

    88ebed34ab9ff0e16dc32b789fc25295ea570f86244e89cb68803c517597cfdd

    3d280f5bb4e1eba8c1a65c7d17411286f7b3dbe7db48130f7d5a3be421ffc2ae

    34db59b663c15cd03cdd92bf24bdff25b756dd51f0540fecaac2a0cab47480ae

    996df9ce30ace63c0c516cbacfa4e308b555a2d2c44c9d6550b543b9fccc845d

    09c83fc5f1656cc4be749c64bfc53d2ef612c9b79dc3937b8bb137754c82216a

    688a1dc207ead232cb8ae6f67fcca1cf7892d83a01af024c404e636cb6ba4cb2

    376276fb34d3ce82f2e15b3b27978ffce1896320f4ba226c1eeda778e1fe5714

    471e5e26a0e0796e79e0ef09a0565b7e50c3ff39da0ba42a45c35dcc3922dc2c

    6498d18edb1d440783ae1e7921ebd491872b81b91968bcb246086bf1e08b68f6

    aa52dd66071b673416947a798d1f5118405eb94476db08a2ada2eaa5bdeeb276

    e321a2348bfba68e642f8b13bbdbebc394a4364bddbdadf8b37e4bff80200de1

    8ac118cc76584487b7f71d91fee2c344a7e33ee8043043920895e9851fa257e2

    3fe1405a47d1f58c1f7b54d12de574542b32e6d67586d43f119575b906da0a38

    1951325e1bf6f927ae4bd57fec4d2b5b893cdac2d98c010ef716db254e8d4e7f

    d8ad86cf071b914cc0e828c5b3ff68a72fb5ce776f49dd2aa3f56e7d8af142f8

    5869fb9280846dd77c3fb38b976cf760f889481947cda76a779cf69f48d57daa

    bbbb345cf004992fd8a0ca8c900458f15d6ae939f7f41a60c28a67475af59289

    b97fba0accfaf94ae416c2cf1a17a01c281c5565c80fb525ee00f1191a62eff9

    10b6d2cb69d9902afc2157c81b31b066ffd53e9deb156787b68e4fdea2c081b4

    71155a0940a2c19789d8a8efb285ac3dff5d680a93902901afe6cc893f278ce9

    edb4e02547daba247fea1f95d5a45f4cf0cc2a35259cd2e07ae5f99c76910751

    487154b1e2a96627d1eeb5d679e3e37269a27701f32b8769b6aa9f9ea640a53c

    e8de53d4c7558b836f701af0f2e6db5807b10cf9a0d10543bb53357c17b936b3

    ea312fc2bc4dffcaa69d4308ed9d58ae26051285777bbf05665eb625d94dab27

    b965badd209359e7b19c423e321193b308101b844bdf14704228e27f46c7ffe0

    dc6243760263153e4245d8ca37821d2ff2889c78bcd9e9849050e10e26ac3fb3

    cde5ea7788856304e869254fdc90e76adf6990651b72c7351609e707fbf36c0e

    5d759393935faa272f3a7b2dd827d010abd40ead178aba45b360c83ebbcd5e84

    d55a9680b9df14da5e434d5839734c1ed7d9a44348bfd4868e36682203282cc4

    80419e4fbe836b59f96697a8b35acb9903d34796e12ea0cd2349b3c01fe3f9e8

    5c23d87edca803f7579129a0f6cc18796f67bf55b0c9d053e47edd5f9b501b62

    c9c9cf72eaf105be6345aef989c88c27d75bbad935efbc349232b84939d59499

    5058b50371a666a585e2438b113825ea07a525b1fe3529a6988e2416d5b4e89d

    bcc9f8baa79c96e6adfbef6dc35d841b63b5c09029f9845fe52bcd76b53a51b9

    aa5f6d919f0f7055e7a22c566463615f208f0b70e5cc56a927baa95796432dcb

    c43fea1537004b69e1d7b7897af22e7813f4a86f4a53fa44263d3998bfef3a25

    c2a86a9fe38f46eea465290e68c8ee90e474acd3c3fa5f0b6704168965e98f8b

    54318d50f463de10661d13701c2acd183a3bd00ea0d01fd74ccdb778f073ea7a

    5047eae07f5d4dca559c5e04d60ecd775fce4e448d00f7b61c38b737ecbd5586

    ef72cd3ed4b2d86466ad674b09f077f68909038fba8015f95cfddbf4f53900d4

    dbf9a2d1936df83e9764c0233623b581c8e0bf9e331ff0a636721438ce7a1dd5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "certcheck.online" or siteurl like "certcheck.online" or url like "certcheck.online" or domainname like "synchro-service.com" or siteurl like "synchro-service.com" or url like "synchro-service.com" or domainname like "battleflight.org" or siteurl like "battleflight.org" or url like "battleflight.org" or domainname like "https://battleflight.org/download/installer" or siteurl like "https://battleflight.org/download/installer" or url like "https://battleflight.org/download/installer" or domainname like "battleflight.pro" or siteurl like "battleflight.pro" or url like "battleflight.pro" or domainname like "curtainbeatdisturbance.com" or siteurl like "curtainbeatdisturbance.com" or url like "curtainbeatdisturbance.com" or domainname like "https://updateserv.net:443/clients/files" or siteurl like "https://updateserv.net:443/clients/files" or url like "https://updateserv.net:443/clients/files" or domainname like "cloudanalitics.net" or siteurl like "cloudanalitics.net" or url like "cloudanalitics.net" or domainname like "http://203.161.56.226/public/starlink/starlink-v2" or siteurl like "http://203.161.56.226/public/starlink/starlink-v2" or url like "http://203.161.56.226/public/starlink/starlink-v2" or domainname like "http://203.161.56.226/public/starlink" or siteurl like "http://203.161.56.226/public/starlink" or url like "http://203.161.56.226/public/starlink" or domainname like "https://syncheaven.online/sync/now/ru/moscow/fetch" or siteurl like "https://syncheaven.online/sync/now/ru/moscow/fetch" or url like "https://syncheaven.online/sync/now/ru/moscow/fetch" or domainname like "http://cloudanalitics.net/tunnel/register" or siteurl like "http://cloudanalitics.net/tunnel/register" or url like "http://cloudanalitics.net/tunnel/register" or domainname like "http://203.161.56.226/public/catalog/machine/register" or siteurl like "http://203.161.56.226/public/catalog/machine/register" or url like "http://203.161.56.226/public/catalog/machine/register" or domainname like "https://updateserv.net:443/cmd/upload-result" or siteurl like "https://updateserv.net:443/cmd/upload-result" or url like "https://updateserv.net:443/cmd/upload-result" or domainname like "https://newfolder.click/?cid=9ebeb834a451460e&mod=main" or siteurl like "https://newfolder.click/?cid=9ebeb834a451460e&mod=main" or url like "https://newfolder.click/?cid=9ebeb834a451460e&mod=main" or domainname like "web-tellegram.org" or siteurl like "web-tellegram.org" or url like "web-tellegram.org" or domainname like "configurationserv.com" or siteurl like "configurationserv.com" or url like "configurationserv.com" or domainname like "https://battleflight.pro/static/media/BattleFlight_Installer.exe" or siteurl like "https://battleflight.pro/static/media/BattleFlight_Installer.exe" or url like "https://battleflight.pro/static/media/BattleFlight_Installer.exe" or domainname like "https://web-tellegram.org/socket.io/?EIO=4&transport=polling&t=ikzknftw&sid=0TY7i-pDpxsIn8b4ABJ6" or siteurl like "https://web-tellegram.org/socket.io/?EIO=4&transport=polling&t=ikzknftw&sid=0TY7i-pDpxsIn8b4ABJ6" or url like "https://web-tellegram.org/socket.io/?EIO=4&transport=polling&t=ikzknftw&sid=0TY7i-pDpxsIn8b4ABJ6" or domainname like "https://updateserv.net:443/backup/update-subtask-status" or siteurl like "https://updateserv.net:443/backup/update-subtask-status" or url like "https://updateserv.net:443/backup/update-subtask-status" or domainname like "for8service.net" or siteurl like "for8service.net" or url like "for8service.net"

    Detection Query 2 :

    domainname like "https://web-tellegram.org/ru" or siteurl like "https://web-tellegram.org/ru" or url like "https://web-tellegram.org/ru" or domainname like "updateserv.net" or siteurl like "updateserv.net" or url like "updateserv.net" or domainname like "https://updateserv.net:443/file/uploadChunk" or siteurl like "https://updateserv.net:443/file/uploadChunk" or url like "https://updateserv.net:443/file/uploadChunk" or domainname like "https://www.alphafly-drones.com/downloads/AlphaFlyInstallV1-2.msi" or siteurl like "https://www.alphafly-drones.com/downloads/AlphaFlyInstallV1-2.msi" or url like "https://www.alphafly-drones.com/downloads/AlphaFlyInstallV1-2.msi" or domainname like "prodacserv.net" or siteurl like "prodacserv.net" or url like "prodacserv.net" or domainname like "servicefor8.com" or siteurl like "servicefor8.com" or url like "servicefor8.com" or domainname like "https://servupdate.net/array/array9.json" or siteurl like "https://servupdate.net/array/array9.json" or url like "https://servupdate.net/array/array9.json" or domainname like "toolsserv.com" or siteurl like "toolsserv.com" or url like "toolsserv.com" or domainname like "https://prodacserv.net/array/array10.json" or siteurl like "https://prodacserv.net/array/array10.json" or url like "https://prodacserv.net/array/array10.json" or domainname like "https://synchro-service.com/array8/array8.json" or siteurl like "https://synchro-service.com/array8/array8.json" or url like "https://synchro-service.com/array8/array8.json" or domainname like "syncheaven.online" or siteurl like "syncheaven.online" or url like "syncheaven.online" or domainname like "re-link.space" or siteurl like "re-link.space" or url like "re-link.space" or domainname like "http://configurationserv.com/tunnel/register" or siteurl like "http://configurationserv.com/tunnel/register" or url like "http://configurationserv.com/tunnel/register" or domainname like "updatewin.net" or siteurl like "updatewin.net" or url like "updatewin.net" or domainname like "https://updateserv.net:443/check" or siteurl like "https://updateserv.net:443/check" or url like "https://updateserv.net:443/check" or domainname like "servupdate.net" or siteurl like "servupdate.net" or url like "servupdate.net" or domainname like "alphafly-drones.com" or siteurl like "alphafly-drones.com" or url like "alphafly-drones.com" or domainname like "https://newfolder.click/9ebeb834a451460e" or siteurl like "https://newfolder.click/9ebeb834a451460e" or url like "https://newfolder.click/9ebeb834a451460e" or domainname like "mystarlink.org" or siteurl like "mystarlink.org" or url like "mystarlink.org" or domainname like "serverscreen.net" or siteurl like "serverscreen.net" or url like "serverscreen.net" or domainname like "https://updateserv.net:443/backup/get-time" or siteurl like "https://updateserv.net:443/backup/get-time" or url like "https://updateserv.net:443/backup/get-time" or domainname like "stardebug.app" or siteurl like "stardebug.app" or url like "stardebug.app" or domainname like "https://stardebug.app/static/files/StarDebug_1.0.1.msi" or siteurl like "https://stardebug.app/static/files/StarDebug_1.0.1.msi" or url like "https://stardebug.app/static/files/StarDebug_1.0.1.msi" or domainname like "https://certcheck.online/certificate/check/Wi5kyh3yFeUF2VhIiFX572eR3870GxYrk7f1Q7MLV5vJ3xGnf4" or siteurl like "https://certcheck.online/certificate/check/Wi5kyh3yFeUF2VhIiFX572eR3870GxYrk7f1Q7MLV5vJ3xGnf4" or url like "https://certcheck.online/certificate/check/Wi5kyh3yFeUF2VhIiFX572eR3870GxYrk7f1Q7MLV5vJ3xGnf4"

    Detection Query 3 :

    dstipaddress IN ("104.194.158.63","203.161.56.226") or srcipaddress IN ("104.194.158.63","203.161.56.226")

    Detection Query 4 :

    sha256hash IN ("677c5ad47c8feaf6a5c0b084060347bcf48f0ccadcdf951b3d48553f4520feaa","df1d20e392f7b7c5c408bdda317e0733e5ec27a973e3bf75034c6566343aa67f","aa52dd66071b673416947a798d1f5118405eb94476db08a2ada2eaa5bdeeb276","471e5e26a0e0796e79e0ef09a0565b7e50c3ff39da0ba42a45c35dcc3922dc2c","34db59b663c15cd03cdd92bf24bdff25b756dd51f0540fecaac2a0cab47480ae","3d280f5bb4e1eba8c1a65c7d17411286f7b3dbe7db48130f7d5a3be421ffc2ae","9292fae9b63203cdc0cb204b53314d056e01fc760707dcaa89e66e43d688b25e","71155a0940a2c19789d8a8efb285ac3dff5d680a93902901afe6cc893f278ce9","6498d18edb1d440783ae1e7921ebd491872b81b91968bcb246086bf1e08b68f6","e1f359773da3b014389018ef8a22a15acb2157b43cff5f507237ca7093174b11","376276fb34d3ce82f2e15b3b27978ffce1896320f4ba226c1eeda778e1fe5714","88ebed34ab9ff0e16dc32b789fc25295ea570f86244e89cb68803c517597cfdd","e321a2348bfba68e642f8b13bbdbebc394a4364bddbdadf8b37e4bff80200de1","4263c458ef216f8e2524462ea3efe79be44492d51143a519081c429c3c24c166","c1fbd66467449d3c8d9d07a939843a49fad9de9ac484241d52f0d5a94299ca62","f8c10fd2b3d254cff0c7927c188a7751568fe7ff3eace1de83bb3148bc14a339","82254b86590762b2946c6584db35d3872a5d6b85d30e8c07adb95de2126a4f97","a20870bee771efe1ea01761d7978cc7b68b0a3c32c617675464f9c4dbe0a5d66","996df9ce30ace63c0c516cbacfa4e308b555a2d2c44c9d6550b543b9fccc845d","09c83fc5f1656cc4be749c64bfc53d2ef612c9b79dc3937b8bb137754c82216a","688a1dc207ead232cb8ae6f67fcca1cf7892d83a01af024c404e636cb6ba4cb2","8ac118cc76584487b7f71d91fee2c344a7e33ee8043043920895e9851fa257e2","3fe1405a47d1f58c1f7b54d12de574542b32e6d67586d43f119575b906da0a38","1951325e1bf6f927ae4bd57fec4d2b5b893cdac2d98c010ef716db254e8d4e7f","d8ad86cf071b914cc0e828c5b3ff68a72fb5ce776f49dd2aa3f56e7d8af142f8","5869fb9280846dd77c3fb38b976cf760f889481947cda76a779cf69f48d57daa","bbbb345cf004992fd8a0ca8c900458f15d6ae939f7f41a60c28a67475af59289","b97fba0accfaf94ae416c2cf1a17a01c281c5565c80fb525ee00f1191a62eff9","10b6d2cb69d9902afc2157c81b31b066ffd53e9deb156787b68e4fdea2c081b4","edb4e02547daba247fea1f95d5a45f4cf0cc2a35259cd2e07ae5f99c76910751","487154b1e2a96627d1eeb5d679e3e37269a27701f32b8769b6aa9f9ea640a53c","e8de53d4c7558b836f701af0f2e6db5807b10cf9a0d10543bb53357c17b936b3","ea312fc2bc4dffcaa69d4308ed9d58ae26051285777bbf05665eb625d94dab27","b965badd209359e7b19c423e321193b308101b844bdf14704228e27f46c7ffe0","dc6243760263153e4245d8ca37821d2ff2889c78bcd9e9849050e10e26ac3fb3","cde5ea7788856304e869254fdc90e76adf6990651b72c7351609e707fbf36c0e","5d759393935faa272f3a7b2dd827d010abd40ead178aba45b360c83ebbcd5e84","d55a9680b9df14da5e434d5839734c1ed7d9a44348bfd4868e36682203282cc4","80419e4fbe836b59f96697a8b35acb9903d34796e12ea0cd2349b3c01fe3f9e8","5c23d87edca803f7579129a0f6cc18796f67bf55b0c9d053e47edd5f9b501b62","c9c9cf72eaf105be6345aef989c88c27d75bbad935efbc349232b84939d59499","5058b50371a666a585e2438b113825ea07a525b1fe3529a6988e2416d5b4e89d","bcc9f8baa79c96e6adfbef6dc35d841b63b5c09029f9845fe52bcd76b53a51b9","aa5f6d919f0f7055e7a22c566463615f208f0b70e5cc56a927baa95796432dcb","c43fea1537004b69e1d7b7897af22e7813f4a86f4a53fa44263d3998bfef3a25","c2a86a9fe38f46eea465290e68c8ee90e474acd3c3fa5f0b6704168965e98f8b","54318d50f463de10661d13701c2acd183a3bd00ea0d01fd74ccdb778f073ea7a","5047eae07f5d4dca559c5e04d60ecd775fce4e448d00f7b61c38b737ecbd5586","ef72cd3ed4b2d86466ad674b09f077f68909038fba8015f95cfddbf4f53900d4","dbf9a2d1936df83e9764c0233623b581c8e0bf9e331ff0a636721438ce7a1dd5")
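    The queries above compare each indicator against the domainname, siteurl, url, srcipaddress, dstipaddress and sha256hash fields one string at a time. The Python below is an added example for this advisory (it is not Gurucul's or BI.ZONE's code) showing how to load such an IOC list, validate and deduplicate it, and match it against log events in a way that survives the usual normalisation traps: an https URL listed with an explicit :443 matches the same URL logged without the port, hashes match regardless of case, and a listed domain matches a logged host only when it is that host or a subdomain of it, not when it merely appears as a substring of a path or of a longer hostname. RAW_IOCS is a constructed subset of this page's IOC list (the page's twice-listed servupdate.net URL is kept, and one hash is deliberately truncated, to exercise the checks); SAMPLE_EVENTS are constructed log records whose field names follow the queries above.

```python
"""Normalise the IOCs from this advisory and match them against log events.

Added example; not Gurucul's or BI.ZONE's code.  RAW_IOCS is a constructed
subset of the page's IOC list (the duplicate servupdate.net URL is kept and one
hash is truncated on purpose).  SAMPLE_EVENTS are constructed log records.
"""
import re
from urllib.parse import urlsplit

RAW_IOCS = [
    "stardebug.app",
    "alphafly-drones.com",
    "updateserv.net",
    "https://stardebug.app/static/files/StarDebug_1.0.1.msi",
    "https://www.alphafly-drones.com/downloads/AlphaFlyInstallV1-2.msi",
    "https://updateserv.net:443/file/uploadChunk",
    "https://servupdate.net/array/array9.json",
    "https://servupdate.net/array/array9.json",   # listed twice on the page
    "203.161.56.226",
    "104.194.158.63",
    "9292fae9b63203cdc0cb204b53314d056e01fc760707dcaa89e66e43d688b25e",
    "edb4e02547daba247fea1f95d5a45f4cf0cc2",   # constructed: hash cut mid-value
]

SAMPLE_EVENTS = [  # constructed log records, field names as in the queries
    {"url": "https://www.alphafly-drones.com/downloads/AlphaFlyInstallV1-2.msi",
     "dstipaddress": "104.194.158.63"},
    {"url": "https://updateserv.net/file/uploadChunk", "dstipaddress": "203.161.56.226"},
    {"url": "https://cdn.stardebug.app/x.msi"},            # subdomain of a listed domain
    {"url": "https://example.com/stardebug.app/readme"},   # listed domain only in the path
    {"sha256hash": "9292FAE9B63203CDC0CB204B53314D056E01FC760707DCAA89E66E43D688B25E"},
    {"url": "https://updates.vendor.example/", "dstipaddress": "10.0.0.5"},  # benign
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
DEFAULT_PORT = {"http": 80, "https": 443}


def normalise_url(url):
    """Lower-case scheme and host, drop a default port, keep path and query as given."""
    p = urlsplit(url.strip())
    if not p.scheme or not p.hostname:
        return None
    scheme, host = p.scheme.lower(), p.hostname.lower()
    netloc = host if p.port in (None, DEFAULT_PORT.get(scheme)) else f"{host}:{p.port}"
    return f"{scheme}://{netloc}{p.path}" + (f"?{p.query}" if p.query else "")


def classify(value):
    """Return (kind, normalised value); kind is None and value a reason if rejected."""
    v = value.strip()
    low = v.lower()
    if SHA256_RE.match(low):
        return "sha256", low
    if HEX_RE.match(low):  # hex but not 64 chars: a truncated or mangled hash
        return None, f"{len(low)}-char hex string is not a SHA-256"
    if IPV4_RE.match(low) and all(int(o) <= 255 for o in low.split(".")):
        return "ip", low
    if "://" in v:
        norm = normalise_url(v)
        return ("url", norm) if norm else (None, "URL without a host")
    if DOMAIN_RE.match(low):
        return "domain", low
    return None, "unrecognised indicator"


def build_sets(raw):
    """Bucket indicators by type (deduplicated) and collect the rejected ones."""
    sets = {"domain": set(), "url": set(), "ip": set(), "sha256": set()}
    rejected = []
    for item in raw:
        kind, norm = classify(item)
        if kind:
            sets[kind].add(norm)
        else:
            rejected.append((item, norm))
    return sets, rejected


def match_event(event, sets):
    """Return the (kind, indicator) hits for one log event."""
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in sets["ip"]:
            hits.append(("ip", event[field]))
    url = event.get("url") or event.get("siteurl")
    if url:
        norm = normalise_url(url)
        if norm in sets["url"]:
            hits.append(("url", norm))
        host = urlsplit(norm).hostname if norm else None
        # Host equals a listed domain or is a subdomain of it; not a substring
        # test, so a domain in the path or inside a longer hostname does not fire.
        for d in sets["domain"]:
            if host == d or (host and host.endswith("." + d)):
                hits.append(("domain", d))
    h = event.get("sha256hash")
    if h and h.lower() in sets["sha256"]:
        hits.append(("sha256", h.lower()))
    return hits


def scan(events, sets):
    """Return (index, hits) for every event with at least one hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e, sets))]


if __name__ == "__main__":
    iocs, bad = build_sets(RAW_IOCS)
    for item, why in bad:
        print(f"rejected {item!r}: {why}")
    for i, hits in scan(SAMPLE_EVENTS, iocs):
        print(f"event {i}: {hits}")
```

    Feeding the full IOC list from this page through build_sets is the quickest way to catch a list that was pasted with a hash split across lines or a URL listed twice before the indicators go into a blocklist or a detection rule.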

    Reference:

    https://bi.zone/expertise/blog/triedinoe-zlo-oborotni-atakuyut-sotrudnikov-silovykh-struktur/


    Tags

    Malware, Threat Actor, Cyber Espionage, AI, Social Engineering, Telegram
