The Bloody Wolf cyber campaign has expanded into one of the most active and regionally focused intrusion operations in Central Asia. New research from Group-IB and state investigators in the Kyrgyz Republic reveals that the threat group has broadened its tactics, infrastructure, and geographic footprint throughout 2025. The campaign now spans Kyrgyzstan and Uzbekistan, using Java-based loaders and spear-phishing lures designed to imitate government ministries. These attacks deliver the NetSupport remote administration tool, enabling full command and control of infected systems across finance, government, and IT sectors.
This new activity offers one of the clearest public looks into how Bloody Wolf operates. It shows a group that is persistent, low-cost, and highly adaptive. Instead of relying on complex custom malware, the group uses simple Java Archive loaders, legitimate remote administration tools, and highly credible impersonation techniques that blend seamlessly into local government communications. The resulting intrusion chains are efficient, stealthy, and difficult for victims to distinguish from legitimate documents.
Inside the Expansion of the Bloody Wolf Campaign
The latest activity by Bloody Wolf marks a significant expansion from its earlier operations in Kazakhstan and Russia. Analysts have found that the group has shifted from opportunistic phishing to a sustained and well-planned campaign that leverages localized lures written in Russian, Kyrgyz, and Uzbek. These lures mimic government announcements, legal notifications, or ministry communications, enticing victims to open embedded links inside PDF documents distributed through spear-phishing emails.
Each link points to a Java Archive file hosted on attacker-controlled infrastructure. When executed, the JAR file displays a fake error message and silently downloads an older version of the NetSupport remote administration tool. The malware then attempts to establish persistence using scheduled tasks, registry keys, and startup folder batch scripts. All of these techniques allow the group to maintain long-term access to infected machines while remaining unnoticed by traditional antivirus tools.
The expansion of the campaign into Uzbekistan is particularly noteworthy. The infrastructure used in this phase includes geofencing controls that redirect foreign visitors to legitimate government websites. Only visitors within the targeted region receive the malicious payload. This targeting method shows that Bloody Wolf is not conducting mass spam campaigns but is focusing on specific organizations, locations, and language groups. This behavior aligns with the group’s historical emphasis on region-specific spear-phishing, social engineering, and low-cost intrusion tools.
A Look Into Bloody Wolf’s Infrastructure and Tools
The Bloody Wolf campaign provides a rare view into a threat group that has built a consistent and repeatable infection chain. While many advanced threat actors rely on sophisticated custom malware, Bloody Wolf takes an entirely different approach. Their strategy emphasizes accessibility and operational simplicity. The group uses a custom-made JAR generator that allows them to build large numbers of Java loaders quickly. These loaders contain different configuration values, fake error messages, and download paths, making each sample slightly different while retaining the same behaviors.
The JAR loaders used by Bloody Wolf rely on Java 8, a version released in 2014. By using old Java components, the attackers reduce the likelihood of detection and bypass many modern security filters. The loaders are small, minimally obfuscated, and focused on a single purpose. They download NetSupport, execute it, and set up persistence mechanisms. Because NetSupport is legitimate remote administration software, many defenders fail to recognize it as malicious, allowing Bloody Wolf to maintain long-term access to infected networks with a low operational footprint.
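When triaging JAR files recovered from a phishing investigation, the class-file major version (52 for Java 8) and the size of the archive are quick static signals for sorting samples of the kind described above. The following helper is an added example written for this article, not code from Group-IB or from the campaign; the sample JAR it builds in memory is constructed, and the names Loader and build_sample_jar are assumptions.

```python
import io
import struct
import zipfile

JAVA8_MAJOR = 52  # class-file major version emitted by Java 8 compilers


def build_sample_jar() -> bytes:
    """Constructed stand-in for a loader JAR (not a real sample): a manifest naming
    a main class plus one minimal class file whose header claims Java 8."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        # magic 0xCAFEBABE, minor_version 0, major_version 52; the body is filler
        zf.writestr("Loader.class",
                    struct.pack(">IHH", 0xCAFEBABE, 0, JAVA8_MAJOR) + b"\0" * 48)
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """Static summary of a JAR: entry point, class count, the highest class-file
    major version inside, and whether the archive as a whole targets Java 8 or older."""
    info = {"size": len(data), "main_class": None, "classes": 0, "max_major": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("main-class:"):
                    info["main_class"] = line.split(":", 1)[1].strip()
        for name in names:
            if not name.endswith(".class"):
                continue
            head = zf.read(name)[:8]
            if len(head) < 8 or head[:4] != b"\xca\xfe\xba\xbe":
                continue  # not a valid class-file header, skip it
            _minor, major = struct.unpack(">HH", head[4:8])
            info["classes"] += 1
            info["max_major"] = max(info["max_major"], major)
    info["java8_or_older"] = 0 < info["max_major"] <= JAVA8_MAJOR
    return info
```

A single-class archive of a few kilobytes that targets Java 8 and declares a Main-Class is worth a closer look when it arrived via a PDF link.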
NetSupport RAT is central to the group’s operations. It provides remote desktop access, file transfer, system inventory, and control features that are normally used for IT support. When weaponized, it gives attackers full access to a victim’s system. Group-IB analysts discovered that Bloody Wolf uses older versions of NetSupport Manager from 2013. These versions circulate widely online and are easy to repurpose. By mixing legitimate software with minimal loader complexity, Bloody Wolf avoids creating a malware signature that defenders can easily track.
Government Impersonation and Social Engineering
The most effective component of the Bloody Wolf operation is its social engineering strategy. The group creates PDF lures that appear identical to official documents distributed by the Ministries of Justice in Kyrgyzstan and Uzbekistan. The documents contain stamps, headers, formal language, and embedded links designed to look like case files, ministry decisions, or legal statements.
These phishing emails are delivered to employees working in government agencies, financial institutions, and critical business sectors. Because the lures mimic real government processes, victims are likely to trust them. This makes the infection chain highly effective even without sophisticated technical exploits. The social engineering techniques used by Bloody Wolf show that attackers do not always need new exploits to penetrate a system; they only need to exploit the trust users place in familiar government communication formats.
Stealth Through Local Language and Regional Focus
One of the most unusual characteristics of the Bloody Wolf group is its emphasis on localized targeting. While many global threat actors distribute campaigns in a single language, Bloody Wolf creates lure documents in Russian, Kyrgyz, and Uzbek, depending on the target. This multilingual capability increases credibility and allows the group to blend in with real local communications.
In the Uzbekistan phase of the campaign, the PDFs are written in Uzbek and include government terminology that reflects the country’s legal and administrative procedures. In Kyrgyzstan, the documents mirror the style and language of the official Ministry of Justice website. This level of tailoring indicates that the group is closely studying local government communication styles and updating its lures accordingly.
Such regionally tailored phishing campaigns are not accidental. They show a deeper operational understanding of the target environment and an intent to remain effective over time. This aligns with the historical operations of Bloody Wolf, where the group has consistently targeted Central Asian nations with small but persistent spear-phishing operations.
A Deepening Threat to Government and Finance
The targeting of government, financial, and IT sectors in Kyrgyzstan and Uzbekistan shows that Bloody Wolf is shifting toward more strategic objectives. The use of a legitimate remote administration tool like NetSupport suggests the group aims for long-term espionage, data harvesting, and internal reconnaissance. Once NetSupport is active, attackers can monitor user activity, capture sensitive information, and explore internal networks unnoticed.
Investigators believe that the group’s infrastructure is intentionally maintained at a low operational cost. The hosting used in the campaigns relies on inexpensive domains, shared hosting environments, and frequently rotated servers. These methods allow the group to launch, maintain, and expand its operations without drawing significant attention from global security researchers.
How the Java Loader Infection Chain Works
Bloody Wolf’s infection chain is simple but effective. The sequence typically looks like this:
- A spear-phishing email impersonates a government ministry and includes a PDF attachment.
- The PDF contains an embedded link labeled as case materials or legal documents.
- Clicking the link triggers the download of a Java Archive loader.
- The victim is instructed to install a Java runtime to open the document.
- Once launched, the JAR loader shows a fake error message.
- The loader downloads NetSupport RAT from an attacker-controlled domain.
- The RAT is installed and added to startup through registry keys, scheduled tasks, and batch scripts.
The attack does not rely on zero-day vulnerabilities or complex exploits. Instead, it relies entirely on convincing social engineering and the victim’s willingness to open the malicious file. This infection chain has remained consistent throughout 2025 across multiple countries and multiple lure variants.
The Growing Trend of Low-Cost, High-Impact Tools
Bloody Wolf demonstrates a larger trend in the global threat landscape. Threat groups are increasingly shifting toward low-cost attack tools that deliver reliable results. By using legitimate remote administration software, simple Java loaders, and geofenced payload delivery, attackers can build stealthy campaigns with minimal effort.
These tools also lower the barrier to entry for threat actors. A small team with modest technical resources can create effective campaigns by exploiting trust and familiarity rather than relying on expensive infrastructure or custom malware families. This trend highlights an evolution in regional cyber operations. Instead of focusing on advanced exploits, groups like Bloody Wolf rely on consistency, precision, and realistic impersonation techniques that bypass traditional defenses.
Strategic Significance for Central Asia
The expansion of the Bloody Wolf campaign into Kyrgyzstan and Uzbekistan reflects the strategic importance of the region. Central Asian countries are undergoing rapid digital transformation in government services, finance, and IT infrastructure. These developments create new opportunities for espionage and influence operations. A threat campaign that focuses on government ministries, legal systems, and administrative structures can have significant long-term impact on national cybersecurity stability.
The choice to use government-themed lures suggests that Bloody Wolf understands how to exploit the trust citizens place in institutional communication. This risk is particularly severe in regions where digital literacy varies across sectors. By deploying minimal technical tools with highly convincing social engineering, the group can infiltrate sensitive networks without triggering antivirus alerts or detection systems.
Indicators of Compromise and Technical Evidence
The infrastructure associated with the Bloody Wolf campaign includes numerous malicious domains, geofenced payload servers, and Java loader hashes. These indicators span multiple stages of the infection chain, including downloader URLs, NetSupport payloads, and persistence mechanisms. The presence of repeated configuration structures across JAR samples suggests the use of a centralized tool for generating loaders. The wide variety of file hashes found by analysts demonstrates that the attackers are actively producing new samples for each phase of the campaign.
The use of geofencing is another significant indicator of the group’s regional focus. This targeting method has become more common among threat actors seeking to evade broad detection. By restricting payload downloads to users located within specific IP ranges, attackers prevent security analysts in other countries from retrieving malicious files. This approach complicates threat intelligence work and helps the group maintain a low profile.
Defensive Strategies and National Readiness
The expansion of the Bloody Wolf campaign underscores the urgent need for improved cybersecurity readiness in Central Asia. Organizations in Kyrgyzstan, Uzbekistan, and the surrounding region should consider several immediate actions to reduce the risk of compromise.
- Block JAR execution on endpoints unless required for specific business operations.
- Audit the deployment of legitimate remote administration tools like NetSupport to detect unauthorized installations.
- Deploy email security solutions that can detect spear-phishing, domain impersonation, and malicious attachments.
- Educate employees on the risks of opening unexpected PDF files and the widespread use of government impersonation in phishing.
- Monitor for unexpected scheduled tasks, registry changes, and startup folder modifications.
These defensive steps can reduce the success rate of social engineering attacks and limit the ability of Bloody Wolf to achieve persistence across victim systems.
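The monitoring step above and the infection chain described earlier can be turned into a concrete detection: a JAR launched from a user-writable directory, followed shortly by a scheduled task, a Run key write, or a script dropped into the Startup folder. The script below is an added example for this article, not code from Group-IB or any vendor; the Sysmon-style event shape, host names, paths and timestamps are constructed, and client32.exe is used as an assumed NetSupport client binary name rather than a value taken from the report.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry): proc = process creation,
# file = file create, reg = registry value set. Last event is benign developer use.
EVENTS = [
    {"ts": "2025-06-03T09:12:04", "host": "ws-17", "kind": "proc",
     "image": r"C:\Program Files\Java\jre1.8.0_202\bin\javaw.exe",
     "cmd": r"javaw.exe -jar C:\Users\a.k\Downloads\case_materials_2025.jar"},
    {"ts": "2025-06-03T09:12:09", "host": "ws-17", "kind": "file",
     "path": r"C:\Users\a.k\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.bat"},
    {"ts": "2025-06-03T09:12:10", "host": "ws-17", "kind": "proc",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\a.k\AppData\Roaming\ns\client32.exe"},
    {"ts": "2025-06-03T09:12:11", "host": "ws-17", "kind": "reg",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ns"},
    {"ts": "2025-06-03T10:40:00", "host": "ws-22", "kind": "proc",
     "image": r"C:\Program Files\Java\jre1.8.0_202\bin\java.exe",
     "cmd": r"java.exe -jar C:\Tools\build\app.jar"},
]
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)
PERSIST_CMD = re.compile(r"schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\b.*\\Run\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd|lnk|exe)$", re.I)
JAVA = re.compile(r"javaw?\.exe$", re.I)

def classify(e):
    """Tags for one event: a JAR run from a user-writable path, or one of the
    persistence mechanisms named in the article (task, Run key, startup script)."""
    tags = []
    if e["kind"] == "proc":
        if JAVA.search(e["image"]) and " -jar " in e["cmd"] and USER_DIR.search(e["cmd"]):
            tags.append("jar_from_user_dir")
        if PERSIST_CMD.search(e["cmd"]):
            tags.append("persistence_cmd")
    elif e["kind"] == "reg" and RUN_KEY.search(e["key"]):
        tags.append("run_key_set")
    elif e["kind"] == "file" and STARTUP.search(e["path"]):
        tags.append("startup_script_written")
    return tags

def correlate(events, window=timedelta(minutes=5)):
    """Per host: a user-directory JAR launch followed within `window` by persistence
    activity. Returns {host: sorted list of the follow-on tags}."""
    hits, by_host = {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), classify(e)))
    for host, seq in by_host.items():
        for t0, tags0 in seq:
            if "jar_from_user_dir" not in tags0:
                continue
            follow = {tag for t, tags in seq if t0 <= t <= t0 + window
                      for tag in tags if tag != "jar_from_user_dir"}
            if follow:
                hits[host] = sorted(follow)
    return hits
```

The benign ws-22 event (a JAR run from a build directory) produces no alert, which is the point of requiring both the user-writable launch path and a persistence follow-up rather than alerting on every Java process.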
Long-Term Implications of the Bloody Wolf Campaign
The continued evolution of the Bloody Wolf group reflects a broader shift toward covert, low-cost operations that rely on social engineering rather than technical sophistication. By expanding into Uzbekistan and refining its lures, the group is demonstrating the capability to maintain long-term operations across multiple countries. The use of legitimate administration tools allows the attackers to blend into normal network activity. This makes detection significantly more difficult for defenders who do not actively monitor for unauthorized remote administration usage.
The campaign highlights the growing importance of digital trust in government communications. As public institutions adopt more online services, attackers will increasingly exploit the familiarity of official documents to target citizens and employees. The Bloody Wolf campaign is an early example of how regional threat actors can cause widespread impact using simple tools, realistic lures, and a deep understanding of local communication habits.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.