Red Flags in the Inbox: How Bloody Wolf’s Phishing Blitz Unleashed a RAT Epidemic Across Central Asia
A sophisticated cybercrime group is waging targeted attacks with weaponized PDFs and the NetSupport RAT, putting finance, manufacturing, and government sectors on high alert.
When a “court notice” lands in your inbox, it’s easy to panic. But for dozens of organizations across Central Asia and Russia, that anxiety became a costly reality. Behind the official-sounding PDFs and urgent legal jargon lurked the Bloody Wolf hackers - a well-resourced group orchestrating a new wave of spear-phishing attacks that have left a trail of compromised networks and nervous IT teams in their wake.
Fast Facts
- Bloody Wolf targeted over 60 victims in Uzbekistan, Russia, Kazakhstan, and beyond.
- Attackers used fake court notice emails with malicious PDFs to deliver Java-based malware loaders.
- The operation deployed NetSupport RAT, granting full remote access to infected machines.
- Persistence achieved via scripts, registry keys, and scheduled tasks for stealthy control.
- Kaspersky linked the campaign to Bloody Wolf through code similarities and decoy documents.
Phishing With Precision
Beneath the surface of this campaign lies a blueprint for modern cyber espionage: localized, believable, and technically cunning. Emails crafted in Uzbek and Russian mimicked legal summons, luring victims with a PDF titled to resemble an official court document. But instead of legal instructions, recipients encountered a prompt to install Java - an opening for the hackers’ custom loader, delivered via carefully controlled web domains.
The loader, disguised with a convincing error message (“This application cannot be run in your OS.”), limited installation attempts to avoid detection. If successful, it quietly downloaded a suite of 20 NetSupport RAT files - tools originally meant for legitimate remote administration, now turned into digital skeleton keys for attackers. The loader ensured its persistence by embedding itself in the Windows Startup folder, the registry, and as a scheduled task, making cleanup a headache for defenders.
The attackers’ infrastructure was robust and nimble: over 35 domains cycled to host malware, with some servers previously linked to botnet activity. While the majority of victims were in Uzbekistan and Russia, the group’s reach extended into Kazakhstan, Turkey, Serbia, and Belarus - either as collateral or expanding targets.
Kaspersky’s analysis highlighted telltale fingerprints: rare Java loader code, identical decoy PDFs, and domain overlaps all pointed to Bloody Wolf, also known as Stan Ghouls. The group’s evolution from using STRRAT to NetSupport RAT signals a willingness to adapt and weaponize legitimate tools for criminal gain.
Defending Against the Pack
For organizations in the crosshairs, vigilance is critical. Security experts urge regular scanning of email attachments, blocking untrusted Java executions, monitoring for NetSupport-related files, and watching for suspicious autorun changes. Endpoint Detection and Response (EDR) solutions, alongside updated threat intelligence, remain key defenses.
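The article's advice to watch for suspicious autorun changes and NetSupport-related files can be turned into a simple triage rule. The following is an added example, not code from the article or from Kaspersky's report: it scans a list of Windows autorun entries (Run keys, the Startup folder, scheduled tasks, the three locations the loader is said to use) and flags entries that launch Java or a script host from a user-writable path, or that reference a NetSupport component. The entries, paths and names are constructed sample data, not indicators from the campaign; the `client32.exe` name is the NetSupport Manager client binary, included as a product fact and assumed to be what a hunt would look for.

```python
"""Triage Windows autorun entries for Java-loader / NetSupport persistence.

Added example (not from the article or Kaspersky). Sample entries below are
constructed; on a live host they would come from the Run keys, the Startup
folder and the scheduled-task list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AutorunEntry:
    location: str   # where the persistence lives: Run key, Startup folder, task
    name: str       # registry value name, shortcut name or task name
    command: str    # image path or full command line that gets executed


# client32.exe is the NetSupport Manager client executable (product fact,
# assumed relevant; the article itself names no specific files).
NETSUPPORT = re.compile(r"netsupport|client32\.exe", re.I)
# Java launchers: the loader in the campaign is Java-based.
JAVA_LAUNCHER = re.compile(r"\b(java|javaw)(\.exe)?\b", re.I)
# Script hosts and script extensions commonly used for startup persistence.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|js|jse|bat|cmd|ps1|hta)\b", re.I)
# Locations a non-admin user (or a phished user) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)


def flag_entry(entry: AutorunEntry) -> list[str]:
    """Return the list of reasons an entry looks suspicious (empty = benign)."""
    reasons: list[str] = []
    cmd = entry.command
    if NETSUPPORT.search(cmd):
        reasons.append("references NetSupport component")
    if JAVA_LAUNCHER.search(cmd) and USER_WRITABLE.search(cmd):
        reasons.append("Java launcher loading code from a user-writable path")
    if (SCRIPT_HOST.search(cmd) or SCRIPT_EXT.search(cmd)) and USER_WRITABLE.search(cmd):
        reasons.append("script executed from a user-writable path")
    return reasons


def triage(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map 'location:name' to reasons for every flagged entry."""
    return {f"{e.location}:{e.name}": r for e in entries if (r := flag_entry(e))}


# Constructed sample export: two benign entries and three persistence patterns
# of the kind the article describes (Startup folder, Run key, scheduled task).
SAMPLE_ENTRIES = [
    AutorunEntry("HKCU Run", "OneDrive",
                 r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutorunEntry("HKLM Run", "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry("Startup folder", "update.lnk",
                 r"C:\Program Files\Java\jre1.8.0_391\bin\javaw.exe -jar C:\Users\alice\AppData\Roaming\update.jar"),
    AutorunEntry("HKCU Run", "Updater",
                 r"wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs"),
    AutorunEntry("Scheduled task", "SystemHealthCheck",
                 r"C:\ProgramData\Health\client32.exe"),
]


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{key}: {'; '.join(reasons)}")
```

On a real endpoint the entries would be collected with tools an administrator already has (the `Run`/`RunOnce` registry values, the per-user and all-users Startup folders, and `schtasks /query /v /fo csv`) and fed into `triage`; the rule is deliberately narrow so that legitimate software installed under `AppData` (the OneDrive entry above) is not flagged unless it is a Java or script launcher.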
As Bloody Wolf’s campaigns grow bolder and more sophisticated, their blend of social engineering and technical finesse serves as a stark reminder: In the digital wilderness, the wolves are getting smarter - so defenders must, too.
WIKICROOK
- NetSupport RAT: NetSupport RAT is a remote access tool often abused by hackers to secretly control computers and steal sensitive information.
- Spear Phishing: Spear phishing is a targeted cyberattack using personalized emails to trick specific individuals or organizations into revealing sensitive information.
- Java Loader: A Java Loader is a small Java program that delivers and launches malware on a victim’s system, often used in multi-stage cyberattacks.
- Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.
- Endpoint Detection and Response (EDR): Endpoint Detection and Response (EDR) is a class of security tools that monitor computers for suspicious activity, but they may miss browser-based attacks that leave no files.