The threat actor Bloody Wolf, also known as Stan Ghouls, is conducting a widespread spear-phishing campaign across Russia and Uzbekistan to deploy the NetSupport remote access trojan. While primarily motivated by financial gain, the group's extensive use of surveillance tools and expanded arsenal suggests a growing interest in long-term cyber espionage and IoT exploitation.
Bloody Wolf has targeted over 60 organizations across the manufacturing, finance, and IT sectors since at least 2023. The group has recently pivoted from using the STRRAT malware to leveraging NetSupport RAT, a legitimate administration tool repurposed for malicious intent. Recent investigations by Kaspersky indicate that the campaign has successfully compromised dozens of devices, specifically hitting government agencies and medical facilities in Uzbekistan and Russia while maintaining a presence in Kazakhstan and Turkey.
The attack methodology relies on deceptive phishing emails containing malicious PDF attachments. When a victim interacts with the embedded links, a specialized loader initiates a series of checks to ensure the system has not been previously infected. To maintain a low profile, the loader displays fake error messages to the user while simultaneously downloading the RAT and establishing persistent access through registry keys, startup folders, and scheduled tasks.
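The paragraph above names three persistence mechanisms (registry keys, startup folders, scheduled tasks) used together by one loader. A defender can turn that combination into a detection: a single process that establishes persistence through more than one of those mechanisms within a short window is far more suspicious than any one of them alone. The following is an added example, not code from the report or from Kaspersky; it assumes a Sysmon-like event shape (event ID 13 for registry value set, 11 for file create, 1 for process create) and uses constructed sample events with standard Windows paths, not indicators from the campaign.

```python
"""
Detection sketch: flag a process that establishes persistence through two or
more of the mechanisms named in the report (Run/RunOnce registry keys, the
Startup folder, scheduled tasks) within a short time window.

Added example. Event records below are constructed for illustration and
follow a Sysmon-like shape (assumption); the paths are the standard Windows
persistence locations, not IoCs from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard per-user autorun locations (case-insensitive match below).
RUN_KEY_MARKERS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
STARTUP_FOLDER_MARKER = r"\Microsoft\Windows\Start Menu\Programs\Startup"
TASK_CREATORS = ("schtasks.exe",)

# Constructed sample telemetry (not real events). One loader process (pid 4120)
# touches all three mechanisms within seconds; a benign installer (pid 5010)
# writes a single Run key.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T09:14:03", "event_id": 13, "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2024-05-02T09:14:05", "event_id": 11, "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"ts": "2024-05-02T09:14:07", "event_id": 1, "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /Create /SC ONLOGON /TN "Updater" /TR "<constructed path>"'},
    {"ts": "2024-05-02T10:02:11", "event_id": 13, "pid": 5010,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
]


def classify(event):
    """Map one event to a persistence category, or None if it is not one."""
    if event["event_id"] == 13 and any(
            m.lower() in event["target"].lower() for m in RUN_KEY_MARKERS):
        return "run_key"
    if event["event_id"] == 11 and STARTUP_FOLDER_MARKER.lower() in event["target"].lower():
        return "startup_folder"
    if (event["event_id"] == 1
            and event["image"].lower().endswith(TASK_CREATORS)
            and "/create" in event.get("command_line", "").lower()):
        return "scheduled_task"
    return None


def detect_multi_persistence(events, window=timedelta(minutes=5), min_categories=2):
    """Return {actor_pid: [categories]} for processes that used at least
    `min_categories` distinct persistence mechanisms within `window`.

    For a spawned schtasks.exe the responsible actor is its parent, so the
    registry/file writes and the task creation attribute to the same process.
    """
    by_actor = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat is None:
            continue
        actor = ev.get("parent_pid", ev["pid"]) if cat == "scheduled_task" else ev["pid"]
        by_actor[actor].append((datetime.fromisoformat(ev["ts"]), cat))

    findings = {}
    for actor, hits in by_actor.items():
        hits.sort()
        # Slide a window anchored at each hit; report the first window that
        # contains enough distinct categories.
        for i, (t0, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                findings[actor] = sorted(cats)
                break
    return findings


if __name__ == "__main__":
    for pid, cats in detect_multi_persistence(SAMPLE_EVENTS).items():
        print(f"pid {pid}: multiple persistence mechanisms {cats}")
```

The threshold of two mechanisms keeps ordinary installers (which commonly set a single Run key) out of the alert while catching the belt-and-braces pattern the report attributes to the loader; tune `window` and `min_categories` to the environment's baseline before deploying.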
Security researchers have also noted a potential expansion in the group's capabilities, as Mirai botnet payloads were discovered on their infrastructure. This suggests that Bloody Wolf may be moving beyond traditional workstation compromise to target Internet of Things devices. The high volume of successful infections indicates that the threat actor possesses significant resources and a refined infrastructure to support large-scale operations across the region.
The activity of Bloody Wolf is part of a broader trend of increased cyber pressure on Russian and Central Asian entities. Other sophisticated groups like ExCobalt and Punishing Owl are also active, utilizing kernel rootkits and credential-harvesting tools to infiltrate corporate networks. These groups have shifted their tactics toward targeting contractors to gain entry into larger organizations, demonstrating a move toward supply-chain-style exploitation rather than direct attacks on internet-facing vulnerabilities alone.
In a similar vein, the Vortex Werewolf cluster has been observed deploying persistent remote access tools like Tor and OpenSSH within Russian and Belarusian networks. Meanwhile, the newly identified Punishing Owl group uses password-protected archives to deliver the ZipWhisper stealer, focused on harvesting and leaking sensitive data. Together, these campaigns represent a complex and multi-faceted threat landscape involving both financially motivated criminals and politically driven hacktivists.
Source: Bloody Wolf Targets Uzbekistan And Russia With NetSupport RAT Attacks