Bloody Wolf Deploys NetSupport RAT in Central Asia Phishing Wave

Kaspersky has shed light on a persistent phishing campaign tied to the threat actor Bloody Wolf (tracked by Kaspersky as Stan Ghouls), which has been quietly infecting systems across Central Asia and parts of Eastern Europe since at least 2023. The group has now shifted to deploying NetSupport RAT, a legitimate remote administration tool that's increasingly abused for malicious remote control.

The campaign has hit roughly 50 victims in Uzbekistan and about 10 in Russia, with smaller numbers in Kazakhstan, Turkey, Serbia, and Belarus. Targets include government agencies, logistics firms, medical facilities, educational institutions, and, most tellingly, financial and IT organizations. Kaspersky suggests the group's primary objective is financial gain, with the emphasis on banking and finance targets, though its use of RATs would also allow espionage-style data collection.

Bloody Wolf's change in strategy is a significant shift in direction. Earlier attacks (documented by Group-IB in November 2025) delivered STRRAT (Strigoi Master) via phishing. Now the group favors straightforward spear-phishing emails carrying malicious PDF attachments.

Once the link in the PDF is clicked, it launches an elaborate multi-stage loader that:
1. First displays a realistic-looking error message ("This application cannot run on your PC") to deflect the victim's suspicion.
2. Then checks how many previous infection attempts have been made on the device (capped at three) so that the loader does not show up too many times; once the cap is hit it responds with "Attempt limit reached. Please try again using a different machine."
3. Downloads and executes NetSupport RAT from one of several attacker-controlled domains.
4. Establishes persistence through multiple redundant methods: Startup folder scripts, Registry Run keys pointing to "run.bat", and scheduled tasks that periodically relaunch the same batch file.

Kaspersky also spotted Mirai botnet payloads staged on Bloody Wolf infrastructure, hinting the group may be branching into IoT exploitation for DDoS or proxy networks.

The campaign's volume, over 60 confirmed infections, is unusually high for what appears to be a targeted operation, suggesting significant resources and automation behind the scenes.

The disclosure arrives amid a broader uptick in activity against Russian targets:
1. ExCobalt (one of Positive Technologies' "most dangerous" groups hitting Russia) has shifted from exploiting internet-facing 1-days (e.g., Exchange) to compromising contractors for initial access. Its tools include the CobInt backdoor, Babuk/LockBit lockers, the PUMAKIT kernel rootkit (evolved from the Facefish/Kitsune/Megatsune lineages), and the Octopus Rust-based Linux privilege-escalation toolkit. The group also injects malicious JavaScript into Outlook Web Access login pages and steals Telegram credentials and message history.

2. Punishing Owl is an allegedly politically motivated hacktivist group, operating since December 2025. It targets the Russian state, scientists, and IT organizations, phishing for passwords with a password-protected ZIP file that contains a link to a PDF (or other kind of) file. The link actually delivers the ZipWhisper stealer, which collects data from the targeted system and transfers it out, after which it is leaked on the dark web. The group's social media account is administered by someone in Kazakhstan.

3. Vortex Werewolf (exposed late 2025 by Cyble and Seqrite as Operation SkyCloak) targets Russia and Belarus to deploy Tor and OpenSSH for persistent, stealthy remote access.

The overlap between these campaigns shows that several different actors are converging on the same regions and tactics: phishing, improper abuse of legitimate tools, and contractor compromise. Those actors range from financially motivated criminal organizations to government-affiliated espionage groups worldwide and hacktivists.

If you are in any of the affected areas, especially Uzbekistan, Russia, or Kazakhstan, the following measures help protect your organization:
1. Treat unsolicited PDFs or links from unknown senders as high risk, and verify the sender's identity through a channel other than email.
2. Use AppLocker or endpoint security policy to block the execution of LNK files launched from archives.
3. Review NetSupport processes for unusual parent/child relationships or network connections.
4. Implement multi-factor authentication (MFA) wherever possible, restrict RDP and SSH exposure, and conduct ongoing reviews of scheduled tasks and startup folders.
5. Watch for indicators of Mirai on Internet of Things (IoT) and edge devices.
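The checks in points 3 and 4 above can be scripted. The following PowerShell hunting script is an added example, not code from Kaspersky, The Hacker News, or the article; it enumerates the three persistence mechanisms the article describes (Registry Run keys, Startup folder scripts, scheduled tasks that relaunch a batch file) and records the parent process and established connections of any running NetSupport client. It assumes the NetSupport client binary is named client32.exe (its usual name, not stated on the page) and that the batch file is "run.bat" as the article reports; adjust the pattern for your environment.

```powershell
# Added hunting script (not from the Kaspersky report or the article).
# Assumptions: NetSupport client binary is client32.exe; batch file is run.bat (from the article).
# Run in an elevated PowerShell session and review hits manually before acting on them.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Category, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

$SuspectPattern = 'run\.bat|client32\.exe'

# 1. Registry Run/RunOnce keys (machine and user) whose command references run.bat or the NetSupport client.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Skip the PS* provider metadata properties; everything else is a Run value.
    foreach ($Name in ($Props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name) {
        $Value = [string]$Props.$Name
        if ($Value -match $SuspectPattern) { Add-Finding 'RunKey' "$Key\$Name = $Value" }
    }
}

# 2. Startup folders (per-user and all-users): any script, batch file or shortcut is worth a look.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($Dir in $StartupDirs) {
    if (-not (Test-Path $Dir)) { continue }
    Get-ChildItem -Path $Dir -File -Force |
        Where-Object { $_.Extension -match '^\.(bat|cmd|vbs|js|ps1|lnk)$' } |
        ForEach-Object { Add-Finding 'StartupFolder' $_.FullName }
}

# 3. Scheduled tasks whose action launches run.bat or the NetSupport client.
Get-ScheduledTask | ForEach-Object {
    $Task = $_
    foreach ($Action in $Task.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)"
        if ($Cmd -match $SuspectPattern) {
            Add-Finding 'ScheduledTask' "$($Task.TaskPath)$($Task.TaskName) -> $Cmd"
        }
    }
}

# 4. Running NetSupport client processes: record parent and remote peers so the
#    parent/child relationship and network connections can be reviewed.
$Procs = Get-CimInstance Win32_Process
foreach ($P in ($Procs | Where-Object { $_.Name -ieq 'client32.exe' })) {
    $Parent = $Procs | Where-Object { $_.ProcessId -eq $P.ParentProcessId } | Select-Object -First 1
    $ParentName = if ($Parent) { $Parent.Name } else { '<exited>' }
    $Remotes = Get-NetTCPConnection -OwningProcess $P.ProcessId -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    Add-Finding 'NetSupportProcess' ("PID $($P.ProcessId) parent=$ParentName path=$($P.ExecutablePath) remote=" + ($Remotes -join ','))
}

if ($Findings.Count -eq 0) { 'No NetSupport/run.bat persistence indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

A legitimately deployed NetSupport client is normally installed as a service from its own program directory and started by services.exe; a client32.exe launched from a user-writable path with a batch file, cmd.exe or explorer.exe as its parent, and with established connections to hosts outside your management infrastructure, is the combination this script is meant to surface.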

Bloody Wolf's transition to NetSupport is further evidence of how attackers continue to exploit "living off the land" binaries to blend into normal administrative workflows, which makes them harder, though not impossible, to detect through behavioral monitoring.

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067