Ethical Hacking News

Bloody Wolf: A Sophisticated Threat Actor Targeting Uzbekistan, Russia, and Beyond



A highly sophisticated threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan, Russia, and beyond. The group, also referred to as Stan Ghouls, has been responsible for at least 50 infections in Uzbekistan, with an additional 10 devices reported infected in Russia. The attack vectors employed by this threat actor are fairly straightforward: phishing emails loaded with malicious PDF attachments are used as a launchpad to trigger the infection. Infection attempts have also been recorded on devices within government organizations, logistics companies, medical facilities, and educational institutions.

  • Bloody Wolf, a highly sophisticated threat actor, has been targeting various sectors in Uzbekistan, Russia, and beyond.
  • The group uses spear-phishing attacks, resulting in the compromise of at least 50 devices in Uzbekistan and 10 in Russia.
  • Malicious PDF attachments are used as a launchpad to trigger infection, with links leading to a fake error message to evade detection.
  • The NetSupport Remote Access Trojan (RAT) is used for persistence, configuring autorun scripts and scheduled tasks.
  • Bloody Wolf's primary motive appears to be financial gain, targeting financial institutions.
  • The threat actor may also engage in cyber espionage activities, using RATs for persistence.
  • Mirai botnet payloads have raised the possibility of Bloody Wolf targeting IoT devices.



    Threat intelligence analysts at Kaspersky have been tracking a highly sophisticated threat actor known as Bloody Wolf, who has been wreaking havoc on the cyber landscape of Uzbekistan, Russia, and beyond. The group, also referred to as Stan Ghouls, has been linked to a campaign targeting the manufacturing, finance, and IT sectors, as well as government organizations, logistics companies, medical facilities, and educational institutions, in these countries and in Kyrgyzstan, Kazakhstan, Turkey, Serbia, and Belarus.

    According to Kaspersky, the Bloody Wolf threat actor is known for its relentless spear-phishing attacks, which have resulted in the compromise of at least 50 devices in Uzbekistan, with an additional 10 infected devices reported in Russia. The attack vectors employed by this threat actor are fairly straightforward: phishing emails loaded with malicious PDF attachments are used as a launchpad to trigger the infection.

    The PDF documents embed links that, when clicked, lead to the download of a malicious loader that handles several tasks, including displaying a fake error message to convince the victim that the application cannot run on their machine. The loader then checks whether the number of previous RAT installation attempts is less than three. If the number has reached or exceeded the limit, the loader throws an error message: "Attempt limit reached. Try another computer." This is a clever tactic employed by the threat actor to evade detection.

    Next, the malicious loader downloads the NetSupport Remote Access Trojan (RAT) from one of several external domains and launches it. The NetSupport RAT ensures persistence by configuring an autorun script in the Startup folder, adding a NetSupport launch script ("run.bat") to the Registry's autorun key, and creating a scheduled task to trigger the execution of the same batch script.
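    The three persistence mechanisms named above (a script in the Startup folder, a "run.bat" entry under the Registry autorun key, and a scheduled task running the same batch file) are exactly the kind of layered autorun pattern a defender can hunt for across a fleet. The following is an added example and not code from the article or from Kaspersky; it assumes autorun records have already been collected from hosts (for instance from an Autoruns or EDR export) into simple `host`/`source`/`command` records, and the sample records below are constructed for illustration. It flags any entry referencing the indicators the article gives ("run.bat" or the NetSupport name) and raises the severity when the same script is registered through two or more persistence locations on one host.

```python
"""Hunt for the NetSupport RAT persistence pattern in collected autorun data.

Added example for this article, not the article's or Kaspersky's own tooling.
Records are assumed to have been exported from hosts beforehand; the sample
records below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

SCRIPT_NAME = "run.bat"       # launch script name given in the article
RAT_MARKER = "netsupport"     # RAT family name, matched case-insensitively
PERSISTENCE_SOURCES = ("startup_folder", "run_key", "scheduled_task")

# First absolute Windows path with a script/executable extension in a command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:bat|cmd|exe|vbs|ps1)\b', re.IGNORECASE)

# Constructed sample of collected autorun records (hypothetical hosts and paths).
SAMPLE_ARTIFACTS = [
    {"host": "ws01", "source": "startup_folder",
     "command": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"host": "ws01", "source": "run_key",
     "command": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'},
    {"host": "ws01", "source": "scheduled_task",
     "command": r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'},
    {"host": "ws02", "source": "run_key",
     "command": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
    {"host": "ws03", "source": "scheduled_task",
     "command": r"C:\ProgramData\NetSupport\start.bat"},
]


def script_path(command):
    """Normalise a command line to the script it launches, so the same file is
    recognised whether it is run directly, quoted, or wrapped in cmd.exe /c."""
    m = PATH_RE.search(command)
    return (m.group(0) if m else command.strip().strip('"')).lower()


def matches_indicator(command):
    """True when the command line contains either indicator from the article."""
    low = command.lower()
    return SCRIPT_NAME in low or RAT_MARKER in low


def analyse(records):
    """Return one finding per (host, script) that matches an indicator.

    Severity is 'high' when the same script is registered through two or more
    persistence mechanisms on the host, which is the layered pattern the
    article describes, and 'medium' for a single matching entry.
    """
    by_key = defaultdict(set)
    for rec in records:
        if rec["source"] in PERSISTENCE_SOURCES and matches_indicator(rec["command"]):
            by_key[(rec["host"], script_path(rec["command"]))].add(rec["source"])

    findings = []
    for (host, script), sources in sorted(by_key.items()):
        findings.append({
            "host": host,
            "script": script,
            "sources": sorted(sources),
            "severity": "high" if len(sources) >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_ARTIFACTS):
        print(f"[{finding['severity'].upper()}] {finding['host']}: {finding['script']} "
              f"via {', '.join(finding['sources'])}")
```

    Run against the constructed sample, ws01 is reported as high because the same run.bat is wired into all three locations, while ws03 is reported as medium on the NetSupport path match alone; the OneDrive entry is ignored. In practice the indicator list would be extended with the hashes and domains from the vendor reports linked below, and the multi-location correlation is the part worth keeping even when the script name changes.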

    Kaspersky noted that the use of the NetSupport RAT is a departure from the threat actor's previous tactics, which involved leveraging STRRAT (aka Strigoi Master). The fact that Bloody Wolf has adopted this new tool suggests a level of adaptability and resourcefulness on their part.

    The researchers believe that Bloody Wolf's primary motive is financial gain, given its targeting of financial institutions. However, the heavy use of RATs may also hint at cyber espionage activities.

    Mirai botnet payloads staged on infrastructure associated with Bloody Wolf have raised the possibility that the threat actor may have expanded its malware arsenal to target IoT devices.

    The disclosure coincides with a number of cyber campaigns targeting Russian organizations, including those conducted by ExCobalt, which has leveraged known security flaws and credentials stolen from contractors to obtain initial access to target networks. Positive Technologies described the adversary as one of the "most dangerous groups" attacking Russian entities.

    This is not an isolated incident. State institutions, scientific enterprises, and IT organizations in Russia have also been targeted by a previously unknown threat actor known as Punishing Owl that has resorted to stealing and leaking data on the dark web. The group, suspected to be a politically motivated hacktivist entity, has been active since December 2025.

    Another threat cluster that has trained its sights on Russia and Belarus is Vortex Werewolf. The end goal of the attacks is to deploy Tor and OpenSSH so as to facilitate persistent remote access. The campaign was previously exposed in November 2025 by Cyble and Seqrite Labs, with the latter calling the campaign Operation SkyCloak.

    The threat landscape is constantly evolving, with new actors emerging, and existing ones adapting their tactics, techniques, and procedures (TTPs). This campaign highlights the importance of constant vigilance for cybersecurity professionals, as well as users who are increasingly becoming the first line of defense against these threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Bloody-Wolf-A-Sophisticated-Threat-Actor-Targeting-Uzbekistan-Russia-and-Beyond-ehn.shtml

  • https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html

  • https://cybersecuritynews.com/bloody-wolf-hackers-mimic-as-government-agencies/

  • https://www.group-ib.com/blog/bloody-wolf/

  • https://securelist.com/stan-ghouls-in-uzbekistan/118738/

  • https://cybersecuritynews.com/librarian-ghouls-apt-group-actively-attacking-organizations/

  • https://cybersecuritynews.com/new-punishing-owl-hacker-group-targeting-networks/

  • https://cyberpress.org/punishing-owl-targets-russia/

  • https://gbhackers.com/vortex-werewolf/


  • Published: Mon Feb 9 05:34:37 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.