Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives containing SFX executables, which deploy obfuscated AutoIt scripts, legitimate AutoIt interpreters, and decoy PDF documents. The loader gathers system information, exfiltrates data to a C2 server, and potentially downloads additional malicious payloads. The attackers use deceptive file names matching the content of decoy documents to increase credibility. This campaign demonstrates the ongoing sophistication and adaptability of threat actors targeting Russian government organizations.