Since the beginning of 2026, our experts have observed the hacker group VasyGrek (Fluffy Wolf) expanding the geography of its targets: it no longer attacks only Russian organizations. Its arsenal has also been updated: new attacks use .vbs droppers, .com droppers, and a .com stealer written in Rust.
A VasyGrek attack typically starts with an email containing a malicious file or link. The infection chain then follows one of two variants:
An obfuscated .vbs/.bat dropper checks the host name and then secretly launches a Base64-encoded malicious PowerShell script. The script downloads the payload from legitimate hosting services (pastefy.app, yaso.su, Supabase Storage), loads a .NET assembly into memory, and injects it into a trusted system process, RegAsm.exe, without writing to disk.
A .scr/.com dropper written in Rust installs the PureRAT backdoor. It copies itself to the %APPDATA% or %LOCALAPPDATA% directories and establishes persistence through the registry by modifying the HKCU\..\Run\ branch or through the task scheduler (using the schtasks.exe utility or the PowerShell Register-ScheduledTask cmdlet). After establishing persistence, the backdoor connects to the C2 server to receive further instructions (e.g., collecting confidential data).
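The behaviours in both variants (Base64-encoded PowerShell started by a script host, RegAsm.exe used as an injection target, a .scr/.com binary running from %APPDATA% or %LOCALAPPDATA%, and Run-key or scheduled-task persistence) can be matched in process-creation logs. The following Python example is added here and is not code from the original report. The event field names, rule names and sample events are constructed assumptions, and the RegAsm rule assumes the injecting PowerShell process spawns RegAsm.exe itself.

```python
import re

# Field names (image, parent, cmdline) are assumptions modelled on
# process-creation telemetry; adapt them to your EDR or Sysmon schema.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
USER_DIRS = re.compile(r"\\appdata\\(roaming|local)\\", re.I)
ENCODED_PS = re.compile(r"\s-e[a-z]*\s+[A-Za-z0-9+/]{20,}={0,2}", re.I)
PERSIST = re.compile(r"schtasks(\.exe)?\s.*/create|register-scheduledtask"
                     r"|hkcu:?\\\S*\\run\b", re.I)

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def detect(ev):
    image, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"]
    hits = []
    # .vbs/.bat dropper launching Base64-encoded PowerShell
    if image == "powershell.exe" and parent in SCRIPT_HOSTS and ENCODED_PS.search(cmd):
        hits.append("encoded-powershell-from-script-host")
    # Heuristic: RegAsm.exe normally receives an assembly path; no arguments
    # plus a PowerShell parent fits its use as an injection target.
    args = cmd.lower().split("regasm.exe", 1)[-1].strip(' "')
    if image == "regasm.exe" and parent == "powershell.exe" and not args:
        hits.append("regasm-no-args-from-powershell")
    # Rust dropper copied to %APPDATA% / %LOCALAPPDATA% as .scr or .com
    if USER_DIRS.search(ev["image"]) and image.endswith((".scr", ".com")):
        hits.append("scr-com-running-from-appdata")
    # Run key or scheduled task whose target lives in a user profile directory
    if PERSIST.search(cmd) and USER_DIRS.search(cmd):
        hits.append("persistence-targets-appdata")
    return hits

# Constructed sample events (not taken from the report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
APP = r"C:\Users\user\AppData\Roaming\doc_pdf.scr"
EVENTS = [
    {"image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc QQBCAEMARABFAEYARwBIAEkASgA="},
    {"image": REGASM, "parent": PS, "cmdline": REGASM},
    {"image": APP, "parent": r"C:\Windows\explorer.exe", "cmdline": APP},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": APP,
     "cmdline": "schtasks.exe /create /tn Updater /sc onlogon /tr " + APP},
    {"image": REGASM, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": REGASM + r" /codebase C:\App\lib.dll"},  # benign control
]

if __name__ == "__main__":
    print(*[(base(e["image"]), detect(e)) for e in EVENTS], sep="\n")
```

The last sample event is a benign control: RegAsm.exe started by an installer with an assembly argument matches no rule.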
How to catch the attack
We recommend using the indicators of compromise listed below.