# Full Report
The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT. As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the
# Analysis Summary
# Threat Actor: Bloody Wolf
## Attribution & Identity
* **Identification:** Hacking group of unknown provenance.
* **Known Aliases:** Bloody Wolf.
* **Known Associations:** Previously targeted entities in Kazakhstan and Russia (active since at least late 2023).
## Activity Summary
Bloody Wolf is attributed to a cyber attack campaign that began targeting **Kyrgyzstan** in at least June 2025 and expanded to **Uzbekistan** by October 2025. The primary objective of these campaigns is the delivery of the NetSupport RAT. The group leverages spear-phishing, impersonating trusted government ministries via official-looking PDF documents and domain names to deliver malicious Java Archive (JAR) files.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing via emails containing malicious PDF documents or links.
* **Delivery Mechanism:** Impersonating government entities (e.g., Kyrgyzstan's Ministry of Justice) to trick recipients into downloading and installing the Java Runtime Environment (JRE) needed to run the malicious Java Archive (JAR) loader files.
* **Execution:** The JAR loader is executed, which then fetches the next-stage payload (NetSupport RAT).
* **Persistence Mechanisms:**
  * Creating a scheduled task.
  * Adding a Windows Registry value.
  * Dropping a batch script to the startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`).
* **Geofencing (Uzbekistan Campaign):** Requests originating outside Uzbekistan are redirected to the legitimate data.egov[.]uz website, while local requests trigger the JAR file download.
## Targeting
* **Sectors:** Finance, Government, Information Technology (IT).
* **Geography:** Kyrgyzstan (since June 2025), Uzbekistan (since October 2025). The group previously targeted Kazakhstan and Russia.
* **Victims:** Unspecified entities within the targeted sectors in the specified countries.
## Tools & Infrastructure
* **Malware Families Used:**
  * NetSupport RAT (an older version of NetSupport Manager from October 2013).
  * STRRAT (previously used by the group).
* **Infrastructure:** Attacker-controlled infrastructure hosts the NetSupport RAT payload.
* **Other Components:** Bespoke JAR generator or template used to create weaponized Java Archive (JAR) loaders built with Java 8 (released March 2014).
## Implications
Bloody Wolf demonstrates the effectiveness of using low-cost, commercially available tools (like NetSupport Manager) when coupled with effective, region-specific social engineering tactics. Their ability to maintain a low operational profile while exploiting trust in government institutions suggests they remain a persistent and effective threat in the Central Asian landscape.
## Mitigations
* Raise user awareness of spear-phishing, especially emails impersonating regional government ministries (Ministry of Justice, etc.).
* Scrutinize unsolicited requests for installing Java Runtime or opening attachments/links presented as official government documents.
* Monitor systems for persistence mechanisms such as new scheduled tasks, registry run keys, or new entries in the `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` folder.
* Block or scan Java Archive (JAR) file execution outside of strict operational necessity.
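As an added example that is not part of the Group-IB report or this page, the PowerShell below enumerates the three persistence locations described above (scheduled tasks, Run/RunOnce registry values, and the per-user Startup folder) and flags entries that launch Java, a JAR, or a batch file. The Java/JAR/batch pattern is my assumption about how the loader presents itself on disk, not an indicator taken from the report.

```powershell
# Added triage script (not from the report). Flags persistence entries that
# invoke java/javaw, a .jar, or a .bat/.cmd file. The pattern is an assumption;
# every hit is a lead for manual review, not a confirmed infection.
$Pattern = 'javaw?(\.exe)?\b|\.jar\b|\.(bat|cmd)\b'

function Find-SuspiciousPersistence {
    param([string]$Match = $Pattern)
    $hits = @()

    # 1. Scheduled tasks: inspect each action's executable and arguments.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match $Match) {
                $hits += [pscustomobject]@{ Source = 'ScheduledTask'
                    Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }

    # 2. Run/RunOnce values for the current user and the machine.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
            if ("$($p.Value)" -match $Match) {
                $hits += [pscustomobject]@{ Source = 'RegistryRun'
                    Name = "$key\$($p.Name)"; Command = "$($p.Value)" }
            }
        }
    }

    # 3. Per-user Startup folder (the path named in the report): list scripts
    #    and flag those whose name or contents reference Java or a JAR.
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        $body = ''
        if ($f.Extension -in '.bat', '.cmd') { $body = Get-Content $f.FullName -Raw }
        if ($f.Name -match $Match -or $body -match $Match) {
            $hits += [pscustomobject]@{ Source = 'StartupFolder'
                Name = $f.FullName; Command = ($body -split "`n")[0] }
        }
    }
    return $hits
}

Find-SuspiciousPersistence | Format-Table -AutoSize
```

Legitimate Java updaters and admin batch scripts will also match, so baseline the output on a known-clean host and review the remaining hits by hand.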