Full Report
The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT. Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls. The threat actor is known to be active since at least 2023, orchestrating spear-phishing attacks against manufacturing, finance, and IT
Analysis Summary
# Threat Actor: Bloody Wolf
## Attribution & Identity
The threat actor is known by the moniker **Bloody Wolf**.
**Known Aliases/Associated Groups:** Tracked by Kaspersky under the alias **Stan Ghouls**.
**Activity Since:** At least 2023.
## Activity Summary
Bloody Wolf has been conducting campaigns targeting organizations primarily in Uzbekistan and Russia, noted for orchestrating spear-phishing attacks. The recent campaign involved infecting systems with the NetSupport RAT. The actor has consistently targeted sectors including manufacturing, finance, and IT in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan. Kaspersky noted over 60 targets hit in this activity, which is considered a remarkably high volume for a sophisticated targeted campaign. The actor previously leveraged the STRRAT (Strigoi Master) malware in attacks documented in November 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via emails containing malicious PDF attachments.
- **Execution:** PDF documents embed links that download a malicious loader.
- **Defense Evasion/Execution:** The loader displays a fake error message to mislead the victim.
- **Execution Control:** The loader tracks previous RAT installation attempts and runs only while fewer than three have been made; once that limit is hit it shows the error "Attempt limit reached. Try another computer."
- **Command and Control/Persistence:**
  - Downloads and launches NetSupport RAT.
  - Ensures persistence by configuring an autorun script in the Startup folder.
  - Adds a NetSupport launch script ("run.bat") to the Registry's autorun key.
  - Creates a scheduled task to trigger the execution of the "run.bat" script.
## Targeting
- **Sectors:** Manufacturing, Finance, IT, government organizations, logistics companies, medical facilities, and educational institutions.
- **Geography:** Primary targeting in **Uzbekistan** (estimated 50 victims) and **Russia** (10 devices impacted). Secondary infections noted in Kyrgyzstan, Kazakhstan, Turkey, Serbia, and Belarus.
- **Victims:** Specific organizations were not named beyond sector affiliation.
## Tools & Infrastructure
- **Malware Families Used:**
  - **NetSupport RAT** (primary tool in the recent campaign).
  - **STRRAT (Strigoi Master)** (previously used).
  - **Mirai botnet payloads** (staged on associated infrastructure, suggesting possible IoT expansion).
- **Infrastructure:** Downloads for the NetSupport RAT sourced from **several external domains**. (No specific defanged URLs/IPs were provided in the context).
## Implications
The threat actor's motivation appears primarily to be **financial gain**, demonstrated by targeting financial institutions. However, the heavy reliance on RATs suggests a secondary possibility of **cyber espionage**. The high volume of successful infections (over 60 targets) suggests the actors possess significant resources. The staging of Mirai payloads indicates a potential expansion of capabilities towards IoT device targeting.
## Mitigations
- Implement robust email security filters to block malicious PDF attachments and suspicious external links common in spear-phishing campaigns.
- Monitor and restrict the use and deployment of legitimate remote administration tools like NetSupport RAT unless explicitly authorized and managed.
- Actively monitor and investigate unusual modifications to Registry autorun keys and the creation of scheduled tasks that execute batch scripts like "run.bat."
- Harden IoT device security if infrastructure overlaps with observed Mirai staging areas.
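The persistence triad described under Tactics, Techniques & Procedures (a script dropped in the Startup folder, a Registry Run-key value pointing at "run.bat", and a scheduled task that runs it) is the part of this report that turns most directly into detection logic, and the third mitigation above asks for exactly that monitoring. The following Python, added here as an illustration and not taken from the report or from Kaspersky, runs three rules over Sysmon-style endpoint events and counts how many distinct techniques each host shows. The event field names, host names, user paths, SID and file locations are constructed for the example; the Sysmon event IDs used (1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set) are real, but the report itself names no specific paths or registry values beyond "run.bat".

```python
"""Added example: flag the three persistence mechanisms the report attributes to
the NetSupport RAT loader (Startup-folder script, Registry Run-key entry,
scheduled task running a batch script) in Sysmon-style endpoint telemetry.
The event shape and sample events below are constructed for this example and
are not from the report or from any vendor's product."""
import re
from collections import defaultdict

# Script extensions that a Run-key value, Startup-folder file or task action
# should not normally point at on a managed workstation.
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed sample events (hypothetical host names, paths and SID). Field
# names loosely follow Sysmon: 1 = ProcessCreate, 11 = FileCreate,
# 13 = RegistryEvent (value set).
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 11,
     "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"host": "WS-01", "event_id": 13,
     "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport",
     "details": r"C:\ProgramData\NetSupport\run.bat"},
    {"host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Updater" /tr "C:\ProgramData\NetSupport\run.bat" /sc onlogon'},
    {"host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    # Benign: a vendor installer registering a signed executable, not a script.
    {"host": "WS-02", "event_id": 13,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]


def startup_folder_script(ev):
    """FileCreate of a script file inside a user's or the common Startup folder."""
    target = ev.get("target", "")
    return (ev["event_id"] == 11
            and bool(STARTUP_DIR.search(target))
            and bool(SCRIPT_EXT.search(target)))


def run_key_script(ev):
    """Run/RunOnce value whose data launches a script rather than a binary."""
    return (ev["event_id"] == 13
            and bool(RUN_KEY.search(ev.get("target", "")))
            and bool(SCRIPT_EXT.search(ev.get("details", ""))))


def scheduled_task_script(ev):
    """schtasks.exe creating a task whose action (/tr) is a script."""
    cmd = ev.get("command_line", "")
    return (ev["event_id"] == 1
            and ev.get("image", "").lower().endswith("\\schtasks.exe")
            and "/create" in cmd.lower()
            and bool(SCRIPT_EXT.search(cmd)))


RULES = {
    "startup_folder_script": startup_folder_script,
    "run_key_script": run_key_script,
    "scheduled_task_script": scheduled_task_script,
}


def scan(events):
    """Return (rule_name, event) pairs for every event matching a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def persistence_by_host(events):
    """Distinct persistence techniques seen per host. Two or more of the three
    on one host mirrors the loader behaviour in the report and warrants triage."""
    seen = defaultdict(set)
    for name, ev in scan(events):
        seen[ev["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items()}


if __name__ == "__main__":
    for host, names in persistence_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {len(names)}/3 persistence techniques -> {', '.join(names)}")
```

The rules deliberately key on the script extension rather than on the name "run.bat", since the filename is trivially changed while the need to launch a batch file from an autorun location is structural to what the report describes; WS-02's Run-key entry pointing at an executable is therefore left alone. In an environment where scheduled-task auditing is enabled, the Security log event for task creation (ID 4698) can replace or corroborate the schtasks.exe command-line rule, which misses tasks created through the Task Scheduler API.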