Bloody Wolf Deploys NetSupport RAT Campaign
Bloody Wolf spear-phishing has compromised manufacturing, finance, IT, government, logistics, medical, and educational organizations, primarily in Uzbekistan and Russia. The campaign abuses NetSupport, a legitimate remote-administration tool, as a RAT to maintain persistent access, putting system integrity and data confidentiality at risk.
Kaspersky reports around 50 victims in Uzbekistan, 10 in Russia, with smaller numbers in Kazakhstan, Turkey, Serbia, and Belarus since 2023.
Campaign Evolution
The group, active since at least 2023, previously used STRRAT but now favors NetSupport because its processes and traffic blend with normal administrative activity. Group-IB reported similar attacks in Kyrgyzstan in November 2025. Lure emails imitate official documents such as Ministry of Justice notices, written in the local language, and carry PDFs containing malicious links.
Clicking a link launches a Java-based loader that displays a fake error message, enforces a limit on installations, downloads the RAT payload, and establishes persistence through the Startup folder, registry keys, and scheduled tasks, using a run.bat script.
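The persistence chain above (a Java loader dropping run.bat and registering it via the Startup folder, a registry Run value, or a scheduled task) is the part a defender can hunt for in endpoint telemetry. The script below is an added example for this article, not code from Kaspersky or from the campaign; the event shape is a simplified Sysmon-like dict (field names `id`, `image`, `target`, `details`, `cmdline` are an assumption of this example) and every event is constructed here, not captured from a real incident.

```python
import re

# Constructed sample telemetry, not real campaign data. Each dict mimics a
# Sysmon event: 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet.
JAVA = r"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": JAVA,
     "cmdline": r'"javaw.exe" -jar C:\Users\u\Downloads\notice.jar'},
    {"id": 11, "image": JAVA,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"id": 13, "image": JAVA,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\u\AppData\Roaming\run.bat"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\u\AppData\Roaming\run.bat"'},
    # Benign noise: an installer legitimately registering an .exe in a Run key.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

JAVA_RE = re.compile(r"\\javaw?\.exe$", re.I)
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd|jar|lnk)$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_RE = re.compile(r"\.(bat|cmd|jar)\b", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create\b.*?/tr\s+\"?([^\"]+)", re.I)


def hunt(events):
    """Return (rule, event) pairs for events matching the loader/persistence pattern."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        cmd = ev.get("cmdline", "")
        target = ev.get("target", "")
        if ev["id"] == 1 and JAVA_RE.search(image) and "-jar" in cmd and USER_DIR_RE.search(cmd):
            # Java launching a JAR from a user-writable directory (the loader stage).
            findings.append(("java_jar_from_user_dir", ev))
        elif ev["id"] == 11 and JAVA_RE.search(image) and STARTUP_RE.search(target):
            # Java process writing a script/JAR into the Startup folder.
            findings.append(("startup_folder", ev))
        elif ev["id"] == 13 and RUN_KEY_RE.search(target) and SCRIPT_RE.search(ev.get("details", "")):
            # Run/RunOnce value whose data points at a .bat/.cmd/.jar (image-agnostic).
            findings.append(("run_key", ev))
        elif ev["id"] == 1 and (m := SCHTASKS_RE.search(cmd)) and SCRIPT_RE.search(m.group(2)):
            # schtasks /create whose action (/tr) is a script or JAR.
            findings.append(("scheduled_task", ev))
    return findings


def persistence_mechanisms(findings):
    """Distinct persistence mechanisms observed, ignoring the loader execution itself."""
    return sorted({rule for rule, _ in findings if rule != "java_jar_from_user_dir"})


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, ev in found:
        print(f"{rule:24} {ev.get('target') or ev.get('cmdline')}")
    print("mechanisms:", persistence_mechanisms(found))
```

The Run-key rule deliberately ignores the writing process and keys on the value data instead: the benign installer entry pointing at an `.exe` is not flagged, while any Run value whose data is a batch file or JAR is, regardless of who wrote it. On a real estate, feed this the same fields from Sysmon or EDR exports and tune the script-extension list to what your environment legitimately autostarts.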
Victim Breakdown
Kaspersky observations detail infection distribution across regions and sectors.
| Country | Estimated Victims | Primary Sectors Affected |
|---|---|---|
| Uzbekistan | 50 | Finance, Government, IT |
| Russia | 10 | Manufacturing, Logistics |
| Kazakhstan | Minor | Medical, Education |
| Others | Minor | Various |
No CVEs are associated with this social engineering vector.
Infrastructure Insights
The attack infrastructure is geo-fenced: requests arriving from outside Uzbekistan are redirected to legitimate sites such as data.egov.uz, while visitors from Uzbek address space receive the JAR loader. A practical consequence is that a sandbox or analyst detonating the link from a foreign IP sees only the harmless redirect, so confirming the payload requires an egress point in the targeted country. The group uses custom JAR generators that emit small Java 8 files for payload delivery. Kaspersky also found Mirai botnet artifacts on related domains, which suggests possible expansion into IoT targeting and a broader risk to network availability.
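Because the loaders are described as small, generator-produced Java 8 JARs, a first triage step is to open a captured JAR offline, read its manifest entry point, check the class-file major version (52 means Java 8), and pull any embedded download URLs. The script below is an added example written for this article, not Kaspersky's tooling and not a real sample; the JAR it inspects is constructed in memory with a fake class-file header and a placeholder URL (`example.invalid`) so it runs without any campaign artifact.

```python
import io
import re
import zipfile

# Class-file major version -> Java release (standard mapping, partial).
JAVA_MAJOR = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
              51: "7", 52: "8", 53: "9", 55: "11", 61: "17", 65: "21"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def build_sample_jar():
    """Constructed stand-in for a loader JAR (not real malware): a manifest with a
    Main-Class and one fake .class blob carrying a Java 8 header and a URL string."""
    cls = b"\xca\xfe\xba\xbe" + (0).to_bytes(2, "big") + (52).to_bytes(2, "big")
    cls += b"\x00\x10\x01\x00\x22" + b"http://example.invalid/payload.bin" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        z.writestr("Loader.class", cls)
    return buf.getvalue()


def triage_jar(data):
    """Static summary of a JAR: size, entry point, per-class Java target, embedded URLs."""
    report = {"size": len(data), "main_class": None, "classes": {}, "urls": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("main-class:"):
                    report["main_class"] = line.split(":", 1)[1].strip()
        for name in names:
            if not name.endswith(".class"):
                continue
            blob = z.read(name)
            # Bytes 0-3 magic, 4-5 minor version, 6-7 major version.
            if blob[:4] == b"\xca\xfe\xba\xbe" and len(blob) >= 8:
                major = int.from_bytes(blob[6:8], "big")
                report["classes"][name] = JAVA_MAJOR.get(major, str(major))
            report["urls"].update(m.decode("ascii", "replace") for m in URL_RE.findall(blob))
    report["java8_only"] = bool(report["classes"]) and all(
        v == "8" for v in report["classes"].values())
    return report


def is_suspect_loader(report, max_size=64 * 1024):
    """Heuristic matching the article's description: tiny, Java 8 only, has an
    entry point, and carries a hardcoded URL to fetch a second stage."""
    return (report["size"] <= max_size and report["main_class"] is not None
            and report["java8_only"] and bool(report["urls"]))


if __name__ == "__main__":
    r = triage_jar(build_sample_jar())
    print(r)
    print("suspect loader:", is_suspect_loader(r))
```

The Java 8 check is a fingerprint of the generator, not a detection boundary: a class compiled for major version 52 runs on any newer runtime as well, so do not assume victims must be on an outdated JRE. Run `triage_jar` over real captures only on an isolated analysis host, and treat any URL it extracts as an indicator to block, not to browse.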
Broader Threat Landscape
The campaign fits a wider rise in activity against Russian and Central Asian targets. ExCobalt has shifted from exploiting vulnerabilities to abusing contractor credentials, deploying backdoors such as CobInt and rootkits such as PUMAKIT. Punishing Owl leaks state data using LNK-based stealers, and Vortex Werewolf installs Tor to maintain access. Together these patterns raise confidentiality risks across Central Asia.
The NetSupport RAT campaign gives its operators sustained unauthorized control, enabling both disruption of operations and data exfiltration. Kaspersky notes that the victim count points to a well-resourced operation, and because no vulnerability is exploited, the defense lies in phishing awareness and user training rather than patching.