
Bloody Wolf Spear-Phishing Campaign Targets Uzbekistan and Russia Using NetSupport Manager for Malicious Remote Access

  • Rescana
  • 3 hours ago
  • 4 min read

Executive Summary

The threat actor known as Bloody Wolf has recently intensified a spear-phishing campaign targeting organizations in Uzbekistan and Russia, abusing the legitimate remote administration product NetSupport Manager (tracked as NetSupport RAT when deployed by attackers) for unauthorized remote access. The campaign, active since at least 2023, uses a multi-stage attack chain: custom Java-based loaders, three separate persistence mechanisms, and infrastructure that overlaps with IoT malware such as the Mirai botnet. The attackers have primarily targeted the government, finance, manufacturing, logistics, medical, and educational sectors, with collateral infections in neighboring Central Asian countries. Because the final payload is a vendor-signed administration tool rather than custom malware, signature-based controls offer little protection; detection has to rest on where the tool is installed, who deployed it, and where it connects, backed by user awareness of the phishing lures.

Threat Actor Profile

Bloody Wolf, also tracked as "Stan Ghouls" by Kaspersky, is a financially motivated threat group with possible cyber-espionage objectives. The group has a history of targeting Central Asian organizations and has previously utilized malware such as STRRAT before shifting to the abuse of NetSupport Manager. Their campaigns are characterized by the use of localized spear-phishing lures, rapid infrastructure updates, and the deployment of both commodity and custom malware. The group’s infrastructure has also been observed hosting Mirai botnet binaries, suggesting an expansion into IoT targeting and a willingness to diversify attack vectors.

Technical Analysis of Malware/TTPs

The attack chain begins with spear-phishing emails written in the local language, often impersonating government agencies or legal authorities. The emails carry a malicious PDF attachment that, when opened, prompts the user to click a link. The link downloads a Java-based loader (a JAR file) from attacker-controlled domains such as mysoliq-uz[.]com and my-xb[.]com. The loader, built for Java 8, shows the user a fake error message and enforces a limit of three installation attempts per device, which hampers sandbox detonation and repeated analysis.

Upon execution, the loader downloads the NetSupport RAT client (specifically a 2013 build of NetSupport Manager) together with supporting batch scripts. Persistence is established three ways at once: an autorun script is dropped in the Windows Startup folder, a registry autorun value is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and a scheduled task is configured to run the batch script at user logon. The loader also checks for the presence of the RAT binary (client32.exe) to confirm the deployment succeeded.

Once installed, NetSupport RAT gives the operator interactive control of the compromised system, which they can use for lateral movement, data exfiltration, and deployment of additional payloads. The campaign's infrastructure has also been observed hosting a variety of Mirai botnet binaries, indicating a capability for cross-platform attacks against both traditional endpoints and IoT devices.

The campaign does not exploit a vulnerability in NetSupport Manager itself; rather, it abuses the tool’s legitimate functionality for unauthorized remote access. The infection vector relies on social engineering and user execution, not on software flaws.

Exploitation in the Wild

The campaign has resulted in approximately 50 confirmed infections in Uzbekistan and 10 in Russia, with additional victims in Kazakhstan, Turkey, Serbia, and Belarus. The targeted sectors include government agencies, financial institutions, manufacturing firms, logistics companies, medical organizations, and educational institutions. The attackers employ highly localized spear-phishing lures, often referencing legal or governmental matters to increase the likelihood of user interaction.

Because NetSupport Manager is a legitimate remote administration tool, the RAT client is the vendor's own signed binary: signature-based and reputation controls tend to treat it as benign, and its traffic resembles ordinary remote-support sessions. The custom Java-based loader and the redundant persistence mechanisms further complicate detection and remediation, since removing one autorun entry leaves the others in place. The overlap with Mirai botnet infrastructure suggests the attackers are also exploring compromise of IoT devices, potentially broadening the scope and impact of their operations.

Victimology and Targeting

The primary targets of this campaign are organizations in Uzbekistan and Russia, with a focus on sectors that handle sensitive data and critical infrastructure. The attackers have demonstrated a deep understanding of local languages and business practices, crafting spear-phishing emails that are highly convincing to their intended victims. Collateral infections have been observed in Kazakhstan, Turkey, Serbia, and Belarus, likely as a result of the attackers’ broad targeting strategy or the use of shared infrastructure.

The campaign’s victimology indicates a preference for organizations with valuable data or strategic importance, such as government ministries, financial regulators, manufacturing plants, logistics hubs, hospitals, and universities. The attackers’ willingness to update their infrastructure and delivery mechanisms suggests a high level of operational maturity and adaptability.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risks associated with this campaign. Monitoring for unauthorized use of NetSupport Manager and similar remote access tools is critical, as is blocking the known malicious domains (including mysoliq-uz[.]com and my-xb[.]com named above) and file hashes associated with the campaign. User education remains a key defense: employees should be trained to recognize spear-phishing attempts, especially PDF attachments and links purporting to come from government or legal authorities.
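One way to act on the monitoring advice above on a single Windows host, as an added example that is not Rescana's or NetSupport's code: look for a NetSupport client (client32.exe) running or stored outside the paths an administrator would install it to, and pull the gateway settings from the client32.ini beside it. The approved install roots are an assumption to adjust for your estate, and the INI key names searched for (GatewayAddress, GatewayPort, SilentMode, SKMode, Port) are assumed from how the client is commonly configured and may differ between versions.

```powershell
# Added example (not Rescana's or NetSupport's code): triage one Windows host for a
# NetSupport Manager client that nobody deployed on purpose. The client binary is
# client32.exe and its settings live in client32.ini next to it. Run elevated for a
# complete view of processes and files.

# Paths where an administrator would legitimately install the product (assumed; adjust).
$approvedRoots = @(
    'C:\Program Files\NetSupport\',
    'C:\Program Files (x86)\NetSupport\'
)

# User-writable locations a dropped RAT client would typically live in. A client here
# rather than under Program Files is the key signal, since the binary itself is signed.
$searchRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData,
    [Environment]::GetFolderPath('Startup')
) | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique

function Get-NetSupportConfig {
    # Pull connection/visibility settings out of the client32.ini beside a client binary.
    param([string]$ClientExe)
    $ini = Join-Path (Split-Path $ClientExe -Parent) 'client32.ini'
    if (-not (Test-Path $ini)) { return $null }
    # Key names are an assumption: gateway host/port and the silent/hidden-mode flags.
    Select-String -Path $ini -Pattern '^(GatewayAddress|GatewayPort|SilentMode|SKMode|Port)=' |
        ForEach-Object { $_.Line.Trim() }
}

function Get-SignerSubject([string]$Path) {
    # Expected to read "NetSupport Ltd" even for malicious deployments; recorded for the
    # analyst, not used as a verdict.
    if (-not $Path) { return '' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
}

$findings = @()

# 1. Files: every client32.exe under the user-writable roots.
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Filter 'client32.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [PSCustomObject]@{
                Kind   = 'File'
                Path   = $_.FullName
                Signer = Get-SignerSubject $_.FullName
                Config = (Get-NetSupportConfig $_.FullName) -join '; '
                Remote = ''
            }
        }
}

# 2. Processes: a running client32 whose image is outside the approved install roots,
#    with the remote endpoints it currently holds connections to.
Get-Process -Name 'client32' -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    $approved = $approvedRoots | Where-Object { $path -and $path.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($approved) { return }
    $remote = Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    $findings += [PSCustomObject]@{
        Kind   = 'Process'
        Path   = "$path (PID $($_.Id))"
        Signer = Get-SignerSubject $path
        Config = if ($path) { (Get-NetSupportConfig $path) -join '; ' } else { '' }
        Remote = ($remote -join ', ')
    }
}

if ($findings) { $findings | Format-List } else { 'No NetSupport client found outside the approved install paths.' }
```

The signer column is deliberately informational only: a genuine NetSupport signature is exactly what this campaign ships, so the verdict comes from the install path, the gateway address in the configuration, and whether your helpdesk actually deployed it. Feeding the gateway addresses and remote endpoints into your block list and proxy logs is the natural next step.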

Security teams should regularly review scheduled tasks, autorun registry entries, and the Startup folder for suspicious scripts or executables, remembering that this campaign plants all three at once, so a host is not clean until every one of them has been removed. Because the loader is a JAR file, it cannot run on a host without a Java runtime; where Java is not a business requirement, removing it or restricting execution of java.exe and javaw.exe for ordinary users removes the first stage entirely. Network segmentation and the principle of least privilege help limit lateral movement in the event of a compromise. Endpoint detection and response (EDR) solutions with behavioral analytics are recommended to detect and respond to RAT activity. Organizations should also stay informed of emerging indicators of compromise (IOCs) and update their security controls accordingly.
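The persistence sweep recommended above, covering the three locations described in the technical analysis (Startup folder, HKCU Run key, logon scheduled task), as an added example that is not Rescana's code. The registry and folder locations are the ones named in the write-up; the regex of suspicious fragments (batch scripts, JARs, client32, user-writable paths) is an assumption to tune for your environment, and the extra HKLM and RunOnce keys are included only so one sweep covers the obvious variants.

```powershell
# Added example (not Rescana's code): enumerate the persistence locations the campaign
# uses and flag entries that launch a batch script, a Java loader, or anything from a
# user-writable path. Run elevated so HKLM and all-users tasks are readable.

# Fragments worth a second look (assumed list; tune per environment).
$suspect = '\.(bat|cmd|jar)\b|client32|javaw?\.exe|\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    $findings.Add([PSCustomObject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = [bool]($Command -match $suspect)
    })
}

# 1. Startup folders (per-user and all-users). Shortcuts are resolved to their target so a
#    .lnk pointing at a .bat is judged by where it really points.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        }
        Add-Finding 'StartupFolder' $_.Name $target
    }
}

# 2. Run keys. HKCU\...\Run is the one this campaign writes.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    # Get-ItemProperty decorates the object with provider properties; skip those, keep real values.
    $values.PSObject.Properties | Where-Object { $_.Name -notin $providerProps } | ForEach-Object {
        Add-Finding $key $_.Name ([string]$_.Value)
    }
}

# 3. Scheduled tasks that fire at logon, with the command line each action executes.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $atLogon) { return }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler or other non-exec actions
        Add-Finding "ScheduledTask $($task.TaskPath)" $task.TaskName ("$($action.Execute) $($action.Arguments)".Trim())
    }
}

# Suspicious entries first. Everything else still deserves a glance: a legitimate .bat in
# the Startup folder and a loader's autorun script look identical to this filter.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

When an entry is confirmed malicious, remove all three persistence points in the same remediation step and then re-run the sweep; the campaign's redundancy means a surviving scheduled task will quietly reinstall the autorun script at the next logon.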

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and risk assessment capabilities empower security teams to proactively identify and address emerging threats. For more information or to discuss how Rescana can help strengthen your organization’s cyber resilience, we are happy to answer questions at ops@rescana.com.