Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT.

Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls. The threat actor has been active since at least 2023, orchestrating spear-phishing attacks against manufacturing, finance, and IT sectors in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.

The campaign is estimated to have claimed about 50 victims in Uzbekistan, with 10 devices in Russia also impacted. Other infections have been identified to a lesser degree in Kazakhstan, Turkey, Serbia, and Belarus. Infection attempts have also been recorded on devices within government organizations, logistics companies, medical facilities, and educational institutions.

“Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain,” Kaspersky noted. “That said, their heavy use of RATs may also hint at cyber espionage.”

The misuse of NetSupport, a legitimate remote administration tool, is a departure for the threat actor, which previously leveraged STRRAT (aka Strigoi Master) in its attacks. In November 2025, Group-IB documented phishing attacks aimed at entities in Kyrgyzstan to distribute the tool.

The attack chains are fairly straightforward in that phishing emails loaded with malicious PDF attachments are used as a launchpad to trigger the infection. The PDF documents embed links that, when clicked, lead to the download of a malicious loader that handles multiple tasks:

  • Display a fake error message to give the impression to the victim that the application can’t run on their machine.
  • Check if the number of previous RAT installation attempts is less than three. If the number has reached or exceeded the limit, the loader throws an error message: “Attempt limit reached. Try another computer.”
  • Download the NetSupport RAT from one of the several external domains and launch it.
  • Ensure NetSupport RAT’s persistence by configuring an autorun script in the Startup folder, adding a NetSupport launch script (“run.bat”) to the Registry’s autorun key, and creating a scheduled task to trigger the execution of the same batch script.
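The loader's persistence leaves the same batch script in three autorun locations at once. The following is an added defender-side example (not code from Kaspersky or the article) that correlates constructed inventory records for the Startup folder, the Run key and scheduled tasks and flags any script referenced from more than one of them; the user name, paths and task names are placeholders, only the "run.bat" name comes from the report.

```python
"""Correlate Startup-folder, Run-key and scheduled-task autoruns by script name."""
import re
from collections import defaultdict

# Constructed sample records in the shape an autoruns inventory might export.
# "run.bat" is the name reported; the user, paths and task names are placeholders.
STARTUP_FOLDER = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
]
RUN_KEY = {  # HKCU\Software\Microsoft\Windows\CurrentVersion\Run: value name -> data
    "NetSupport": r"C:\Users\alice\AppData\Local\Temp\client\run.bat",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SCHEDULED_TASKS = {  # task path -> action command line
    "\\ClientUpdate": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\client\run.bat"',
    "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan": r"%SystemRoot%\system32\usoclient.exe StartScan",
}

# Capture only the basename of script files, so paths with spaces and quoting do not matter.
SCRIPT_RE = re.compile(r'''([^\s"'\\]+\.(?:bat|cmd|vbs|ps1))\b''', re.IGNORECASE)


def script_names(commands):
    """Map lower-cased script basename -> set of raw entries that reference it."""
    found = defaultdict(set)
    for cmd in commands:
        for name in SCRIPT_RE.findall(cmd):
            found[name.lower()].add(cmd)
    return found


def correlate(startup, run_key, tasks):
    """Return {script: [locations]} for scripts seen in two or more autorun locations."""
    sources = {
        "startup_folder": script_names(startup),
        "run_key": script_names(run_key.values()),
        "scheduled_task": script_names(tasks.values()),
    }
    hits = defaultdict(list)
    for location, names in sources.items():
        for name in names:
            hits[name].append(location)
    return {name: locs for name, locs in hits.items() if len(locs) >= 2}


def triple_persistence(startup, run_key, tasks):
    """Scripts present in all three locations, the pattern the loader leaves behind."""
    return sorted(n for n, locs in correlate(startup, run_key, tasks).items() if len(locs) == 3)


if __name__ == "__main__":
    print(correlate(STARTUP_FOLDER, RUN_KEY, SCHEDULED_TASKS))
```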

Kaspersky said it also identified Mirai botnet payloads staged on infrastructure associated with Bloody Wolf, raising the possibility that the threat actor may have expanded its malware arsenal to target IoT devices.

“With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign,” the company concluded. “It points to the significant resources these actors are willing to pour into their operations.”

The disclosure coincides with a number of cyber campaigns targeting Russian organizations, including those conducted by ExCobalt, which has leveraged known security flaws and credentials stolen from contractors to obtain initial access to target networks. Positive Technologies described the adversary as one of the “most dangerous groups” attacking Russian entities.

The attacks are characterized by the use of various tools, along with attempts to siphon Telegram credentials and message history from the compromised hosts and to capture Outlook Web Access credentials by injecting malicious code into the login page. The tools include:

  • CobInt, a known backdoor used by the group.
  • Lockers such as Babuk and LockBit.
  • PUMAKIT, a kernel rootkit to escalate privileges, hide files and directories, and conceal itself from system tools, along with prior iterations known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023). The use of Kitsune was also linked to a threat cluster known as Sneaky Wolf (aka Sneaking Leprechaun) by BI.ZONE.
  • Octopus, a Rust-based toolkit that’s used to elevate privileges in a compromised Linux system.

“The group changed the tactics of initial access, shifting the focus of attention from the exploitation of 1-day vulnerabilities in corporate services available from the internet (e.g., Microsoft Exchange) to the penetration of the infrastructure of the main target through contractors,” Positive Technologies said.

State institutions, scientific enterprises, and IT organizations in Russia have also been targeted by a previously unknown threat actor known as Punishing Owl that has resorted to stealing and leaking data on the dark web. The group, suspected to be a politically motivated hacktivist entity, has been active since December 2025, with one of its social media accounts administered from Kazakhstan.

The attacks utilize phishing emails with a password-protected ZIP archive, which, when opened, contains a Windows shortcut (LNK) masquerading as a PDF document. Opening the LNK file results in the execution of a PowerShell command to download a stealer named ZipWhisper from a remote server to harvest sensitive data and upload it to the same server.
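A mail-gateway check for the attachment shape described above, as an added example that is not part of the article or Positive Technologies' analysis: it builds a constructed ZIP in memory (unencrypted, so it runs offline; a password can be passed through `pwd`) and flags an entry either because it is a shortcut named like a PDF or because it carries the Windows shell-link header, which catches a shortcut even after renaming. File names are placeholders.

```python
"""Flag Windows shortcuts (.lnk) posing as PDFs inside a ZIP attachment."""
import io
import struct
import uuid
import zipfile

# A .LNK file starts with HeaderSize 0x4C and the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 stored in on-disk (little-endian) layout.
LNK_MAGIC = struct.pack("<I", 0x4C) + uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le


def build_sample_zip():
    """Constructed attachment: two shortcuts (one renamed to .pdf), a real PDF, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2026.pdf.lnk", LNK_MAGIC + b"\x00" * 64)  # placeholder shortcut body
        zf.writestr("Report.pdf", LNK_MAGIC + b"\x00" * 64)            # renamed shortcut
        zf.writestr("Contract.pdf", b"%PDF-1.7\n%placeholder")
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()


def suspicious_entries(zip_bytes, pwd=None):
    """Return [(name, reasons)] for entries that look like LNK files or masquerade as PDFs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            lower = info.filename.lower()
            if lower.endswith(".lnk") and ".pdf" in lower:
                reasons.append("double extension: shortcut named like a PDF")
            # Read only the header; the name is untrusted, the bytes are not.
            with zf.open(info, pwd=pwd) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    reasons.append("LNK header magic")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, why in suspicious_entries(build_sample_zip()):
        print(name, "->", "; ".join(why))
```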

Another threat cluster that has trained its sights on Russia and Belarus is Vortex Werewolf. The end goal of the attacks is to deploy Tor and OpenSSH so as to facilitate persistent remote access. The campaign was previously exposed in November 2025 by Cyble and Seqrite Labs, with the latter calling the campaign Operation SkyCloak.
