A growing cyber espionage campaign linked to the threat group known as Bloody Wolf has widened its reach in Central Asia as the attackers continue delivering the NetSupport RAT through deceptive Java-based loaders. The campaign, which initially focused on Kyrgyzstan in June 2025, has expanded to include Uzbekistan by October 2025, according to Group-IB researchers Amirbek Kurbanov and Volen Kayo, in coordination with Ukuk, a state enterprise operating under the Prosecutor General's Office of the Kyrgyz Republic.
Finance, Government, and IT Sectors Targeted
Investigators report that the attacks have primarily affected organizations in the finance, government, and information technology sectors, where threat actors impersonated the official Ministry of Justice of Kyrgyzstan. The attackers distributed false PDF documents and used carefully crafted domain names to trick victims into downloading malicious Java Archive (JAR) files that ultimately installed the NetSupport RAT tool.
Group-IB noted that this mix of social engineering and widely accessible software tools makes Bloody Wolf both low-profile and highly effective.
Background of Bloody Wolf
Bloody Wolf is an unidentified hacking group that has been active since late 2023. The group has previously conducted spear-phishing attacks against entities in Kazakhstan and Russia, using tools such as STRRAT and NetSupport. The move toward targeting Kyrgyzstan and Uzbekistan reveals a clear expansion of the group's activity in Central Asia.
Phishing Emails Deliver JAR Loaders
The attackers rely on phishing emails that deceive users into clicking links that download JAR loader files. These emails claim that the user must install Java Runtime to open the attached documents. In reality, this installation executes the malicious loader.
Once activated, the loader retrieves the next-stage payload from attacker-controlled servers, installing the NetSupport RAT and creating persistence within the Windows system by:
- Creating a scheduled task
- Adding a Windows Registry entry
- Dropping a batch script inside the folder “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup”
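Detection logic for the three persistence steps listed above, added here as an example and not taken from the Group-IB report. It assumes simplified Sysmon-style events as dictionaries (IDs 1, 11, 13), that the loader runs under java.exe or javaw.exe, and that the registry entry is an autorun Run/RunOnce value; the hosts, paths and events are constructed.

```python
import re

# Assumption: the JAR loader runs under the Java launcher, so its persistence
# writes appear with java.exe / javaw.exe as the acting process.
JAVA = re.compile(r"\\javaw?\.exe$", re.I)
STARTUP = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.I)
# Assumption: the report only says "a Windows Registry entry"; Run/RunOnce is
# the usual autorun location and is what this rule watches.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCHTASKS = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)

def classify(event):
    """Return the persistence technique a Java process performed, or None."""
    if event["id"] == 1:  # process creation: the actor is the parent process
        if JAVA.search(event["parent_image"]) and SCHTASKS.search(event["command_line"]):
            return "scheduled_task"
        return None
    if not JAVA.search(event["image"]):
        return None
    if event["id"] == 11 and STARTUP.search(event["target"]):  # file created
        return "startup_batch"
    if event["id"] == 13 and RUN_KEY.search(event["target"]):  # registry value set
        return "run_key"
    return None

def hunt(events):
    """Map each host to the set of persistence techniques seen from Java."""
    hits = {}
    for ev in events:
        technique = classify(ev)
        if technique:
            hits.setdefault(ev["host"], set()).add(technique)
    return hits

# Constructed sample events (not from the report).
JAVAW = r"C:\Program Files\Java\jre1.8.0\bin\javaw.exe"
ROAMING = r"C:\Users\a.user\AppData\Roaming"
SAMPLE = [
    {"host": "WS-01", "id": 11, "image": JAVAW,
     "target": ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"host": "WS-01", "id": 13, "image": JAVAW,
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS-01", "id": 1, "parent_image": JAVAW,
     "command_line": r"schtasks /create /tn Updater /sc onlogon /tr C:\Users\Public\run.bat"},
    {"host": "WS-02", "id": 11, "image": JAVAW,
     "target": r"C:\Users\b.user\Documents\report.pdf"},
    {"host": "WS-02", "id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
```

A host showing more than one of these techniques from the same Java process is a stronger signal than any single hit, since legitimate Java applications rarely write autorun entries.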
Uzbekistan Campaign Uses Geofencing
The Uzbekistan phase of the operation features geofencing rules that redirect non-Uzbek visitors to the legitimate site data.egov[.]uz. Users inside Uzbekistan receive a malicious JAR file through a link embedded in a PDF attachment.
Researchers observed that the JAR loaders were created using Java 8, a version released in March 2014. This suggests that the group uses a customized JAR generator or template. The NetSupport RAT included in the infection chain is also an outdated 2013 release of NetSupport Manager.
A Low-Cost Approach With High Regional Impact
Group-IB concluded that Bloody Wolf has shown how easily available, low-cost tools can be converted into powerful targeted cyber operations, especially when combined with convincing impersonation of trusted government organizations. By relying on simple JAR-based loaders and exploiting public trust, the group continues to strengthen its presence across Central Asia.


