A cybercriminal group with a taste for local languages and a toolkit of "legitimate" software has launched a fresh wave of attacks against organizations in Uzbekistan and Russia. A new report by Kaspersky details the latest campaign by Stan Ghouls (also tracked as Bloody Wolf), a group that has targeted the region since 2023.
The attackers have moved away from custom trojans to abusing legitimate software, misusing the commercial remote management tool NetSupport to control victim machines. This shift, combined with carefully crafted phishing lures, has allowed them to compromise more than 60 victims in this campaign alone.
Stan Ghouls’ success lies in their attention to detail. Instead of generic English or Russian spam, they craft spear-phishing emails in the local language of their target.
For this campaign, “the attackers deployed spear-phishing emails written in Uzbek,” complete with official-looking PDF attachments masquerading as court notices or government documents. One lure, titled E-SUD…ljro_varaqasi.pdf, posed as a notification from the “Judicial Service” about a case under review.

The decoy documents are convincing, featuring QR codes and official headers. But the devil is in the details: the document claims that the “case materials” can only be opened if the user installs a specific Java update.
“The attackers claim that the ‘case materials’ (which are actually the malicious loader) can only be opened using the Java Runtime Environment,” the report explains.
When the victim clicks the link to “view the materials,” they don’t get a document; they get a malicious JAR file. This reliance on Java is a signature move for the group. “Given that Java has fallen out of fashion with malicious loader authors in recent years, it serves as a distinct fingerprint for Stan Ghouls,” Kaspersky notes.
Once executed, the loader shows fake error messages to distract the user and keeps a run counter so that it executes no more than three times, then downloads the payload.
The payload is not custom-built malware but a legitimate commercial remote administration tool, NetSupport. Because the tool is widely used for genuine IT support, its installation and network traffic blend in with normal administrative activity while giving the attackers full control of the victim's machine.
To ensure they stay in control, the loader sets up persistence for the RAT in three separate ways:
- Startup folder: dropping a SoliqUZ_Run.bat script into the Windows Startup directory.
- Registry key: adding an entry to the HKCU\…\Run key.
- Scheduled task: creating a task that launches the RAT at every user logon.
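The three mechanisms above are easy to check for during host triage. The following PowerShell script is an added example written for this page, not code from the Kaspersky report or the article; it reads the per-user and all-users Startup folders, the Run keys and every logon-triggered scheduled task, and flags entries matching the indicators the article gives. Two things in it are assumptions not stated in the article: the full path of the Run key (the article abbreviates it as HKCU\…\Run, and the standard Windows location is used here), and the executable name client32, which is the NetSupport Manager client binary (a product fact, not something the report says this campaign uses).

```powershell
# Added example (not from the Kaspersky report or the article): read-only triage of the three
# persistence locations the report attributes to Stan Ghouls. Run in an elevated PowerShell
# on the suspect host. Nothing is deleted; review findings before remediating.
#
# Assumptions not stated in the article:
#  - 'client32' is the NetSupport Manager client executable name (product fact, not from the report).
#  - the article abbreviates the registry key as HKCU\...\Run; the standard path is used below.
$Indicators = @('SoliqUZ_Run.bat', 'client32', 'netsupport')

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($i in $Indicators) {
        if ($Text -like "*$i*") { return $true }   # -like is case-insensitive by default
    }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Location, [string]$Name, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Source = $Source; Location = $Location; Name = $Name; Detail = $Detail })
}

# 1. Startup folders (per-user, which the report names, plus the all-users folder).
#    Match on the file name and, for script files, on their contents.
$StartupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue) {
        [string]$body = ''
        if ($f.Extension -in '.bat', '.cmd', '.vbs', '.js', '.ps1') {
            $body = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ((Test-Indicator $f.Name) -or (Test-Indicator $body)) {
            Add-Finding -Source 'StartupFolder' -Location $dir -Name $f.Name -Detail (($body -replace '\s+', ' ').Trim())
        }
    }
}

# 2. Run keys. The report names the HKCU key (path abbreviated there); HKLM is checked as well.
$RunKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, PSChildName, ...
        if ((Test-Indicator $p.Name) -or (Test-Indicator "$($p.Value)")) {
            Add-Finding -Source 'RunKey' -Location $key -Name $p.Name -Detail "$($p.Value)"
        }
    }
}

# 3. Scheduled tasks with a logon trigger. Indicator matches are flagged; every other
#    logon-triggered task is listed for review so a renamed task is not missed outright.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    if ($logon.Count -eq 0) { continue }
    foreach ($a in $task.Actions) {
        $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
        $hit = (Test-Indicator $task.TaskName) -or (Test-Indicator $cmd)
        $src = if ($hit) { 'LogonTask-MATCH' } else { 'LogonTask-review' }
        Add-Finding -Source $src -Location $task.TaskPath -Name $task.TaskName -Detail $cmd
    }
}

# 4. Live check: a running NetSupport client (assumed binary name client32) and its on-disk path.
foreach ($proc in Get-Process -Name 'client32' -ErrorAction SilentlyContinue) {
    Add-Finding -Source 'Process' -Location $proc.Path -Name $proc.ProcessName -Detail "PID $($proc.Id)"
}

if ($Findings.Count -eq 0) {
    Write-Host 'No Stan Ghouls persistence indicators found.'
} else {
    $Findings | Sort-Object Source | Format-Table -AutoSize -Wrap
    $Findings | Export-Csv -Path "$env:TEMP\stanghouls-triage.csv" -NoTypeInformation
    Write-Host "Findings written to $env:TEMP\stanghouls-triage.csv"
}
```

The script deliberately lists every logon-triggered task, not only indicator matches, because a task name and a batch file name are the cheapest things for the operators to change between campaigns; the CSV export is meant to be collected from several hosts and compared.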
Perhaps the most intriguing finding in the report is a potential expansion into Internet of Things (IoT) attacks. Researchers discovered that one of the domains used by Stan Ghouls was also hosting files associated with the Mirai botnet.
“One curious discovery was the presence of Mirai files on a domain linked to the group’s previous campaigns,” the report states. While it is too early to confirm whether Stan Ghouls is directly operating this botnet or simply sharing infrastructure with whoever does, it suggests the group’s ambitions may be growing beyond desktop computers.