Cybersecurity researchers have linked the threat actor known as Bloody Wolf to an ongoing spear phishing campaign targeting organizations and individuals in Uzbekistan and Russia, resulting in the deployment of a remote access trojan identified as NetSupport RAT. The activity is being tracked by cybersecurity firm Kaspersky under the name Stan Ghouls, with evidence suggesting the group has been active since at least 2023. The campaign primarily focuses on sectors such as manufacturing, finance, and information technology, although infections have also been observed within government entities, logistics companies, healthcare facilities, and educational institutions across multiple regions.
According to Kaspersky’s findings, the campaign has affected approximately 50 victims in Uzbekistan, with at least 10 compromised devices identified in Russia. Additional infections, though fewer in number, have been detected in Kazakhstan, Turkey, Serbia, and Belarus, indicating a geographically diverse footprint. Researchers believe the group’s main motivation is financial gain, given its consistent focus on financial institutions, while noting that the extensive use of remote access tools may also point toward elements of cyber espionage. The scale of the activity stands out, as more than 60 confirmed targets have been hit, a volume that suggests sustained resources and coordination behind the operation.
The infection chain relies on carefully crafted phishing emails that carry malicious PDF attachments. These documents contain embedded links which, when clicked, redirect victims to download a malicious loader. Once executed, the loader displays a fake error message to create the impression that the file cannot run properly, while simultaneously checking whether the system has already undergone multiple infection attempts. If the limit has not been reached, the loader proceeds to download NetSupport RAT from external domains and launch it on the compromised system. Persistence is achieved by configuring autorun scripts through the Startup folder, modifying registry autorun keys, and creating scheduled tasks to ensure the malware continues running after system restarts. The use of NetSupport, a legitimate remote administration tool, represents a shift from Bloody Wolf’s earlier reliance on STRRAT, also known as Strigoi Master, which had previously been documented in phishing activity aimed at Central Asian targets.
Kaspersky researchers have also identified Mirai botnet payloads hosted on infrastructure associated with Bloody Wolf, raising concerns that the group may be expanding its malware toolkit to include attacks on Internet of Things devices. The disclosure comes amid a broader surge in cyber campaigns targeting Russian organizations. Other threat actors, including ExCobalt, have been observed exploiting known vulnerabilities and credentials stolen from contractors to gain access to corporate networks. Security firm Positive Technologies has described some of these adversaries as among the most dangerous groups currently targeting Russian entities, citing their use of diverse toolsets to extract credentials, siphon messaging data from platforms such as Telegram, and harvest Outlook Web Access login details through malicious code injection.
In parallel, state institutions, scientific organizations, and IT companies in Russia have also faced activity from previously unknown groups such as Punishing Owl, which has engaged in data theft and leakage through dark web channels. That campaign relies on phishing emails delivering password-protected ZIP archives containing malicious shortcut files that trigger PowerShell-based payloads designed to steal sensitive information. Another cluster, tracked as Vortex Werewolf, has focused on deploying tools like Tor and OpenSSH to maintain persistent access to compromised systems in Russia and Belarus. Together, these overlapping campaigns illustrate a complex and increasingly aggressive cyber threat environment across the region, where financially motivated operations and politically driven activity continue to converge.