The threat actor known as Bloody Wolf has been identified as the perpetrator behind a cyber campaign that infiltrates systems in Uzbekistan and Russia with NetSupport RAT, a remote access trojan.
Security researchers at Kaspersky, who track the group under the name Stan Ghouls, have been closely monitoring this activity. The threat actor, operating since at least 2023, has been carrying out targeted spear-phishing attacks primarily against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.
The impact of this campaign has been significant, with approximately 50 victims in Uzbekistan and 10 devices in Russia falling prey to the attacks. Additional infections have been detected, albeit to a lesser extent, in countries such as Kazakhstan, Turkey, Serbia, and Belarus. The targets of these attacks range from government institutions to logistics firms, healthcare facilities, and educational establishments.
According to Kaspersky, the primary motivation behind Stan Ghouls’ actions appears to be financial gain, given their focus on financial institutions. However, the heavy use of remote access trojans suggests potential involvement in cyber espionage activities as well.
Interestingly, the use of NetSupport RAT marks a departure from the threat actor’s previous tactics, which involved leveraging STRRAT (also known as Strigoi Master) in their operations. In a separate incident in November 2025, Group-IB documented phishing attacks in Kyrgyzstan aimed at distributing this malicious tool.
The modus operandi of the attackers is relatively straightforward, with phishing emails containing malicious PDF attachments serving as the initial point of entry for the malware. These PDF documents contain embedded links that, once clicked, initiate the download of a malicious loader responsible for various tasks:
- Displaying a fake error message to deceive the victim into believing the application cannot run on their system.
- Checking the number of previous RAT installation attempts and limiting further installations to prevent detection.
- Downloading the NetSupport RAT from external domains and executing it on the compromised system.
- Ensuring the persistence of NetSupport RAT by configuring autorun scripts, adding launch scripts to the Registry, and creating scheduled tasks for continuous execution.
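The last of these tasks, persistence through autorun (Startup-folder) scripts, Registry launch entries and scheduled tasks, is the part of the chain a defender can hunt for in endpoint telemetry regardless of which domains the loader contacts. The following is an added illustration, not Kaspersky's tooling or anything from the report: a rule set that flags those three mechanisms in constructed event records loosely modelled on Sysmon event IDs 1 (process creation), 11 (file creation) and 13 (registry value set). The host names, user paths, value names and command lines in the sample data are invented for the example and are not indicators from the page.

```python
"""Flag the three persistence mechanisms the loader is described as using:
Startup-folder autorun, Registry Run-key entry, scheduled task.

Added illustration, not Kaspersky's tooling. Event records are constructed
and loosely follow Sysmon field names (EventID 1, 11, 13)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Per-user or common Startup folder (autorun scripts placed here run at logon).
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# HKCU/HKLM/HKU ...\CurrentVersion\Run or RunOnce value written.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# schtasks.exe invoked with /create, the usual way a loader registers a task.
SCHTASKS = re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


@dataclass
class Finding:
    mechanism: str  # registry_run_key | startup_folder | scheduled_task
    host: str
    detail: str


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if one event matches a persistence rule, else None."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        return Finding("registry_run_key", host,
                       f"{ev['TargetObject']} = {ev.get('Details', '')}")
    if eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        return Finding("startup_folder", host, ev["TargetFilename"])
    if eid == 1 and SCHTASKS.search(ev.get("CommandLine", "")):
        return Finding("scheduled_task", host, ev["CommandLine"])
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run every event through the rules and collect the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry (hypothetical host, user and file names).
SAMPLE_EVENTS = [
    # Benign: Explorer shell-folder setting, not a Run key.
    {"EventID": 13, "Computer": "WS-EXAMPLE-01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup",
     "Details": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"},
    # Suspicious: launch script registered under the user's Run key.
    {"EventID": 13, "Computer": "WS-EXAMPLE-01",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate",
     "Details": r"wscript.exe C:\Users\user\AppData\Roaming\upd.vbs"},
    # Suspicious: shortcut dropped into the per-user Startup folder.
    {"EventID": 11, "Computer": "WS-EXAMPLE-01",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Benign: ordinary process start.
    {"EventID": 1, "Computer": "WS-EXAMPLE-01", "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
    # Suspicious: scheduled task created to re-run the script periodically.
    {"EventID": 1, "Computer": "WS-EXAMPLE-01",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "SysUpdate" /tr "wscript.exe C:\Users\user\AppData\Roaming\upd.vbs"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.mechanism}] {f.host}: {f.detail}")
```

Three of the five constructed events are flagged, one per mechanism, while the Explorer shell-folder write and the notepad launch pass through. In a real deployment the same three rules would be correlated on a single host within a short window; the loader described above sets up all three, so a host that trips more than one rule in a few minutes deserves priority over isolated hits.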
Kaspersky’s investigation also uncovered Mirai botnet payloads associated with Bloody Wolf, indicating a potential expansion of their malware arsenal to target Internet of Things (IoT) devices.
Given the number of targets affected by these attacks, Kaspersky concluded that substantial resources have been dedicated to Stan Ghouls’ operations. This revelation comes amidst a series of cyber campaigns targeting Russian organizations, including those orchestrated by ExCobalt, known for exploiting security vulnerabilities and stolen credentials to infiltrate networks.
Positive Technologies has identified the adversary as one of the “most dangerous groups” targeting Russian entities, employing a range of tools and techniques to achieve their objectives. These tactics include stealing Telegram credentials, compromising Outlook Web Access, and deploying various malware strains such as CobInt, Lockers like Babuk and LockBit, PUMAKIT rootkit, and the Rust-based Octopus toolkit.
Furthermore, state institutions, scientific enterprises, and IT organizations in Russia have been under siege from a newly emerged threat actor named Punishing Owl. This politically motivated hacktivist group, active since December 2025, has been implicated in data theft incidents, with data leaks occurring on the dark web. The attacks by Punishing Owl involve phishing emails with password-protected ZIP archives containing malicious payloads designed to steal sensitive data.
Another threat cluster known as Vortex Werewolf has also targeted Russia and Belarus, with a focus on establishing persistent remote access through Tor and OpenSSH. This campaign, first exposed in November 2025, is tracked as Operation SkyCloak by cybersecurity researchers.