Organizations in Uzbekistan and Russia are currently being targeted by a spear-phishing campaign attributed to the cybercriminal group known as Bloody Wolf. Cybersecurity firm Kaspersky, which tracks this activity under the alias Stan Ghouls, has identified the NetSupport remote access trojan (RAT) as the key tool in these attacks. The group, active since at least 2023, has targeted organizations across Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan, particularly in the manufacturing, finance, and IT sectors.
Widespread Impact Across Regions
In this latest campaign, approximately 50 systems in Uzbekistan and 10 in Russia have been compromised. Infections also extend into Kazakhstan, Turkey, Serbia, and Belarus, though in smaller numbers. Government bodies, logistics firms, healthcare facilities, and educational institutions have been targeted as well. Kaspersky suggests that while financial gain is a likely motive, the extensive use of RATs may point to cyber espionage.
Bloody Wolf’s current strategy involves the misuse of NetSupport, a legitimate remote desktop tool, marking a shift from their previous reliance on STRRAT. Reports from November 2025 by Group-IB highlighted phishing efforts in Kyrgyzstan that facilitated the distribution of this tool.
Phishing Tactics and Malware Deployment
The attack chain is straightforward: a malicious PDF attached to a phishing email serves as the entry point and leads the victim to download a loader. The loader performs several functions: it displays fake error messages, checks for earlier installation attempts, and finally downloads and launches the NetSupport RAT. To ensure persistence, the malware configures autorun scripts and registry entries.
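The persistence step in that chain, autorun scripts and registry Run entries that launch the RAT, is the part a defender can most readily hunt for on an endpoint. The following Python triage helper is an added example, not code from the article or from Kaspersky: it parses a fragment in Windows `reg export` format and flags Run-key values that launch a remote-access client, run from a user-writable directory, or start a script through a script host. The registry fragment is constructed sample data, the path heuristics are my own, and the assumption that NetSupport Manager's client binary is named client32.exe comes from product knowledge rather than from the article.

```python
"""
Added example: triage of Windows Run-key autorun entries for the persistence
traits the article attributes to the Bloody Wolf loader. Not the article's or
Kaspersky's code; all indicators and sample data below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format produced by `reg export` (not real IoCs).
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svc\\client32.exe\""
"SysHelper"="wscript.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\start.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Directories an installer-placed autorun rarely uses but droppers often do.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Per-user applications that legitimately live under AppData (allowlist).
KNOWN_PER_USER = ("onedrive.exe",)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1")
# Assumption (product knowledge, not from the article): NetSupport Manager's
# client executable is named client32.exe.
REMOTE_ACCESS_CLIENTS = ("client32.exe",)

_SECTION = re.compile(r"^\[(.+)\]$")
# Only quoted string values are handled; dword/hex values are skipped.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|vbs|js|bat|cmd|ps1)', re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (one pass, left to right)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> list:
    """Return one AutorunEntry per quoted string value under each [key]."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SECTION.match(line):
            key = m.group(1)
        elif m := _VALUE.match(line):
            entries.append(AutorunEntry(key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def extract_paths(command: str) -> list:
    """Pull drive-rooted executable/script paths out of an autorun command."""
    return _PATH.findall(command)


def assess(entry: AutorunEntry) -> list:
    """Attach a reason for each suspicious trait of the entry's command."""
    cmd = entry.command.lower()
    for p in extract_paths(entry.command):
        lp = p.lower()
        base = lp.rsplit("\\", 1)[-1]
        if base in REMOTE_ACCESS_CLIENTS:
            entry.reasons.append(f"launches remote-access client {base}")
        if any(d in lp for d in USER_WRITABLE) and base not in KNOWN_PER_USER:
            entry.reasons.append(f"runs from user-writable path {p}")
        if lp.endswith(SCRIPT_EXT) and any(h in cmd for h in SCRIPT_HOSTS):
            entry.reasons.append(f"script-host autorun of {p}")
    return entry.reasons


def triage(text: str) -> dict:
    """Map value name -> reasons for every entry that raised at least one."""
    return {e.name: assess(e) for e in parse_reg_export(text) if assess(e) or e.reasons}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REG_EXPORT).items():
        print(f"{name}: " + "; ".join(reasons))
```

On a live host the input would be the file written by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent). The allowlist matters: per-user installers such as OneDrive legitimately run from AppData, so the user-writable heuristic is a triage prompt rather than a verdict, and the combination of traits (remote-access client plus user-writable path, or script host plus Temp) is what should drive escalation.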
Kaspersky also uncovered Mirai botnet payloads on infrastructure tied to Bloody Wolf, hinting at a possible expansion of their malware capabilities to target IoT devices. The scale of this campaign, affecting over 60 targets, underscores the resources and sophistication at play.
Parallel Cyber Threats and Group Activities
This disclosure coincides with other cyber threats targeting Russian organizations, such as those by ExCobalt, which exploits security flaws and stolen credentials for network access. Positive Technologies has identified these actors as highly dangerous threats to Russian entities. Their arsenal includes backdoors like CobInt and ransomware such as Babuk and LockBit, as well as privilege escalation tools like PUMAKIT.
Additional actors, such as Vortex Werewolf and Punishing Owl, have been observed targeting Russia and Belarus, using phishing to deploy tools like Tor and OpenSSH and carrying out data theft and leaks. These activities highlight the ongoing exposure of organizations in the region and the need for stronger cybersecurity measures.
As these campaigns continue, understanding their tactics and expanding defensive strategies will be crucial for organizations in affected regions. The involvement of sophisticated threat actors suggests an ongoing risk that requires constant vigilance and adaptation.
