Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

Published: February 9, 2026 at 05:58 AM EST
3 min read

Source: The Hacker News

Overview

The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia, deploying the remote‑access trojan NetSupport RAT (NetSupport RAT infections on the rise).

Cyber‑security vendor Kaspersky tracks the activity under the moniker Stan Ghouls (Stan Ghouls in Uzbekistan). The group has been active since at least 2023, orchestrating spear‑phishing attacks against manufacturing, finance, and IT sectors in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.

  • Victims – ~50 organizations in Uzbekistan, 10 devices in Russia, plus smaller numbers in Kazakhstan, Turkey, Serbia, and Belarus.
  • Targets – Government bodies, logistics firms, medical facilities, and educational institutions.

“Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain,” Kaspersky noted. “That said, their heavy use of RATs may also hint at cyber espionage.”

The misuse of NetSupport—a legitimate remote‑administration tool—is a departure for the group, which previously leveraged STRRAT (aka Strigoi Master). In November 2025, Group‑IB documented phishing attacks aimed at Kyrgyzstan entities that distributed the tool (Bloody Wolf expands Java‑based attacks).

Attack Chain

  1. Phishing email with a malicious PDF attachment.
  2. The PDF contains a link that, when clicked, downloads a malicious loader.
  3. The loader performs the following actions:
    • Displays a fake error message to make the victim think the application cannot run.
    • Checks whether the number of previous RAT‑installation attempts is high.

“With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign,” the company concluded. “It points to the significant resources these actors are willing to pour into their operations.”

The disclosure coincides with several cyber‑campaigns targeting Russian organizations, including those conducted by ExCobalt (ExCobalt cyber gang targets Russian entities). Positive Technologies described the adversary as one of the “most dangerous groups” attacking Russian entities (ExCobalt review).

These attacks feature a variety of tools and attempts to steal Telegram credentials, message history, and Outlook Web Access credentials by injecting malicious code into the login page (MS Exchange server flaws exploited):

  • CobInt – a known backdoor used by ExCobalt.
  • Lockers – such as Babuk and LockBit.
  • PUMAKIT – a kernel rootkit that escalates privileges, hides files/directories, and evades system tools. Earlier iterations include Facefish (Feb 2021), Kitsune (Feb 2022), and Megatsune (Nov 2023). Kitsune was also linked to the threat cluster Sneaky Wolf (aka Sneaking Leprechaun) by BI.ZONE.
  • Octopus – a Rust‑based toolkit used to elevate privileges on compromised Linux systems.

“The group changed the tactics of initial access, shifting the focus of attention from the exploitation of 1‑day vulnerabilities in corporate services available from the internet (e.g., Microsoft Exchange) to the penetration of the infrastructure of the main target through …”

**Positive Technologies** reported that contractors are being targeted.


Additional Threat Actors

  • Punishing Owl – a previously unknown threat actor targeting state institutions, scientific enterprises, and IT organizations in Russia. The group uses phishing emails with password‑protected ZIP archives that contain a Windows shortcut (.lnk) masquerading as a PDF. Executing the shortcut runs a PowerShell command that downloads the stealer ZipWhisper, harvests sensitive data, and uploads it back to the attacker’s server. (Punishing Owl article)

  • Vortex Werewolf – focuses on Russia and Belarus, aiming to deploy Tor and OpenSSH for persistent remote access. First exposed in November 2025 by Cyble and Seqrite Labs, with Seqrite naming it Operation SkyCloak (Operation SkyCloak article).
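The Punishing Owl lure above (a password-protected ZIP carrying a .lnk shortcut dressed up as a PDF) can be triaged without the password, because a ZIP's central directory stores entry names and flags in clear text even when the entry data is encrypted. The following is an added example, not code from the article or from any vendor mentioned in it; the extension lists, the name heuristics and the sample archive are my own constructions. It builds a small fixture in memory, marks its entries with the ZIP "encrypted" flag bit to mimic a password-protected archive (no real cipher is applied), and then reports entries whose names look like executable content masquerading as documents.

```python
"""Triage ZIP attachments for shortcut (.lnk) files masquerading as documents.

Added example (not from the article or any vendor tool). It relies on the
fact that a ZIP's central directory (file names, general-purpose flags) is
stored unencrypted even when entry data is password-protected, so a mail
gateway or an analyst can flag suspicious names without knowing the password.
"""
import io
import re
import struct
import zipfile

# Extensions a lure commonly claims to be (assumed document set).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Extensions that execute on double-click in Windows Explorer (assumed set).
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1"}

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 (PKWARE APPNOTE)


def classify_name(name: str) -> list:
    """Return the reasons an archive entry name looks suspicious (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext} mimics a document")
    if re.search(r"\s{2,}\.", name):
        reasons.append("padding spaces push the real extension out of view")
    return reasons


def triage_zip(data: bytes) -> list:
    """Inspect central-directory entries; works on password-protected archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():  # reads the central directory only, no decryption
            reasons = classify_name(zi.filename)
            encrypted = bool(zi.flag_bits & ZIP_FLAG_ENCRYPTED)
            if reasons and encrypted:
                reasons.append("entry is password-protected (evades content scanning)")
            if reasons:
                findings.append(
                    {"name": zi.filename, "encrypted": encrypted, "reasons": reasons}
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture: a ZIP with a document-looking .lnk, flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract_2026.pdf.lnk", b"L\x00\x00\x00")  # placeholder bytes
        zf.writestr("readme.txt", b"please review")
    raw = bytearray(buf.getvalue())
    # Set bit 0 of the general-purpose flag in every central-directory header
    # (flag at offset 8) and local file header (flag at offset 6). No cipher is
    # applied; this only reproduces what zipfile sees on a real protected archive.
    for sig, off in ((b"PK\x01\x02", 8), (b"PK\x03\x04", 6)):
        pos = raw.find(sig)
        while pos != -1:
            flag = struct.unpack_from("<H", raw, pos + off)[0] | ZIP_FLAG_ENCRYPTED
            struct.pack_into("<H", raw, pos + off, flag)
            pos = raw.find(sig, pos + 1)
    return bytes(raw)


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding)
```

Because only names and flags are read, the check is safe to run on an untrusted attachment at the gateway; anything it flags can then be quarantined or routed to a sandbox that has the password from the e-mail body.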
