The cyber threat actor known as Bloody Wolf has been linked to a campaign targeting Kyrgyzstan since at least June 2025, aiming to deploy the NetSupport Remote Access Trojan (RAT). Recent activities have expanded to specifically include Uzbekistan, as reported by Group-IB researchers amid a joint effort with Ukuk, a state entity under the Prosecutor General’s office of Kyrgyzstan. The attacks primarily focus on sectors such as finance, government, and information technology (IT).
Employing social engineering tactics, these threat actors impersonate Kyrgyzstan’s Ministry of Justice through misleading PDF documents and similar domain names, which host Java Archive (JAR) files meant to deliver the NetSupport RAT. This strategic blend of social engineering and readily available tools allows Bloody Wolf to operate effectively while maintaining a low profile.
Bloody Wolf, an unidentified hacking group, has previously engaged in spear-phishing attacks aimed at Kazakhstan and Russia, utilizing tools like STRRAT and NetSupport since at least late 2023. The tactics employed in Kyrgyzstan and Uzbekistan include impersonating trusted government offices in phishing emails intended to spread malware.
The attack mechanism typically involves the recipient being tricked into clicking links that download malicious JAR files, accompanied by directives to install Java Runtime. Although the message suggests that the installation is necessary for viewing documents, it actually executes the malicious loader, which later retrieves the NetSupport RAT payload from compromised servers to establish persistence through various methods including:
- Creating scheduled tasks
- Modifying Windows Registry values
- Dropping batch scripts in the `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` directory.
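As an added, defender-side example (not code from the Group-IB report or this article), the PowerShell below audits the three persistence locations just listed on a Windows host and flags entries that reference Java/JAR artefacts or NetSupport; the match pattern, including the `client32` NetSupport client binary name, is an assumption chosen for this example and should be tuned per environment.

```powershell
# Added example: audit scheduled tasks, Run/RunOnce keys and the per-user
# Startup folder for entries referencing Java/JAR loaders or NetSupport.
# The pattern below is an assumption for this example, not an indicator list.
$Pattern  = 'java|\.jar|netsupport|client32'
$Findings = @()

# 1. Scheduled tasks: inspect every action's executable and its arguments.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $Pattern) {
            $Findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = $cmd.Trim()
            }
        }
    }
}

# 2. Registry autostart values for the machine and the current user.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata members
        if ("$($p.Value)" -match $Pattern) {
            $Findings += [pscustomobject]@{ Source = 'Registry'; Name = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 3. Per-user Startup folder: flag files by name, and batch scripts by content.
$Startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($f in Get-ChildItem -Path $Startup -File -ErrorAction SilentlyContinue) {
    $body = ''
    if ($f.Extension -in '.bat', '.cmd') {
        $body = [string](Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue)
    }
    if ($f.Name -match $Pattern -or $body -match $Pattern) {
        $Findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $f.FullName; Detail = ($body -split "`n")[0] }
    }
}

$Findings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and all scheduled tasks are readable; an empty table means none of the three locations matched the pattern, not that the host is clean.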
Notably, in this expanded campaign within Uzbekistan, there have been geofencing restrictions that reroute requests from outside the country to the legitimate government website, while requests originating within Uzbekistan lead to the download of the malicious JAR file.
The JAR loaders used in these campaigns are reportedly built with Java 8, and it is suspected that the attackers are employing a proprietary JAR generator. The NetSupport RAT payload is an outdated version from October 2013.
Group-IB highlighted how Bloody Wolf has leveraged affordable, commercially accessible tools to orchestrate sophisticated, regionally focused cyber operations. By exploiting the trust placed in government institutions and using simple JAR-based loaders, the group has successfully established a strong presence in the Central Asian cyber threat landscape.