Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign
https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html
Publish Date: 2026-02-09 05:58:00
Source Domain: thehackernews.com
The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT.
Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls. The threat actor is known to be active since at least 2023, orchestrating spear-phishing attacks against manufacturing, finance, and IT sectors in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.
The campaign is estimated to have claimed about 50 victims in Uzbekistan, with 10 devices in Russia also impacted. Other infections have been identified to a lesser degree in Kazakhstan, Turkey, Serbia, and Belarus. Infection attempts have also been recorded on devices within government organizations, logistics companies, medical facilities, and educational institutions.
“Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain,” Kaspersky noted. “That said, their heavy use of RATs may also hint at cyber espionage.”
The misuse of NetSupport, a legitimate remote administration tool, is a departure for the threat actor, which previously leveraged STRRAT (aka Strigoi Master) in its attacks. In November 2025, Group-IB documented phishing attacks aimed at entities in Kyrgyzstan to distribute the tool.
The attack chains are fairly straightforward in that phishing emails loaded with malicious PDF attachments are used as a launchpad to trigger the infection. The PDF documents embed links that, when clicked, lead to the download of a malicious loader that handles multiple tasks –
- Display a fake error message to give the impression to the victim that the application can’t run on their machine.
- Check if the number of previous RAT installation attempts is less than three. If the number has reached or exceeded the limit, the loader throws an error message: “Attempt limit reached. Try another…
