Bloody Wolf Campaign Deploys NetSupport RAT Against Central Asian Targets
#Security

Security Reporter

Kaspersky exposes sophisticated spear-phishing campaign targeting Uzbekistan and Russia with NetSupport RAT, signaling evolving tactics in financially motivated attacks.

Security researchers at Kaspersky have uncovered an ongoing cyber campaign targeting organizations across Uzbekistan, Russia, and neighboring countries. The threat actor, tracked by analysts as 'Stan Ghouls' and also known as Bloody Wolf, has infected approximately 60 systems using a weaponized version of NetSupport RAT delivered through phishing emails.

"Given Stan Ghouls' targeting of financial institutions, we believe their primary motive is financial gain," Kaspersky stated in their technical analysis. "Their heavy use of RATs may also hint at cyber espionage capabilities." The campaign marks a tactical shift for Bloody Wolf, which previously relied on STRRAT malware according to Group-IB research from November 2025.

The attack sequence begins with PDF attachments in phishing emails that contain embedded malicious links. When a link is clicked, it triggers a multi-stage infection process that:

  1. Displays a fake error message to the victim as a decoy
  2. Checks an infection-attempt limit and gives up after three tries
  3. Downloads NetSupport RAT from compromised domains
  4. Establishes persistence through:
    • Startup folder autorun scripts
    • Registry key modifications
    • Scheduled task creation

Kaspersky also discovered Mirai botnet payloads on Bloody Wolf's infrastructure, suggesting potential expansion into IoT device targeting. "With over 60 targets hit, this is remarkably high volume for a sophisticated campaign," researchers noted, indicating significant resource investment.

This campaign coincides with increased attacks against Russian organizations by multiple threat groups:

  • ExCobalt: Compromises contractors to breach networks, using tools including CobInt backdoor and PUMAKIT rootkit
  • Punishing Owl: Hacktivist group leaking stolen data via phishing LNK files delivering ZipWhisper stealer
  • Vortex Werewolf: Deploys Tor/OpenSSH for persistent access in Russia/Belarus

Practical Defense Recommendations

  1. Email Filtering: Implement advanced detection for PDFs with embedded links using services like Microsoft Defender for Office 365
  2. Application Control: Restrict unauthorized RMM tools via Group Policy or tools like AppLocker
  3. Registry Monitoring: Deploy endpoint detection that alerts on suspicious autorun key modifications
  4. Network Segmentation: Isolate IoT devices from critical networks using VLANs
  5. User Training: Conduct phishing simulations focusing on PDF/link verification using platforms like KnowBe4
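Recommendation 1 above depends on being able to find the link actions buried in a PDF attachment before a user clicks them. The following is an added example, not code from Kaspersky or the article, showing how a mail-gateway triage step can extract /URI actions from a PDF and quarantine the message when a link points outside an allowlist. The sample PDF, the target URL and the allowlist are constructed for illustration and are not indicators from the report.

```python
"""Triage PDF attachments for embedded link actions (added example).

Scans raw PDF bytes for /URI actions and flags any link whose host is not
on an allowlist. The sample document and all domains below are constructed
for illustration; none are indicators from the Kaspersky report.
"""
import re
from urllib.parse import urlparse

# A /URI action whose target is a PDF literal string:  /URI (http://...)
# The group tolerates backslash-escaped characters inside the string.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in uncompressed PDF objects."""
    uris = []
    for match in URI_ACTION.finditer(pdf_bytes):
        raw = match.group(1)
        # Undo the literal-string escapes that can legitimately appear in a URL.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def triage(pdf_bytes: bytes, allowed_hosts: set) -> dict:
    """Classify a PDF: list its link targets and decide whether to quarantine."""
    uris = extract_uris(pdf_bytes)
    suspicious = []
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        if host not in allowed_hosts:
            suspicious.append(uri)
    return {"uris": uris, "suspicious": suspicious, "quarantine": bool(suspicious)}


# Constructed sample: a one-page PDF whose only content is a link annotation
# pointing at an external download URL (the .invalid TLD is reserved and
# never resolves). Not a real lure document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://downloads.example.invalid/report.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with no link actions at all, for comparison.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# Hypothetical corporate allowlist; real deployments would load this from config.
ALLOWED_HOSTS = {"intranet.example.invalid"}

if __name__ == "__main__":
    print(triage(SAMPLE_PDF, ALLOWED_HOSTS))
    print(triage(PLAIN_PDF, ALLOWED_HOSTS))
```

This regex pass only sees objects stored uncompressed; real attachments often keep annotations inside FlateDecode object streams, so a production gateway should decompress with a proper PDF library first and then apply the same allowlist decision to what it finds. The point of the allowlist rather than a blocklist is that lure documents rotate hosting domains faster than any denylist can follow.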

Organizations in affected regions should prioritize these measures, particularly in finance, government, and critical infrastructure sectors. Regular threat hunting for NetSupport RAT artifacts (run.bat, NetSupport executables) is advised, alongside reviewing Microsoft's enterprise RMM security guidelines.
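The persistence mechanisms listed in the attack sequence (Startup folder scripts, registry key changes, scheduled tasks) and the hunting artifacts named above (run.bat, NetSupport executables) map neatly onto endpoint telemetry. The following is an added example, not Kaspersky's or the article's code, that runs that hunt over constructed Sysmon-style events. The event shapes follow Sysmon's process-create (ID 1), file-create (ID 11) and registry-set (ID 13) fields; client32.exe is the NetSupport Manager client binary name, which the report does not mention by name and is used here as an assumption; the hostnames, paths and SID are made up.

```python
"""Hunt for NetSupport RAT persistence in endpoint telemetry (added example).

Scores each host on the persistence techniques named in the report
(Startup-folder autorun scripts, Run-key modifications, scheduled tasks) and
on NetSupport binaries launched from unsanctioned locations. Events below are
constructed Sysmon-style records, not real telemetry.
"""
import re
from collections import defaultdict
from typing import Optional

# run.bat comes from the report; client32.exe is the NetSupport Manager client
# (assumed file name). Both are weak indicators alone: NetSupport is a legitimate
# RMM product, so location and autorun context carry the weight.
NETSUPPORT_ARTEFACT = re.compile(r"(client32\.exe|run\.bat|netsupport)", re.I)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Where an approved NetSupport install would live (assumed corporate standard).
SANCTIONED_PATHS = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\NetSupport", re.I)
PERSISTENCE = {"startup_folder", "run_key", "scheduled_task"}


def classify(event: dict) -> Optional[str]:
    """Map one event to a technique label, or None if it is not relevant."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "").lower()
    if eid == 11 and STARTUP_FOLDER.search(event.get("TargetFilename", "")) \
            and NETSUPPORT_ARTEFACT.search(event.get("TargetFilename", "")):
        return "startup_folder"
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")) \
            and NETSUPPORT_ARTEFACT.search(event.get("Details", "")):
        return "run_key"
    if eid == 1 and image.lower().endswith("schtasks.exe") \
            and "/create" in cmd and NETSUPPORT_ARTEFACT.search(cmd):
        return "scheduled_task"
    if eid == 1 and NETSUPPORT_ARTEFACT.search(image) and not SANCTIONED_PATHS.match(image):
        return "unsanctioned_binary"
    return None


def hunt(events) -> dict:
    """Group technique labels per host: {hostname: sorted list of labels}."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev["Computer"]].add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


def hosts_to_escalate(findings: dict) -> list:
    """Escalate only hosts showing an unsanctioned binary plus a persistence mechanism."""
    return sorted(h for h, labels in findings.items()
                  if "unsanctioned_binary" in labels and PERSISTENCE & set(labels))


# Constructed events. WS-01 shows the full chain; WS-02 runs an approved install.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "EventID": 1,
     "Image": r"C:\Users\Public\Music\client32.exe", "CommandLine": "client32.exe"},
    {"Computer": "WS-01", "EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"Computer": "WS-01", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport",
     "Details": r"C:\Users\Public\Music\run.bat"},
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Update /tr "C:\Users\Public\Music\client32.exe"'},
    {"Computer": "WS-02", "EventID": 1,
     "Image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "CommandLine": "client32.exe"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    print(results)
    print("escalate:", hosts_to_escalate(results))
```

The escalation rule deliberately requires two independent signals, a NetSupport binary outside the sanctioned install path and at least one autorun mechanism, so that a help-desk technician's legitimate NetSupport session does not page the on-call analyst. Adjust SANCTIONED_PATHS to your own software-deployment standard before using a rule like this.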

Image: Kaspersky's visualization of Bloody Wolf's attack chain showing PDF-to-RAT infection flow
