Bloody Wolf Group Attacks Kyrgyzstan and Uzbekistan Using NetSupport RAT
Specialists at Group-IB documented new attacks by the hacker group Bloody Wolf, which has been targeting Kyrgyzstan since June 2025 and expanded its activity to Uzbekistan in October. The financial sector, government agencies, and IT companies are at risk.
Per the researchers, the attackers impersonate the Ministry of Justice of Kyrgyzstan: they use fake PDF documents and domains that appear legitimate but actually distribute Java Archives (JAR) containing NetSupport RAT malware.
Threat Actor Background
Bloody Wolf has been active since at least late 2023. Previously, the group targeted Kazakhstan and Russia, distributing STRRAT and NetSupport via phishing. The geographical scope of the attackers has expanded to Central Asia, but their tactics remain the same: in emails, the group impersonates representatives of government agencies, aiming to trick the victim into opening a malicious attachment.
Attack Chain
The attack scheme is straightforward. The victim receives an email with a link to a supposedly important document. Clicking the link downloads a JAR file along with instructions to install Java Runtime. The email claims Java is needed to view the files, when in reality the loader downloads NetSupport RAT from the hackers' server and establishes persistence in the system through three methods simultaneously: via a scheduled task, a Windows registry entry, and a BAT file in the startup folder.
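The three persistence mechanisms named above (scheduled task, Run-key registry value, BAT file in the Startup folder) are individually common on Windows endpoints, but their creation on one host within minutes of each other is a much stronger signal. The following is an added detection example, not Group-IB's tooling or anything from the report: it classifies simplified Windows log records (Security event 4698 for task creation, Sysmon event 13 for a registry value set, Sysmon event 11 for a file created) and alerts when several distinct mechanisms appear on the same host inside a short window. All records, host names, paths and the ten-minute window are constructed assumptions.

```python
"""Correlate layered persistence: scheduled task + Run key + Startup-folder BAT
on one host within a short window. Added example; records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed, simplified log records (not a real export). Sources:
# Security 4698 = scheduled task created; Sysmon 13 = registry value set;
# Sysmon 11 = file created. Field names are simplified for the example.
SAMPLE_EVENTS = [
    {"time": "2025-10-02T09:14:03", "host": "WS-FIN-07", "source": "Security",
     "event_id": 4698, "target": "\\Updater"},
    {"time": "2025-10-02T09:14:05", "host": "WS-FIN-07", "source": "Sysmon",
     "event_id": 13,
     "target": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"time": "2025-10-02T09:14:06", "host": "WS-FIN-07", "source": "Sysmon",
     "event_id": 11,
     "target": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"},
    # Benign-looking single Run-key value on another host: should not alert.
    {"time": "2025-10-02T11:30:00", "host": "WS-HR-02", "source": "Sysmon",
     "event_id": 13,
     "target": "HKU\\S-1-5-21-2222\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]

WINDOW = timedelta(minutes=10)  # assumption: how close the creations must be


def classify(event: dict) -> Optional[str]:
    """Map one record to a persistence mechanism, or None if it is not one."""
    eid, target = event["event_id"], event["target"].lower()
    if event["source"] == "Security" and eid == 4698:
        return "scheduled_task"
    if event["source"] == "Sysmon" and eid == 13 and "\\currentversion\\run\\" in target:
        return "registry_run"
    if (event["source"] == "Sysmon" and eid == 11
            and "\\start menu\\programs\\startup\\" in target
            and target.endswith(".bat")):
        return "startup_bat"
    return None


def find_layered_persistence(events: List[dict], min_mechanisms: int = 2) -> List[dict]:
    """Return one alert per host on which at least min_mechanisms distinct
    persistence mechanisms were created within WINDOW of each other."""
    per_host: Dict[str, List[tuple]] = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), kind, ev["target"]))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()  # chronological
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            kinds = {h[1] for h in window}
            if len(kinds) >= min_mechanisms:
                alerts.append({"host": host, "mechanisms": sorted(kinds),
                               "first_seen": t0.isoformat(),
                               "artifacts": [h[2] for h in window]})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_layered_persistence(SAMPLE_EVENTS):
        print(alert)
```

The threshold of two mechanisms keeps the rule useful even when one of the three log sources is missing on a host; raise `min_mechanisms` to 3 if the environment collects all three reliably and false positives from installers are a concern.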
Geofencing Tactics
Per Group-IB experts, during attacks on Uzbek organizations, the hackers used geofencing: if a request did not originate from Uzbekistan, the victim was redirected to the legitimate website data.egov.uz. However, requests from within the country triggered the download of a JAR file via a link embedded in the PDF.
Technical Analysis
All JAR loaders used by the group are compiled with an old version of Java 8 (released in March 2014). Specialists believe the group has its own generator or template for creating such files. The version of the NetSupport malware is also dated, from October 2013.
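The compiler version of a JAR can be read offline without running it: every `.class` entry carries a major version in its header (52 corresponds to Java 8), and the manifest often records a `Created-By` line. The script below is an added triage example, not code from Group-IB or from the loaders themselves; it opens a JAR as the ZIP archive it is, tallies class-file versions and extracts the manifest field. The sample JAR it builds is constructed for illustration, and its `Created-By` string is a placeholder rather than a value taken from any real sample.

```python
"""Offline triage of a JAR: class-file versions and manifest Created-By.
Added example; the sample JAR built below is constructed."""
import io
import struct
import zipfile
from collections import Counter
from typing import Optional

# Class-file major version -> Java release (JVM specification, chapter 4).
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
                 51: "7", 52: "8", 53: "9", 54: "10", 55: "11", 56: "12",
                 57: "13", 58: "14", 59: "15", 60: "16", 61: "17"}
CLASS_MAGIC = 0xCAFEBABE


def class_major_version(data: bytes) -> Optional[int]:
    """Return the major version from a .class header, or None if not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == CLASS_MAGIC else None


def manifest_created_by(zf: zipfile.ZipFile) -> Optional[str]:
    """Pull the Created-By value out of META-INF/MANIFEST.MF, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.lower().startswith("created-by:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(jar_bytes: bytes) -> dict:
    """Summarise class-file versions and manifest metadata of a JAR."""
    majors = Counter()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        created_by = manifest_created_by(zf)
        names = zf.namelist()
        for name in names:
            if name.endswith(".class"):
                major = class_major_version(zf.read(name))
                if major is not None:
                    majors[major] += 1
    return {
        "created_by": created_by,
        "class_versions": {MAJOR_TO_JAVA.get(m, f"major {m}"): n
                           for m, n in majors.items()},
        "entry_count": len(names),
    }


def build_sample_jar() -> bytes:
    """Construct a minimal JAR with one Java 8 class header (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Created-By: 1.8.0 (constructed sample)\r\n"
                    "Main-Class: Loader\r\n\r\n")
        # Only the 8-byte header matters for version triage; the rest is padding.
        zf.writestr("Loader.class",
                    struct.pack(">IHH", CLASS_MAGIC, 0, 52) + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
```

A consistent, years-old class version across many unrelated samples is the kind of artefact that supports the researchers' view that the group reuses one generator or template; it is also a cheap feature to add to mail-gateway or sandbox triage of Java attachments.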
The researchers conclude that Bloody Wolf demonstrates how even inexpensive, commercial tools can become effective weapons for targeted and sophisticated attacks.