The menace actor referred to as Bloody Wolf has been attributed to a cyber assault marketing campaign that has focused Kyrgyzstan since a minimum of June 2025 with the objective of delivering NetSupport RAT.
As of October 2025, the exercise has expanded to additionally single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo stated in a report revealed in collaboration with Ukuk, a state enterprise beneath the Prosecutor Normal’s workplace of the Kyrgyz Republic. The assaults have focused finance, authorities, and data expertise (IT) sectors.
“These menace actors would impersonate the [Kyrgyzstan’s] Ministry of Justice via official wanting PDF paperwork and domains, which in flip hosted malicious Java Archive (JAR) recordsdata designed to deploy the NetSupport RAT,” the Singapore-headquartered firm stated.
“This mix of social engineering and accessible tooling permits Bloody Wolf to stay efficient whereas conserving a low operational profile.”
Bloody Wolf is the title assigned to a hacking group of unknown provenance that has used spear-phishing assaults to focus on entities in Kazakhstan and Russia utilizing instruments like STRRAT and NetSupport. The group is assessed to be lively since a minimum of late 2023.
The focusing on of Kyrgyzstan and Uzbekistan utilizing related preliminary entry methods marks an growth of the menace actor’s operations in Central Asia, primarily impersonating trusted authorities ministries in phishing emails to distribute weaponized hyperlinks or attachments.
The assault chains kind of observe the identical strategy in that the message recipients are tricked into clicking on hyperlinks that obtain malicious Java archive (JAR) loader recordsdata together with directions to put in Java Runtime.
Whereas the e-mail claims the set up is critical to view the paperwork, the truth is that it is used to execute the loader. As soon as launched, the loader then proceeds to fetch the next-stage payload (i.e., NetSupport RAT) from infrastructure that is beneath the attacker’s management and arrange persistence in 3 ways –
- Making a scheduled job
- Including a Home windows Registry worth
- Dropping a batch script to the folder “%APPDATApercentMicrosoftWindowsStart MenuProgramsStartup”
The Uzbekistan part of the marketing campaign is notable for incorporating geofencing restrictions, thereby inflicting requests originating exterior of the nation to be redirected to the legit knowledge.egov[.]uz web site. Requests from inside Uzbekistan have been discovered to set off the obtain of the JAR file from an embedded hyperlink inside the PDF attachment.
Group-IB stated the JAR loaders noticed within the campaigns are constructed with Java 8, which was launched in March 2014. It is believed that the attackers are utilizing a bespoke JAR generator or template to spawn these artifacts. The NetSupport RAT payload is a previous model of NetSupport Supervisor from October 2013.
“Bloody Wolf has demonstrated how low-cost, commercially accessible instruments could be weaponized into subtle, regionally focused cyber operations,” it stated. “By exploiting belief in authorities establishments and leveraging easy JAR-based loaders, the group continues to take care of a robust foothold throughout the Central Asian menace panorama.”
