Bloody Wolf

Bloody Wolf, also tracked by Kaspersky as Stan Ghouls, is a cybercriminal threat actor active since at least 2023. The group has conducted targeted spear-phishing campaigns against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan, with reporting also describing activity primarily against Uzbekistan and Russia and later expansion in Central Asia. Targeted sectors and entity types directly mentioned in the reporting include manufacturing, finance, IT, government, logistics, medical, education, and justice-related organizations. The group’s campaigns deliver remote access malware, most notably NetSupport RAT through abuse of the legitimate NetSupport Manager tool. Reporting states Bloody Wolf previously used STRRAT (Strigoi Master) and later shifted to NetSupport. Initial access commonly involves localized spear-phishing emails, including Uzbek- and Kyrgyz-language lures, impersonating government, judicial, legal, or Ministry of Justice entities. The emails contain malicious PDF attachments or decoy PDFs with links that lead victims to download a custom Java-based JAR loader. The loader displays fake error messages, checks execution conditions, and in some reporting limits installation attempts to fewer than three before terminating. The Java loader downloads NetSupport components from attacker-controlled external domains, with reporting noting frequent command-and-control domain rotation and new domains registered for campaigns. Persistence mechanisms directly described include batch scripts placed in the Windows Startup folder, Registry Run key entries, and scheduled tasks that execute the NetSupport launch script at logon. Once installed, NetSupport provides the attackers with full remote control of victim machines. Victimology described in the reporting includes roughly 50 victims in Uzbekistan and about 10 in Russia in one campaign, with over 60 total targets or victims reported overall. Additional lower-volume infections were reported in Kazakhstan, Turkey, Serbia, Belarus, and in some reporting activity against Kyrgyzstan since at least June 2025, later expanding to Uzbekistan by October 2025. One report states the Uzbekistan phase used geofencing, redirecting requests from outside Uzbekistan to a legitimate site while serving the malicious JAR to local users. Kaspersky assessed the likely primary motive as financial gain, particularly given targeting of financial institutions, while also noting that the heavy use of RATs could indicate possible espionage. Reporting also notes Mirai botnet payloads staged on infrastructure associated with Bloody Wolf, suggesting possible but unconfirmed expansion toward IoT targeting or shared infrastructure. Known aliases: Stan Ghouls.