Threat Intelligence

Bloody Wolf targets Uzbekistan and Russia with NetSupport RAT

The Hacker News reports that the threat actor known as Bloody Wolf, tracked by Kaspersky as Stan Ghouls, has been linked to a sophisticated campaign targeting Uzbekistan and Russia, infecting systems with the NetSupport RAT. This actor has been active since at least 2023, employing spear-phishing tactics across manufacturing, finance, and IT sectors.

The campaign has impacted approximately 50 victims in Uzbekistan and 10 in Russia, with lesser infections in Kazakhstan, Turkey, Serbia, and Belarus. Targeted entities include government organizations, logistics companies, medical facilities, and educational institutions. The primary motive is believed to be financial gain, though cyber espionage is also a possibility due to the heavy use of RATs. The attack chain typically begins with phishing emails containing malicious PDF attachments. These PDFs link to a loader that displays a fake error message, checks previous RAT installation attempts, downloads NetSupport RAT from external domains, and establishes persistence through startup scripts, registry keys, and scheduled tasks.

Additionally, Mirai botnet payloads have been found on infrastructure associated with Bloody Wolf, suggesting a potential expansion into IoT device targeting. This activity coincides with other campaigns against Russian organizations, such as those by ExCobalt, which exploit known vulnerabilities and stolen credentials. 

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds