Bloody Wolf Hackers Impersonate Government Agencies to Deploy NetSupport RAT in Central Asia
The “Bloody Wolf” group is expanding its targeted campaign across Central Asia, deploying NetSupport RAT and impersonating government agencies. According to Group-IB specialists, the attacks that began in Kyrgyzstan in the summer of 2025 spread to Uzbekistan by autumn, affecting financial institutions, state bodies, and IT companies.
Group-IB analysts Amirbek Kurbanov and Volen Kayo attribute this activity to Bloody Wolf — a little-studied hacking collective that, since late 2023, has been conducting targeted phishing campaigns against organizations in Kazakhstan and Russia. Previously, the group was known to use STRRAT and NetSupport; now its operational focus has shifted to other countries in the region.
The foundation of the new wave of attacks is the impersonation of ministries, primarily the Kyrgyz Ministry of Justice. The attackers register domains that closely resemble official addresses and distribute emails containing PDF attachments stylized as internal correspondence. Recipients are urged to follow a link and install a Java environment supposedly required to view the documents — but instead of gaining access, the victim downloads a Java archive that functions as a loader.
This JAR file, built on Java 8, is believed to be generated using a specially prepared builder or template. Once executed, it connects to the attackers’ infrastructure, downloads the next stage — a NetSupport RAT based on an outdated 2013 version of NetSupport Manager — and establishes persistence on the system. To maintain its foothold, it employs several mechanisms simultaneously: creating a task in the scheduler, modifying Windows registry keys, and placing a script in the user profile’s startup directory.
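Defender-side triage of the three persistence mechanisms named above, as an added example (not Group-IB's tooling or code from the report): it runs over a constructed autoruns-style export of scheduled tasks, Run keys and startup-folder entries, flags java/javaw launching a .jar from a user-writable path or NetSupport Manager's client32.exe binary (a real file name, not one the article cites) outside Program Files, and leaves a legitimate NetSupport install and a vendor updater alone. The entry names, paths and the PersistenceEntry/triage helpers are assumptions.

```python
"""Triage Windows persistence entries (scheduled task, Run key, startup folder)
for the Java-loader / NetSupport pattern. Added example, not Group-IB's tooling;
the sample export below is constructed, not campaign indicators."""
import re
from dataclasses import dataclass

@dataclass
class PersistenceEntry:
    source: str   # "schtask", "run_key" or "startup_dir", as an autoruns-style export labels it
    name: str
    command: str  # full command line the entry runs

USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\temp\\")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1")
JAR_CMD = re.compile(r'\bjavaw?(?:\.exe)?"?\s.*-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.I)

def java_jar_from_profile(cmd: str) -> bool:
    """java/javaw launching a .jar that lives under a user-writable path."""
    m = JAR_CMD.search(cmd)
    jar = (m.group(1) or m.group(2)).lower() if m else ""
    return any(p in jar for p in USER_WRITABLE)

def netsupport_outside_programfiles(cmd: str) -> bool:
    """NetSupport's client32.exe running from somewhere other than Program Files."""
    c = cmd.lower()
    return "client32.exe" in c and "program files" not in c

def classify(e: PersistenceEntry) -> list[str]:
    """Reasons an entry is suspicious; an empty list means it passed every rule."""
    reasons = []
    if java_jar_from_profile(e.command):
        reasons.append("java loader: .jar executed from user profile")
    if netsupport_outside_programfiles(e.command):
        reasons.append("NetSupport client32.exe outside Program Files")
    if e.source == "startup_dir" and e.command.lower().rstrip('"').endswith(SCRIPT_EXT):
        reasons.append("script in startup folder (low confidence, review)")
    return reasons

def triage(entries: list[PersistenceEntry]) -> dict[str, list[str]]:
    """Map entry name -> reasons for every entry that trips at least one rule."""
    return {e.name: r for e in entries if (r := classify(e))}

# Constructed sample export: three entries mimicking the described persistence,
# plus a legitimate NetSupport install and a vendor updater that must not be flagged.
SAMPLE = [
    PersistenceEntry("schtask", "DocViewerUpdate",
        r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\viewer\doc_viewer.jar"'),
    PersistenceEntry("run_key", "RemoteSvc", r"C:\Users\alice\AppData\Roaming\RemoteSvc\client32.exe"),
    PersistenceEntry("startup_dir", "run.vbs",
        r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"'),
    PersistenceEntry("schtask", "NetSupport Client", r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"'),
    PersistenceEntry("run_key", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
```

Calling `triage(SAMPLE)` returns only the three constructed malicious-looking entries with their reasons; the startup-folder rule is deliberately low confidence because the page says only that a script is dropped there, not what it contains.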
The phase of the campaign targeting Uzbekistan stands out through the use of geofiltering. Requests to malicious resources originating outside the country are redirected to the legitimate portal data.egov[.]uz, while those coming from Uzbek networks trigger the download of the malicious JAR file via a link concealed within the PDF. This technique complicates infrastructure analysis and reduces the likelihood of accidental detection.
Experts emphasize that Bloody Wolf builds its operations on a blend of simple social-engineering techniques and readily available commercial tools. By exploiting trust in government bodies, relying on outdated yet functional software, and keeping tooling costs minimal, the group maintains a low profile while steadily expanding its footprint across the cyber landscape of Central Asia.