The risk actor often called Bloody Wolf has been attributed to a cyber assault marketing campaign that has focused Kyrgyzstan since at the least June 2025 with the aim of delivering NetSupport RAT.
As of October 2025, the exercise has expanded to additionally single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo stated in a report printed in collaboration with Ukuk, a state enterprise below the Prosecutor Normal’s workplace of the Kyrgyz Republic. The assaults have focused finance, authorities, and knowledge know-how (IT) sectors.
“These risk actors would impersonate the [Kyrgyzstan’s] Ministry of Justice via official wanting PDF paperwork and domains, which in flip hosted malicious Java Archive (JAR) information designed to deploy the NetSupport RAT,” the Singapore-headquartered firm stated.
“This mix of social engineering and accessible tooling permits Bloody Wolf to stay efficient whereas preserving a low operational profile.”
Bloody Wolf is the identify assigned to a hacking group of unknown provenance that has used spear-phishing assaults to focus on entities in Kazakhstan and Russia utilizing instruments like STRRAT and NetSupport. The group is assessed to be energetic since at the least late 2023.
The focusing on of Kyrgyzstan and Uzbekistan utilizing comparable preliminary entry strategies marks an growth of the risk actor’s operations in Central Asia, primarily impersonating trusted authorities ministries in phishing emails to distribute weaponized hyperlinks or attachments.
The assault chains kind of comply with the identical strategy in that the message recipients are tricked into clicking on hyperlinks that obtain malicious Java archive (JAR) loader information together with directions to put in Java Runtime.
Whereas the e-mail claims the set up is critical to view the paperwork, the truth is that it is used to execute the loader. As soon as launched, the loader then proceeds to fetch the next-stage payload (i.e., NetSupport RAT) from infrastructure that is below the attacker’s management and arrange persistence in 3 ways –
- Making a scheduled activity
- Including a Home windows Registry worth
- Dropping a batch script to the folder “%APPDATApercentMicrosoftWindowsStart MenuProgramsStartup”
The Uzbekistan part of the marketing campaign is notable for incorporating geofencing restrictions, thereby inflicting requests originating exterior of the nation to be redirected to the reliable knowledge.egov[.]uz web site. Requests from inside Uzbekistan have been discovered to set off the obtain of the JAR file from an embedded hyperlink inside the PDF attachment.
Group-IB stated the JAR loaders noticed within the campaigns are constructed with Java 8, which was launched in March 2014. It is believed that the attackers are utilizing a bespoke JAR generator or template to spawn these artifacts. The NetSupport RAT payload is a previous model of NetSupport Supervisor from October 2013.
“Bloody Wolf has demonstrated how low-cost, commercially accessible instruments might be weaponized into subtle, regionally focused cyber operations,” it stated. “By exploiting belief in authorities establishments and leveraging easy JAR-based loaders, the group continues to take care of a robust foothold throughout the Central Asian risk panorama.”
