Article Details
Scrape Timestamp (UTC): 2026-02-09 11:04:13.412
Source: https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html
Original Article Text
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT. Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls.

The threat actor has been active since at least 2023, orchestrating spear-phishing attacks against the manufacturing, finance, and IT sectors in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan. The campaign is estimated to have claimed about 50 victims in Uzbekistan, with 10 devices in Russia also impacted. Other infections have been identified to a lesser degree in Kazakhstan, Turkey, Serbia, and Belarus. Infection attempts have also been recorded on devices within government organizations, logistics companies, medical facilities, and educational institutions.

"Given Stan Ghouls' targeting of financial institutions, we believe their primary motive is financial gain," Kaspersky noted. "That said, their heavy use of RATs may also hint at cyber espionage."

The misuse of NetSupport, a legitimate remote administration tool, is a departure for the threat actor, which previously leveraged STRRAT (aka Strigoi Master) in its attacks. In November 2025, Group-IB documented phishing attacks aimed at entities in Kyrgyzstan to distribute the tool.

The attack chains are fairly straightforward: phishing emails carrying malicious PDF attachments serve as the launchpad for the infection. The PDF documents embed links that, when clicked, lead to the download of a malicious loader that handles multiple tasks - Kaspersky said it also identified Mirai botnet payloads staged on infrastructure associated with Bloody Wolf, raising the possibility that the threat actor may have expanded its malware arsenal to target IoT devices.

"With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign," the company concluded. "It points to the significant resources these actors are willing to pour into their operations."

The disclosure coincides with a number of cyber campaigns targeting Russian organizations, including those conducted by ExCobalt, which has leveraged known security flaws and credentials stolen from contractors to obtain initial access to target networks. Positive Technologies described the adversary as one of the "most dangerous groups" attacking Russian entities.

The attacks are characterized by the use of various tools, along with attempts to siphon Telegram credentials and message history from the compromised hosts and Outlook Web Access credentials by injecting malicious code into the login page - "The group changed the tactics of initial access, shifting the focus of attention from the exploitation of 1-day vulnerabilities in corporate services available from the internet (e.g., Microsoft Exchange) to the penetration of the infrastructure of the main target through contractors," Positive Technologies said.

State institutions, scientific enterprises, and IT organizations in Russia have also been targeted by a previously unknown threat actor known as Punishing Owl that has resorted to stealing and leaking data on the dark web. The group, suspected to be a politically motivated hacktivist entity, has been active since December 2025, with one of its social media accounts administered from Kazakhstan. The attacks utilize phishing emails with a password-protected ZIP archive, which, when opened, contains a Windows shortcut (LNK) masquerading as a PDF document. Opening the LNK file results in the execution of a PowerShell command to download a stealer named ZipWhisper from a remote server to harvest sensitive data and upload it to the same server.

Another threat cluster that has trained its sights on Russia and Belarus is Vortex Werewolf. The end goal of the attacks is to deploy Tor and OpenSSH so as to facilitate persistent remote access. The campaign was previously exposed in November 2025 by Cyble and Seqrite Labs, with the latter calling the campaign Operation SkyCloak.
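Two of the chains described above turn on an attachment that is not what it claims to be: the Bloody Wolf PDF whose embedded link fetches the loader, and the Punishing Owl password-protected ZIP whose "PDF" is really a Windows shortcut. The script below is an added example written for this page, not code from Kaspersky, Positive Technologies, or the article; it triages a mail attachment by extracting the link targets from a PDF and by flagging shortcut entries and document-style double extensions inside a ZIP. The sample PDF and archive are constructed in the script (the URL is a placeholder, and the archive is unencrypted because the standard library cannot write encrypted ZIPs), so the name checks are written to work without a password.

```python
from __future__ import annotations

import io
import re
import zipfile

# First 8 bytes of a Windows Shell Link (.lnk): HeaderSize 0x4C followed by the
# start of the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"

# A document-looking name followed by an executable extension, e.g. "report.pdf.lnk".
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|rtf|txt)\.(lnk|exe|js|vbs|scr|bat|cmd|ps1|hta)$", re.IGNORECASE
)

# Literal-string /URI entries of PDF link actions. Hex-string (<...>) forms and
# URIs inside compressed object streams are not covered by this simple scan.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def pdf_link_targets(data: bytes) -> list[str]:
    """Return the URIs behind /Link annotations found in an uncompressed PDF."""
    return [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(data)]


def zip_findings(data: bytes, password: bytes | None = None) -> list[tuple[str, str]]:
    """Flag archive entries that look like a shortcut disguised as a document.

    Entry names live in the ZIP central directory, which is never encrypted, so
    the name checks work even on a password-protected archive whose password is
    unknown; only the header (magic) check needs the entry to be readable.
    """
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            is_lnk_name = name.lower().endswith(".lnk")
            if is_lnk_name:
                findings.append((name, "shell link (.lnk) inside archive"))
            if DOUBLE_EXT_RE.search(name):
                findings.append((name, "document name with executable double extension"))
            try:
                with zf.open(info, pwd=password) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except RuntimeError:  # encrypted entry and no (or wrong) password
                findings.append((name, "encrypted entry; name-only check applied"))
                continue
            if head == LNK_MAGIC and not is_lnk_name:
                findings.append((name, "shell link header under a non-.lnk name"))
    return findings


def triage_attachment(filename: str, data: bytes, password: bytes | None = None) -> list[tuple[str, str]]:
    """Dispatch on the attachment's magic bytes and return (item, reason) findings."""
    if data.startswith(b"%PDF"):
        return [(uri, "external link in PDF") for uri in pdf_link_targets(data)]
    if data.startswith(b"PK\x03\x04"):
        return zip_findings(data, password)
    if data.startswith(LNK_MAGIC):
        return [(filename, "bare shell link attachment")]
    return []


# Constructed sample inputs; these are not artefacts from the campaigns in the article.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://download.example.invalid/loader) >> >> endobj\n"
    b"%%EOF\n"
)


def build_sample_zip() -> bytes:
    """Archive holding a benign text file and a shortcut named to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("Scan_2026-02.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_PDF), ("docs.zip", build_sample_zip())]:
        for item, reason in triage_attachment(name, blob):
            print(f"{name}: {item}: {reason}")
```

The archive check deliberately reports on names before it touches content: a mail gateway that never learns the password printed in the phishing mail can still quarantine a ZIP whose listing contains `something.pdf.lnk`. The PDF scan is a first-pass triage only; a PDF that stores its link action in a compressed object stream needs a real parser such as pypdf to surface the same URI.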
Daily Brief Summary
Bloody Wolf, tracked by Kaspersky as Stan Ghouls, targets Uzbekistan and Russia using NetSupport RAT in spear-phishing campaigns, impacting sectors like manufacturing, finance, and IT.
Approximately 50 victims in Uzbekistan and 10 in Russia were affected, with additional infections in Kazakhstan, Turkey, Serbia, and Belarus, indicating a broad regional impact.
The campaign employs phishing emails with malicious PDF attachments, leading to the download of a loader that facilitates the infection process.
Kaspersky identified Mirai botnet payloads linked to Bloody Wolf, suggesting an expanded malware arsenal targeting IoT devices.
The group's focus on financial institutions suggests a primary motive of financial gain, though cyber espionage is also a possibility due to the use of RATs.
The campaign's high volume of over 60 targets indicates significant resources and sophistication, reflecting the group's operational capabilities.
The disclosure aligns with other cyber campaigns targeting Russian entities, highlighting the ongoing threat landscape in the region.