A shapeshifting advanced persistent threat (APT) group known as Bloody Wolf has expanded its hunting grounds. Following a trail of campaigns across Russia and Kazakhstan, Group-IB analysts have confirmed that this elusive adversary has now set its sights on Kyrgyzstan and Uzbekistan, employing a devious mix of social engineering and weaponized legitimate software to infiltrate networks.
Active since late 2023, Bloody Wolf has evolved from using commodity malware like STRRAT to a more stealthy approach: deploying the legitimate remote administration tool NetSupport RAT. By abusing a tool widely trusted by IT teams for legitimate support, the group effectively “blends into normal IT activity,” making detection a nightmare for defenders.
The attack chain is a masterclass in bureaucratic camouflage. Victims receive spear-phishing emails containing official-looking PDF attachments that impersonate the Ministry of Justice. These documents, crafted in local languages to increase credibility, urge the recipient to view embedded links labeled “case materials.”

Once a victim clicks, the trap is sprung. The infrastructure behind these attacks is sophisticated and geo-fenced. In the Uzbekistan campaign, requests originating from outside the country were harmlessly redirected to a legitimate government site (data.egov.uz). However, targets within the country triggered the download of a malicious Java Archive (JAR).
Bloody Wolf doesn’t rely on off-the-shelf loaders. Group-IB’s investigation revealed that the group uses a “custom-made JAR generator to create numerous samples for further distribution.”
These small, unobfuscated Java files (built with Java 8) perform a specific set of tasks while distracting the user with fake error messages. Behind the scenes, the loader downloads NetSupport Manager binaries from an attacker-controlled domain.
“Their only job is to download NetSupport Manager legitimate binaries over HTTP from an embedded URL, add the program to autostart, and schedule a task to run NetSupport binary.”
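A first triage step for loaders like the one described above is static: open the JAR, read the manifest, confirm the compiled class-file version (Java 8 corresponds to class-file major version 52) and pull out any download URL embedded as a literal string. The following Python is an added example written for this page, not Group-IB’s tooling or anything from the campaign; the JAR it inspects is constructed in memory, its `.class` entry is only a header plus an embedded string rather than real bytecode, and the URL in it is a placeholder, not an indicator from the report.

```python
import io
import re
import struct
import zipfile

# Java class-file major versions (values are the standard ones for these releases).
JAVA_MAJOR_TO_RELEASE = {49: "Java 5", 50: "Java 6", 51: "Java 7", 52: "Java 8",
                         53: "Java 9", 55: "Java 11", 61: "Java 17", 65: "Java 21"}

CLASS_MAGIC = 0xCAFEBABE
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

# Placeholder download URL used only in the constructed sample; not a real indicator.
PLACEHOLDER_URL = b"http://download.example.invalid/nsm/client.zip"


def build_sample_jar() -> bytes:
    """Build a constructed JAR in memory. The .class entry is not runnable
    bytecode; it carries only a class-file header (major 52 = Java 8) and an
    embedded URL string, which is all the triage below inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        header = struct.pack(">IHH", CLASS_MAGIC, 0, 52)  # magic, minor, major
        zf.writestr("Loader.class", header + b"\x00" * 16 + PLACEHOLDER_URL + b"\x00" * 8)
        zf.writestr("resources/dialog.txt", "Error: file is corrupted")  # fake error text
    return buf.getvalue()


def class_major_version(data: bytes):
    """Return the class-file major version, or None if data is not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == CLASS_MAGIC else None


def parse_manifest(text: str) -> dict:
    """Parse 'Key: Value' lines of META-INF/MANIFEST.MF (continuation lines ignored)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def triage_jar(jar_bytes: bytes) -> dict:
    """Static triage: entry list, Main-Class, per-class Java target version,
    and every http(s) URL present as a literal string in any entry."""
    report = {"entries": [], "main_class": None, "classes": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            report["entries"].append(name)
            if name == "META-INF/MANIFEST.MF":
                attrs = parse_manifest(data.decode("utf-8", "replace"))
                report["main_class"] = attrs.get("Main-Class")
            if name.endswith(".class"):
                major = class_major_version(data)
                report["classes"].append({
                    "name": name,
                    "major": major,
                    "release": JAVA_MAJOR_TO_RELEASE.get(major, "unknown"),
                })
            for match in URL_RE.findall(data):
                url = match.decode("ascii", "replace")
                if url not in report["urls"]:
                    report["urls"].append(url)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_jar(build_sample_jar()), indent=2))
```

On a real unobfuscated sample the URL turns up in the class constant pool exactly as a literal, so this string sweep is enough to recover the download location for blocking at the proxy; an obfuscated sample would need the string decoded first, which this example does not attempt.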
To ensure they maintain their foothold, the malware establishes persistence through three simultaneous methods: dropping a .bat file in the Startup folder, adding a Registry run key, and creating a scheduled task.
The use of NetSupport Manager—a legitimate tool used in education and corporate sectors—is a strategic choice. It provides the attackers with powerful capabilities like screen sharing, file transfer, and system inventory without raising the red flags that typical malware would.
“Its shift from traditional malware to legitimate remote-administration software indicates an ongoing evolution of tactics aimed at evading detection and blending into normal IT activity.”
As Bloody Wolf continues to adapt, organizations in Central Asia are urged to remain vigilant. The use of legitimate software for malicious ends means that simply scanning for “viruses” is not enough; security teams must monitor for unauthorized use of remote management tools.
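The three persistence methods listed earlier (a .bat in the Startup folder, a Run key, a scheduled task) and the closing advice to watch for unauthorized remote-management tools can be turned into one hunt rule: per host, collect events that hit any of those locations, and escalate when several land together or when they reference NetSupport on a machine where IT has not sanctioned it. The Python below is an added example for this page, not detection content from Group-IB; it works over constructed, Sysmon-style event records embedded inline (host names, paths and the allowlist are all hypothetical), and the same checks can be run live on a Windows host with PowerShell.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lower-cased path fragments identifying the Startup folder and the Run key.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Hypothetical allowlist: hosts where NetSupport Manager is sanctioned by IT.
AUTHORIZED_NETSUPPORT_HOSTS = {"helpdesk-01"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "file_create", "registry_set" or "task_create"
    target: str  # file path, registry value path, or scheduled task name
    detail: str  # file content hint, registry data, or task action


def classify(ev: Event):
    """Map an event to the persistence technique it matches, or None."""
    t = ev.target.lower()
    if ev.kind == "file_create" and STARTUP_DIR in t and t.endswith(".bat"):
        return "startup_folder_bat"
    if ev.kind == "registry_set" and RUN_KEY in t:
        return "run_key"
    if ev.kind == "task_create":
        return "scheduled_task"
    return None


def mentions_netsupport(ev: Event) -> bool:
    return "netsupport" in f"{ev.target} {ev.detail}".lower()


def hunt(events, window: timedelta = timedelta(minutes=10)):
    """Per host, collect persistence events. 'high' when two or more distinct
    techniques land within `window`; 'medium' when any persistence event
    references NetSupport on a host that is not on the allowlist."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        tech = classify(ev)
        if tech is not None:
            per_host[ev.host].append((ev, tech))

    findings = []
    for host, items in per_host.items():
        techniques = sorted({t for _, t in items})
        span = items[-1][0].ts - items[0][0].ts
        unauthorized_ns = (host not in AUTHORIZED_NETSUPPORT_HOSTS
                           and any(mentions_netsupport(e) for e, _ in items))
        if len(techniques) >= 2 and span <= window:
            severity = "high"
        elif unauthorized_ns:
            severity = "medium"
        else:
            continue
        findings.append({"host": host, "severity": severity, "techniques": techniques,
                         "netsupport": unauthorized_ns,
                         "targets": [e.target for e, _ in items]})
    return findings


# Constructed sample telemetry (not real logs). ws-17 shows all three methods
# within a minute; helpdesk-01 is an allowlisted support workstation; ws-22
# has an ordinary single Run-key entry and should not be reported.
T0 = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws-17", "file_create",
          "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat",
          "start \"\" \"%APPDATA%\\NetSupport\\client.exe\""),
    Event(T0 + timedelta(seconds=20), "ws-17", "registry_set",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NetSupport",
          "%APPDATA%\\NetSupport\\client.exe"),
    Event(T0 + timedelta(seconds=45), "ws-17", "task_create",
          "\\NetSupport Client", "%APPDATA%\\NetSupport\\client.exe"),
    Event(T0 + timedelta(hours=1), "helpdesk-01", "task_create",
          "\\NetSupport Manager Update", "C:\\Program Files\\NetSupport\\client.exe"),
    Event(T0 + timedelta(hours=2), "ws-22", "registry_set",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is the part worth maintaining: because NetSupport Manager is a legitimate product, the signal is not its presence but its appearance on hosts and in autostart locations where IT never deployed it, so the rule keys on the combination of location, timing and sanctioned-host status rather than on the binary alone.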
Group-IB warns that “organizations in Central Asia should remain vigilant for expected continued spear-phishing activity and evolving infection chains in the near future.”