Friday, November 28, 2025


Bloody Wolf expands spear phishing attacks across Central Asia

Security analysts have observed a growing wave of spear phishing attacks linked to a hacking group known as Bloody Wolf, which has been active since late 2023. The group has mainly targeted organizations in Kazakhstan and Russia using tools such as STRRAT and NetSupport, and investigators say its activities are expanding further into Central Asia.

Recent activity shows that entities in Kyrgyzstan and Uzbekistan are now being targeted through similar initial access methods. The attackers impersonate trusted government ministries in phishing emails that carry malicious links or attachments. The messages try to convince recipients to open weaponized files that download a malicious Java archive (JAR) loader and prompt the user to install the Java Runtime Environment on the false pretext that it is needed to view the document.

Once the loader runs, it retrieves the next-stage payload, the NetSupport RAT, from attacker-controlled infrastructure. It also establishes long-term access on the device in three ways: it creates a scheduled task, adds an entry to the Windows Registry, and drops a batch script into the user's Startup folder, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Any one of these relaunches the malware after the system restarts or the user logs on, so the group keeps its foothold on the targeted network even if one of the mechanisms is removed.
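The three persistence mechanisms above are the most practical hunting points. The following is an added example, not code from the article or from the researchers it cites, of how an analyst might triage autostart entries collected from endpoints (for instance an Autoruns export turned into records) for that pattern: a Java launcher running a JAR from a user-writable path, and a batch script in the Startup folder, with several mechanisms on one host escalated. The host names, paths, task names and registry values are constructed sample data, and the indicator regexes are assumptions chosen to fit the description above, not published indicators.

```python
"""Triage Windows autostart entries for the layered persistence described
above (scheduled task + Registry entry + batch script in the Startup folder
relaunching a Java loader). Added example; all sample data is constructed."""
import re
from dataclasses import dataclass, field

# Paths an unprivileged user can write to; the dropped loader normally lives
# under one of these (assumption used for scoring, not a published indicator).
USER_WRITABLE = re.compile(
    r"%(?:appdata|localappdata|temp|tmp)%|\\appdata\\|\\temp\\|\\downloads\\|\\users\\public\\",
    re.IGNORECASE,
)
# The per-user Startup folder named in the article.
STARTUP_FOLDER = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)
# A Java launcher invoked with -jar, or a JAR referenced directly.
JAVA_JAR = re.compile(r"javaw?\.exe[^\r\n]*-jar|\.jar\b", re.IGNORECASE)


@dataclass
class AutostartEntry:
    host: str
    kind: str       # "run_key", "scheduled_task" or "startup_folder"
    location: str   # registry value path, task path or file path
    command: str    # what is executed (for a .bat: its contents)


@dataclass
class Finding:
    host: str
    kind: str
    location: str
    reasons: list = field(default_factory=list)


def score_entry(e):
    """Return why an entry matches the loader's persistence pattern, or []."""
    startup_bat = (e.kind == "startup_folder"
                   and STARTUP_FOLDER.search(e.location) is not None
                   and e.location.lower().endswith((".bat", ".cmd")))
    java_jar = JAVA_JAR.search(e.command) is not None
    user_path = bool(USER_WRITABLE.search(e.command) or USER_WRITABLE.search(e.location))
    reasons = []
    if startup_bat:
        reasons.append("batch script in Startup folder")
    if java_jar:
        reasons.append("launches a JAR via Java")
    if user_path:
        reasons.append("payload in user-writable path")
    # A batch file in Startup is suspicious whatever it runs; a JAR launched
    # from a user-writable path is suspicious on its own. A JAR launched from
    # Program Files alone is normal for installed Java software, so not flagged.
    return reasons if startup_bat or (java_jar and user_path) else []


def triage(entries):
    """Group flagged entries per host. Several distinct mechanisms on one host
    is the redundant persistence the article describes, so it is escalated."""
    per_host = {}
    for e in entries:
        reasons = score_entry(e)
        if reasons:
            per_host.setdefault(e.host, []).append(Finding(e.host, e.kind, e.location, reasons))
    report = {}
    for host, findings in per_host.items():
        mechanisms = sorted({f.kind for f in findings})
        report[host] = {
            "severity": "high" if len(mechanisms) >= 2 else "medium",
            "mechanisms": mechanisms,
            "findings": findings,
        }
    return report


# Constructed sample: WS-01 is clean, WS-02 mimics the loader's three
# mechanisms, WS-03 runs a legitimate Java application from Program Files.
SAMPLE_ENTRIES = [
    AutostartEntry("WS-01", "run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                   r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutostartEntry("WS-01", "scheduled_task", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                   r"%windir%\system32\defrag.exe -c -h -o -$"),
    AutostartEntry("WS-02", "run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
                   r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar "%APPDATA%\update.jar"'),
    AutostartEntry("WS-02", "scheduled_task", r"\JavaUpdateTask",
                   r'javaw.exe -jar "C:\Users\alice\AppData\Roaming\update.jar"'),
    AutostartEntry("WS-02", "startup_folder",
                   r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
                   r'start "" "C:\Program Files\Java\jre8\bin\javaw.exe" -jar "%APPDATA%\update.jar"'),
    AutostartEntry("WS-03", "run_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
                   r'"C:\Program Files\Vendor\jre\bin\javaw.exe" -jar "C:\Program Files\Vendor\app.jar"'),
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE_ENTRIES).items():
        print(f"{host}: {r['severity']} ({', '.join(r['mechanisms'])})")
        for f in r["findings"]:
            print(f"  {f.kind}: {f.location} -> {'; '.join(f.reasons)}")
```

Run as-is it reports only WS-02, at high severity, with all three mechanisms; WS-03 is deliberately left alone because a JAR launched from Program Files is how ordinary Java software installs itself, which is the false positive a naive "javaw.exe -jar" rule would generate. When feeding real exports, keep the .bat contents in the command field so the Startup-folder entry can be correlated with the same JAR path the Run key and task reference.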

The phase of the campaign focused on Uzbekistan adds geofencing: visitors who appear to be outside the country are redirected to a legitimate website, while those inside Uzbekistan receive a malicious JAR file through a link embedded in a PDF. Analysts noted that the JAR loaders used in these attacks are built with Java 8, released in 2014, and are probably generated by a custom tool. The NetSupport RAT the attackers deploy is an old version dating from 2013. According to a security research team, “Bloody Wolf has demonstrated how low cost, commercially available tools can be weaponized into sophisticated, regionally targeted cyber operations,” highlighting the group's reliance on trust in government institutions and on simple JAR-based loaders to spread across Central Asia.
