A sustained cyber campaign has been traced to the threat actor known as Bloody Wolf, which has been targeting organisations in Uzbekistan and Russia using the NetSupport remote access trojan. The activity has been tracked by a cybersecurity firm under the name Stan Ghouls and has been active since at least 2023, focusing mainly on the manufacturing finance and IT sectors across multiple countries.
Investigators estimate around 50 victims in Uzbekistan and 10 affected devices in Russia. Smaller numbers of infections have also been observed in Kazakhstan, Turkey, Serbia and Belarus. Targets include government bodies logistics firms medical facilities and educational institutions. According to researchers the group appears financially motivated due to its focus on financial institutions though the extensive use of remote access tools also suggests possible cyber espionage. “Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain,” the company said, adding that espionage cannot be ruled out.
The campaign relies on spear phishing emails carrying malicious PDF attachments. These files contain links that lead victims to download a loader which displays fake error messages checks previous infection attempts and then downloads and launches NetSupport RAT. The malware ensures persistence by adding startup scripts registry entries and scheduled tasks. The use of NetSupport marks a shift from the group earlier reliance on STRRAT. Researchers also found Mirai botnet payloads hosted on related infrastructure suggesting an expanded malware toolkit. “With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign,” the firm noted.
The disclosure comes amid a rise in cyber activity against Russian entities. Other groups have been observed stealing credentials deploying ransomware and using kernel level rootkits and Linux based toolkits. Separate campaigns have also targeted Russia and Belarus using phishing emails and data stealing malware. Security experts say the shift toward attacking contractors and trusted partners highlights a changing approach to initial access. These overlapping campaigns underline the growing intensity and complexity of cyber threats in the region.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
