
The advanced persistent threat (APT) group tracked as Bloody Wolf has stepped up its cyber-espionage operations across Central Asia, targeting both government bodies and private-sector organizations.
Since late June 2025 the group has run spear-phishing campaigns aimed primarily at organizations in Kyrgyzstan and Uzbekistan.
By closely impersonating state institutions such as the Ministry of Justice, the attackers persuade recipients to open lures that lead to compromise of their own systems.
The primary vector involves weaponized PDF documents sent via email, mimicking official correspondence. These documents often bear titles suggesting urgent legal matters or case materials, compelling recipients to interact with embedded links.
Once clicked, these links initiate a multi-stage infection process designed to bypass traditional security defenses and establish long-term access to the victim’s network.
Group-IB analysts identified this surge and noted that the group has moved from commodity malware such as STRRAT to deploying the legitimate NetSupport Manager remote administration tool as its RAT.
This pivot lets the attackers blend in with normal administrative traffic, since the tool and its binaries are widely used for legitimate remote support, which makes detection considerably harder for corporate security teams.
The campaigns show a high degree of regional adaptation, including lures written in local languages and geo-fencing of the download infrastructure so that the payload is only served to targets inside specific countries.
The impact is severe: the attackers obtain full remote control over infected endpoints, which supports data exfiltration, reconnaissance of the host and its installed software, and lateral movement within critical infrastructure networks.
Infection Chain
Bloody Wolf’s technical approach relies on malicious Java Archive (JAR) files to deliver the payload. Victims who follow the lure are told they need to update Java; that prompt is the pretext under which the malicious loader is executed.
The JAR files are compiled for Java 8 and are not obfuscated, yet they remain effective. In the Uzbekistan campaign the delivery infrastructure was geo-fenced: only requests originating from inside the country received the malicious JAR, while all other requests were redirected to legitimate government portals, which both limits exposure to sandboxes and researchers and makes the link look benign when checked from abroad.
Once executed, the JAR loader establishes persistence through redundant mechanisms. The malware drops a batch file into the Windows Startup folder and adds a registry Run entry that invokes cmd.exe, so that the RAT is launched again after a reboot even if one of the two mechanisms is removed.
In addition, it creates a scheduled task with schtasks as a third launch path. This redundancy keeps the NetSupport RAT running on the system and gives the attackers a durable foothold, while fake error messages shown to the user distract from the malicious activity in the background.
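The three persistence mechanisms above (Startup-folder batch file, Run key, scheduled task) share one useful property for defenders: all of them are written by, or spawned beneath, a Java process, which is unusual for a legitimate Java update. The following added example, which is not code from Group-IB or the article, shows a small hunting routine over constructed, Sysmon-like telemetry records that flags each mechanism and raises the severity when more than one of them is created from under java.exe. The event field names (`type`, `image`, `parent_image`, `ancestors`, `target`, `cmdline`) and the sample paths are assumptions; map them onto your own log schema.

```python
"""Hunt for redundant persistence created from under a Java process.

Added example, not the article's or Group-IB's code. The event dictionaries
below are constructed to resemble Sysmon process-create (ID 1), file-create
(ID 11) and registry-set (ID 13) events; the field names are an assumption.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Batch/script files dropped into a per-user Startup folder.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd|vbs|lnk)$", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce values.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# schtasks invoked to create a task, directly or through cmd.exe /c.
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+.*?/create\b", re.I)
# Java runtime binaries; a legitimate Java updater does not drop persistence.
JAVA_RE = re.compile(r"\\java(w)?\.exe$", re.I)
# NetSupport Manager client executable name (assumption: the commonly documented name).
NETSUPPORT_RE = re.compile(r"\\client32\.exe$", re.I)

Finding = Tuple[str, str, bool]  # (mechanism, artifact, created_from_java)


def _from_java(ev: Dict) -> bool:
    """True if the acting process, its parent, or any recorded ancestor is Java."""
    chain = [ev.get("image", ""), ev.get("parent_image", "")] + list(ev.get("ancestors", []))
    return any(JAVA_RE.search(p) for p in chain)


def flag_persistence(events: Iterable[Dict]) -> List[Finding]:
    """Return one finding per persistence artifact seen in the telemetry."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev.get("type")
        java = _from_java(ev)
        if kind == "file_create" and STARTUP_RE.search(ev.get("target", "")):
            findings.append(("startup_folder", ev["target"], java))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev.get("target", "")):
            findings.append(("run_key", ev["target"], java))
        elif kind == "process_create" and SCHTASKS_RE.search(ev.get("cmdline", "")):
            findings.append(("scheduled_task", ev["cmdline"], java))
        elif kind == "process_create" and NETSUPPORT_RE.search(ev.get("image", "")) and java:
            findings.append(("netsupport_from_java", ev["image"], True))
    return findings


def severity(findings: List[Finding]) -> str:
    """Redundant persistence from one Java process is the signal, not any single artifact."""
    java_kinds = {kind for kind, _, java in findings if java}
    if len(java_kinds) >= 2:
        return "high"
    if java_kinds:
        return "medium"
    return "low"


# Constructed sample telemetry for one host: a JAR launched from the lure,
# three persistence artifacts, the RAT start, and one benign installer task.
JAVA = r"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": JAVA, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'javaw.exe -jar C:\Users\u\Downloads\update.jar'},
    {"type": "file_create", "image": JAVA,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.bat"},
    {"type": "registry_set", "image": JAVA,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": JAVA,
     "cmdline": r'cmd.exe /c schtasks /create /sc onlogon /tn "JavaUpdate" /tr C:\Users\u\AppData\Roaming\upd\client32.exe'},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Roaming\upd\client32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "ancestors": [JAVA]},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'schtasks.exe /create /tn "VendorUpdater" /tr C:\Program Files\Vendor\upd.exe'},
]

if __name__ == "__main__":
    found = flag_persistence(SAMPLE_EVENTS)
    for mech, artifact, java in found:
        print(f"{mech:22} java={java!s:5} {artifact}")
    print("severity:", severity(found))
</test>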
