A cyber threat actor known as Bloody Wolf has been identified as the source of a spear-phishing campaign targeting organizations in Uzbekistan and Russia. The campaign aims to infect computer systems with a remote access trojan called NetSupport RAT, according to cybersecurity researchers.
The activity, which cybersecurity firm Kaspersky tracks under the name Stan Ghouls, dates back to at least 2023. The threat actor has focused on sectors including manufacturing, finance, and information technology.
Campaign Details and Infection Method
The attackers initiate their campaign with carefully crafted spear-phishing emails. These emails are designed to appear legitimate and are tailored to specific individuals or organizations. The messages typically contain malicious attachments or links.
When a target opens the attachment or clicks the link, the NetSupport RAT malware is deployed onto their system. This type of malware provides the attacker with full remote control over the compromised computer. It allows them to steal files, capture keystrokes, and use the system as a foothold for further attacks within a network.
Significance of the NetSupport Tool
NetSupport Manager is a legitimate commercial remote administration tool used by IT professionals for technical support. However, threat actors frequently abuse such legitimate software because it is less likely to be flagged by traditional antivirus programs.
By using a known, signed application, attackers can often bypass initial security defenses. Once installed, they configure the tool to operate stealthily, establishing a persistent backdoor into the victim’s environment. This tactic, known as “living off the land,” is common among advanced persistent threat groups.
Regional Focus and Potential Motives
The specific targeting of entities in Uzbekistan and Russia suggests a clear geographical intent. While the exact motives of the Bloody Wolf group are not publicly confirmed, such campaigns often aim at espionage, intellectual property theft, or financial gain.
Targeting the manufacturing and finance sectors aligns with common cybercriminal and state-sponsored objectives. These sectors hold valuable proprietary data, financial transaction information, and sensitive operational technology.
Broader Threat Landscape Context
This campaign is part of a wider trend in which cybercriminals and advanced actors leverage readily available tools for malicious purposes. Spear-phishing remains a highly effective initial attack vector because it relies on social engineering rather than complex technical exploits.
Organizations worldwide are advised to treat such reports as a reminder to bolster their human and technical defenses. Employee training on identifying phishing attempts is considered a critical first layer of security.
Recommended Defensive Measures
Security analysts recommend several steps to mitigate risks from such threats. These include implementing robust email filtering solutions, applying the principle of least privilege to user accounts, and maintaining strict patch management policies.
Network monitoring for unusual remote desktop or remote administration tool traffic is also advised. Organizations should consider application allow-listing to prevent the execution of unauthorized software, including legitimate tools used maliciously.
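The two measures above (monitoring for unexpected remote administration tool activity and allow-listing) can be combined into one host-level check: a remote-admin binary is only acceptable when it runs from its approved install location under its expected parent process, and a copy dropped into a user-writable folder or renamed is flagged. The script below is an added illustration, not code from the article or from any vendor; the event schema (modelled loosely on Sysmon process-creation events), the client binary name, the install path, the parent process and all sample events are assumptions constructed for the example.

```python
import fnmatch
import ntpath

# Allow-list policy for remote-administration software (constructed example policy;
# the tool name, install path and parent process are assumptions, not values from
# the article). Keyed by the PE OriginalFileName so a renamed copy is still matched.
APPROVED_REMOTE_TOOLS = {
    "client32.exe": {  # assumed client binary name for NetSupport Manager
        "paths": [r"c:\program files (x86)\netsupport\netsupport manager\*"],
        "parents": {"services.exe"},  # assumed: installed and started as a service
    },
}

# Locations a phishing attachment can write to without admin rights (constructed list).
USER_WRITABLE = [
    r"c:\users\*\downloads\*",
    r"c:\users\*\desktop\*",
    r"c:\users\*\appdata\*",
    r"c:\windows\temp\*",
]


def _norm(path):
    """Lower-case and use backslashes so glob patterns match consistently."""
    return path.replace("/", "\\").lower()


def evaluate(event):
    """Return the list of reasons a process-creation event violates the allow-list.

    Expected keys (assumed schema): image, parent_image, original_file_name.
    An empty list means the event is either compliant or not a tool the policy covers.
    """
    image = _norm(event["image"])
    parent = ntpath.basename(_norm(event.get("parent_image", "")))
    # Prefer the PE OriginalFileName; fall back to the on-disk file name.
    key = (event.get("original_file_name") or ntpath.basename(image)).lower()
    policy = APPROVED_REMOTE_TOOLS.get(key)
    if policy is None:
        return []
    reasons = []
    if not any(fnmatch.fnmatch(image, pat) for pat in policy["paths"]):
        reasons.append("outside approved install path")
    if ntpath.basename(image) != key:
        reasons.append(f"renamed binary ({ntpath.basename(image)} vs {key})")
    if parent not in policy["parents"]:
        reasons.append(f"unexpected parent process: {parent or 'unknown'}")
    if any(fnmatch.fnmatch(image, pat) for pat in USER_WRITABLE):
        reasons.append("launched from a user-writable directory")
    return reasons


def scan(events):
    """Return (host, image, reasons) for every event that violates the policy."""
    findings = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            findings.append((ev["host"], ev["image"], reasons))
    return findings


# Constructed sample events; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "original_file_name": "client32.exe"},
    {"host": "ws-02", "image": r"C:\Users\jdoe\AppData\Roaming\Update\client32.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "client32.exe"},
    {"host": "ws-03", "image": r"C:\Users\asmith\Downloads\invoice_viewer.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "client32.exe"},
    {"host": "ws-04", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for host, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {image}\n    " + "\n    ".join(reasons))
```

Matching on the PE OriginalFileName rather than the on-disk name is the design point: a sanctioned installation in the approved directory produces no finding, while the same binary written into a profile directory, started by a user-facing process, or renamed to look like a document viewer produces one reason per violated condition, which gives an analyst the context needed to triage the alert.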
Ongoing Investigations and Future Outlook
Kaspersky and other security vendors continue to monitor the activities of the Bloody Wolf group. The campaign’s infrastructure and tactics are being analyzed to develop more specific detection rules and indicators of compromise.
It is expected that the threat actor will continue to refine its spear-phishing lures and may shift targets or tools based on perceived success and defensive actions. Law enforcement and international cybersecurity agencies often collaborate on tracking such cross-border threats, though public disclosures of these investigations typically follow a longer timeline. Organizations in the targeted regions and sectors are likely to receive more detailed threat intelligence briefings in the coming weeks.
Source: Adapted from cybersecurity reporting.