
The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia that infects systems with a remote access trojan known as NetSupport RAT.
Cybersecurity vendor Kaspersky tracks the activity under the name "Stan Goulds." The threat actor has been active since at least 2023 and has orchestrated spear-phishing attacks against manufacturing, financial, and IT organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.
The campaign is estimated to have compromised around 50 victims in Uzbekistan and 10 devices in Russia. Smaller numbers of infections have been confirmed in Kazakhstan, Turkey, Serbia, and Belarus. Infection attempts have also been recorded on devices belonging to government agencies, logistics companies, medical facilities, and educational institutions.
“Given that Stan Goulds targets financial institutions, we believe that their main motive is financial gain,” Kaspersky noted. “That said, their heavy use of RATs could also indicate cyber espionage.”
The abuse of NetSupport, a legitimate remote administration tool, marks a shift for the actor, which previously relied on STRRAT (also known as Strigoi Master). In November 2025, Group-IB documented a phishing campaign targeting organizations in Kyrgyzstan to distribute the same tool.
The attack chain is straightforward: a phishing email carrying a malicious PDF attachment serves as the launchpad for the infection. The PDF contains embedded links that, when clicked, download a malicious loader responsible for several tasks:
- It displays a fake error message to give the impression that the application cannot run on the victim's machine.
- It checks whether the number of previous RAT installation attempts is less than three. If the count has reached or exceeded the limit, the loader shows the error message "Attempt limit reached. Please try another computer."
- It downloads and launches NetSupport RAT from one of several external domains.
- It establishes persistence for NetSupport RAT in three ways: an autorun script in the Startup folder, an entry for the NetSupport startup script ("run.bat") in the Run registry key, and a scheduled task that executes the same batch script.
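The three persistence mechanisms described above (Startup folder, Run key, scheduled task) can be hunted for on a Windows host with a short PowerShell sweep. The script below is an added example written for this article, not Kaspersky's code or an official NetSupport tool; the indicator strings are assumptions ("run.bat" comes from the article, "client32" is the default NetSupport client binary name) and should be replaced with your own IOCs.

```powershell
# Hunt for NetSupport RAT persistence artifacts on the local host.
# Added example for illustration; the indicator list is an assumption,
# not a vetted IOC set.
$indicators = @('run.bat', 'client32', 'netsupport')

function Test-Indicator([string]$Text) {
    if (-not $Text) { return $false }
    $lower = $Text.ToLower()
    foreach ($i in $indicators) {
        if ($lower.Contains($i)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Autorun scripts dropped in the per-user or all-users Startup folder.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-Indicator $_.Name) {
            $findings += [pscustomobject]@{
                Type = 'StartupFolder'; Location = $_.FullName; Value = $_.Name
            }
        }
    }
}

# 2. Run keys pointing at the batch script (HKCU and HKLM).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            if (Test-Indicator "$($_.Value)") {
                $findings += [pscustomobject]@{
                    Type = 'RunKey'; Location = "$key\$($_.Name)"; Value = $_.Value
                }
            }
        }
    }
}

# 3. Scheduled tasks whose action executes the same script.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if (Test-Indicator $cmdline) {
            $findings += [pscustomobject]@{
                Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Value = $cmdline
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that HKLM and all task folders are readable; a hit in any one location is worth investigating, and a hit in all three matches the layered persistence the loader sets up.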
Kaspersky said it also identified a Mirai botnet payload staged on infrastructure associated with Bloody Wolf, raising the possibility that the actor has expanded its malware arsenal to target IoT devices.
“More than 60 targets were hit, which is a surprisingly large number for a sophisticated and targeted campaign,” the company concluded. “This shows that these parties are willing to commit significant resources to their operations.”
The disclosure coincides with a number of cyber campaigns targeting Russian organizations, including one conducted by ExCobalt, which gained initial access to targeted networks by exploiting known security flaws and using credentials stolen from contractors. Positive Technologies described the adversary as one of the “most dangerous groups” attacking Russian organizations.
The attacks feature a variety of tools, along with attempts to siphon Telegram credentials and message history, as well as Outlook Web Access credentials, from compromised hosts by injecting malicious code into the login page. The toolset includes:
- CobInt, a known backdoor used by the group.
- Lockers such as Babuk and LockBit.
- PUMAKIT, a kernel rootkit used to escalate privileges, hide files and directories, and conceal itself from system tools; its earlier iterations are known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023). BI.ZONE has also associated the use of Kitsune with the threat cluster known as Sneaky Wolf (also known as Sneaking Leprechaun).
- Octopus, a Rust-based toolkit used to escalate privileges on compromised Linux systems.
“The group has changed its initial access tactics, shifting its focus from exploiting one-day vulnerabilities in Internet-available corporate services (such as Microsoft Exchange) to infiltrating the infrastructure of its primary targets through contractors,” Positive Technologies said.
Russian state institutions, scientific organizations, and IT companies are also being targeted by a previously unknown actor tracked as Punishing Owl, which steals data and leaks it on the dark web. The group is suspected of being a politically motivated hacktivist outfit; it has been active since December 2025, and one of its social media accounts is operated from Kazakhstan.
The attacks use a phishing email containing a password-protected ZIP archive, which in turn holds Windows shortcut (LNK) files disguised as PDF documents. When an LNK file is opened, it executes a PowerShell command that downloads a stealer named ZipWhisper from a remote server; the stealer collects sensitive data and uploads it to the same server.
Another threat cluster with its sights set on Russia and Belarus is Vortex Werewolf, whose ultimate goal is to deploy Tor and OpenSSH to facilitate persistent remote access. The campaign was previously exposed by Cyble and Seqrite Labs in November 2025, with the latter calling it Operation SkyCloak.
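The Punishing Owl chain above (ZIP archive, LNK files posing as PDFs, a PowerShell download cradle in the shortcut target) can be triaged offline once the archive has been extracted to a folder. The script below is an added example written for this article, not code from the researchers who reported the campaign; the folder path, the "name.pdf.lnk" disguise pattern and the list of cradle keywords are assumptions for illustration.

```powershell
# Triage extracted archive contents for LNK files that masquerade as PDFs
# and whose target launches PowerShell with download/execution arguments.
# Added example; the patterns below are assumptions, not vetted IOCs.
param([string]$Path = '.')

$shell = New-Object -ComObject WScript.Shell

# Substrings typical of PowerShell download cradles; extend as needed.
$cradleKeywords = @(
    'downloadstring', 'downloadfile', 'invoke-webrequest', 'iwr ',
    'iex', 'invoke-expression', '-enc', '-w hidden', 'bypass'
)

Get-ChildItem -Path $Path -Recurse -File -Filter *.lnk | ForEach-Object {
    # WScript.Shell exposes the shortcut's target and argument string.
    $lnk = $shell.CreateShortcut($_.FullName)
    $target = $lnk.TargetPath
    $arguments = $lnk.Arguments
    $combined = ("$target $arguments").ToLower()

    # "invoice.pdf.lnk" has BaseName "invoice.pdf": the double-extension trick.
    $looksLikePdf = $_.BaseName -match '\.pdf$'
    $runsPowerShell = $combined -match 'powershell|pwsh'
    $hasCradle = ($cradleKeywords | Where-Object { $combined.Contains($_) }).Count -gt 0

    if ($looksLikePdf -or ($runsPowerShell -and $hasCradle)) {
        [pscustomobject]@{
            File        = $_.FullName
            PdfDisguise = $looksLikePdf
            PowerShell  = $runsPowerShell
            Cradle      = $hasCradle
            Target      = $target
            Arguments   = $arguments
        }
    }
} | Format-Table -AutoSize
```

Run it against the extraction folder only, never by double-clicking the shortcuts themselves: reading a shortcut's target via WScript.Shell does not execute it, so the remote server named in the arguments can be recorded as an indicator without triggering the download.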
