Kaspersky reported that the threat actor Bloody Wolf—tracked by the vendor as Stan Ghouls—is running a spear-phishing campaign primarily targeting organizations in Uzbekistan and Russia, with additional, lower-volume activity observed in other countries. The activity, ongoing since at least 2023, has targeted sectors including manufacturing, finance, and IT, and has also been observed hitting government, logistics, healthcare, and education entities. Reported victim counts for the current wave are on the order of 50+ in Uzbekistan and ~10 in Russia, with the actor assessed as likely financially motivated, though the heavy use of remote-access tooling may also support espionage objectives.
The intrusion chain relies on phishing emails carrying malicious PDF lures (e.g., court/government-themed documents) that embed links leading to a downloader/loader, after which the actor deploys NetSupport RAT (a legitimate remote administration tool) for remote control—representing a shift from prior use of STRRAT. Kaspersky noted the loader’s behavior includes user-deception (fake error messages) and basic execution controls (e.g., limiting repeated installation attempts), while another reported lure uses a social-engineering pretext that victims must install a Java Runtime Environment update, ultimately delivering a malicious JAR—a technique Kaspersky described as a distinctive fingerprint for this actor. Prior related reporting cited phishing activity in Kyrgyzstan distributing similar tooling, indicating a broader regional focus beyond the current Uzbekistan/Russia emphasis.

Timeline: 5 events, from the most recent confirmed update back to the earliest known activity.
Kaspersky publicly reported the campaign, describing the loader's execution checks, fake error display, NetSupport download process, rotating command-and-control domains, and persistence via Startup folder scripts, HKCU Run registry entries, and scheduled tasks. The company also noted Mirai-related files on infrastructure tied to prior Bloody Wolf activity, suggesting possible but unconfirmed IoT expansion or shared infrastructure.
Reporting on the campaign said the most recent wave affected nearly 60 organizations, including about 50 victims in Uzbekistan and 10 in Russia, with additional infections observed in Kazakhstan, Turkey, Serbia, and Belarus.
The latest campaign used localized phishing emails, including Uzbek-language lures posing as court or government notices, to trick victims into opening malicious PDF decoys and downloading a JAR-based loader. The activity primarily targeted organizations in Uzbekistan and Russia across sectors including manufacturing, finance, IT, government, logistics, medical, and education.
In a newer wave of activity, the group moved away from using custom trojans such as STRRAT and adopted a living-off-the-land approach, using a Java-based loader to install the legitimate NetSupport remote administration tool for stealthier access.
Kaspersky-linked reporting says the threat actor known as Stan Ghouls, also called Bloody Wolf, has been active since at least 2023, targeting organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan, with additional lower-volume activity elsewhere.
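The delivery and persistence mechanisms named in the timeline above (a JAR-based loader, Startup folder scripts, HKCU Run registry entries, scheduled tasks, and the NetSupport client itself) each leave a distinct trace in host telemetry. The following Python is an added hunting example, not code from Kaspersky, Mallory or any of the cited reports: it runs a small rule set over constructed Sysmon-style JSON-lines events and returns which rule fired on which event. The Sysmon event IDs are real; the executable names used as indicators (java/javaw, and client32.exe as the NetSupport Manager client binary), the path patterns and the sample events are assumptions drawn from general knowledge of those tools, not indicators published on this page.

```python
"""Hunt for the persistence chain described in the report, over Sysmon-style
JSON-lines events. Added example; indicators below are assumptions, not IoCs
taken from the page."""
import json
import re

# Sysmon event IDs (real values): process create, file create, registry value set.
EV_PROCESS, EV_FILE, EV_REGISTRY = 1, 11, 13

JAVA_EXE = re.compile(r"\\javaw?\.exe$", re.I)                 # assumed loader host process
JAR_USER_PATH = re.compile(                                     # -jar <something under Downloads/Temp>
    r'-jar\s+"?[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\', re.I)
RUN_KEY = re.compile(                                           # per-user Run key (Sysmon writes HKU\<SID>\...)
    r"^HKC?U\\.*\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
LOADER_REF = re.compile(r"javaw?\.exe|\.jar\b|client32\.exe", re.I)
STARTUP_SCRIPT = re.compile(                                    # script dropped into the Startup folder
    r"\\start menu\\programs\\startup\\[^\\]+\.(bat|cmd|vbs|js|ps1|lnk)$", re.I)
SCHTASKS = re.compile(r"\\schtasks\.exe$", re.I)
NETSUPPORT_CLIENT = re.compile(r"\\client32\.exe$", re.I)       # assumed NetSupport Manager client name


def r_jar_loader(e: dict) -> bool:
    """Stage 1: java/javaw launching a .jar from a user-writable download/temp path."""
    return (e.get("EventID") == EV_PROCESS
            and JAVA_EXE.search(e.get("Image", "")) is not None
            and JAR_USER_PATH.search(e.get("CommandLine", "")) is not None)


def r_run_key(e: dict) -> bool:
    """HKCU Run value whose data points at a JAR, the Java runtime, or the NetSupport client."""
    return (e.get("EventID") == EV_REGISTRY
            and RUN_KEY.search(e.get("TargetObject", "")) is not None
            and LOADER_REF.search(e.get("Details", "")) is not None)


def r_startup_script(e: dict) -> bool:
    """Script-type file created in a Startup folder."""
    return (e.get("EventID") == EV_FILE
            and STARTUP_SCRIPT.search(e.get("TargetFilename", "")) is not None)


def r_schtasks(e: dict) -> bool:
    """schtasks /create spawned by the Java loader, or registering the NetSupport client."""
    cmd = e.get("CommandLine", "").lower()
    return (e.get("EventID") == EV_PROCESS
            and SCHTASKS.search(e.get("Image", "")) is not None
            and "/create" in cmd
            and (JAVA_EXE.search(e.get("ParentImage", "")) is not None or "client32.exe" in cmd))


def r_netsupport_child(e: dict) -> bool:
    """NetSupport client started directly by the Java loader."""
    return (e.get("EventID") == EV_PROCESS
            and NETSUPPORT_CLIENT.search(e.get("Image", "")) is not None
            and JAVA_EXE.search(e.get("ParentImage", "")) is not None)


RULES = [
    ("jar_loader_from_user_dir", r_jar_loader),
    ("hkcu_run_java_loader", r_run_key),
    ("startup_folder_script", r_startup_script),
    ("schtasks_create_from_java", r_schtasks),
    ("netsupport_child_of_java", r_netsupport_child),
]


def scan(jsonl: str) -> list[tuple[int, str]]:
    """Return (event number, rule name) for every rule that fires; blank lines are skipped."""
    findings = []
    for n, line in enumerate(filter(None, map(str.strip, jsonl.splitlines())), start=1):
        event = json.loads(line)
        findings.extend((n, name) for name, rule in RULES if rule(event))
    return findings


# Constructed sample telemetry: five events of the chain, then two benign events.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Java\\bin\\javaw.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "javaw.exe -jar C:\\Users\\u\\Downloads\\notice.jar"}
{"EventID": 13, "Image": "C:\\Program Files\\Java\\bin\\javaw.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "\"C:\\Program Files\\Java\\bin\\javaw.exe\" -jar C:\\Users\\u\\AppData\\Roaming\\upd.jar"}
{"EventID": 11, "Image": "C:\\Program Files\\Java\\bin\\javaw.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Program Files\\Java\\bin\\javaw.exe", "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\ns\\client32.exe"}
{"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Roaming\\ns\\client32.exe", "ParentImage": "C:\\Program Files\\Java\\bin\\javaw.exe", "CommandLine": "client32.exe"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\u\\Documents\\report.pdf"}
"""

if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_EVENTS):
        print(f"event {line_no}: {rule}")
```

Each rule is deliberately narrow (the Run-key rule needs both the per-user key and loader-like value data; the schtasks rule needs the Java parent or the client name) so that ordinary software installers writing their own Run values or tasks, as in the two benign sample events, do not fire. Because NetSupport is a legitimate tool, a hit on the last two rules is most meaningful when combined with the earlier stages from the same host.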
References (4 tracked):
scworld.com
cybersecuritynews.com
thehackernews.com
securityonline.info