Bloody Wolf Hackers Impersonate Government Agencies to Deploy NetSupport RAT via Weaponized PDFs
A sophisticated cyber espionage campaign has been identified, orchestrated by the Advanced Persistent Threat (APT) group known as Bloody Wolf. Since late June 2025, the group has intensified its operations across Central Asia, targeting government and private sector organizations in Kyrgyzstan and Uzbekistan. By impersonating state entities such as the Ministry of Justice, the attackers have deceived victims into running the group's loader on their own systems.
Spear-Phishing Tactics and Weaponized PDFs
The primary attack vector employed by Bloody Wolf is spear-phishing email that mimics official correspondence from government agencies. These emails carry weaponized PDF documents whose titles suggest urgent legal matters or case materials, pressuring recipients to follow embedded links. Once clicked, the links start a multi-stage infection process that delivers and persists a remote access tool, giving the attackers long-term access to the victim's network.
Transition to NetSupport RAT
Security analysts at Group-IB have observed a strategic shift in Bloody Wolf's tooling. The group has moved from the Java-based STRRAT malware to NetSupport Manager, a legitimate, commercially sold remote administration tool that is tracked as NetSupport RAT when attackers deploy it. Because the binary is signed, widely used and often already present in enterprise environments, its network and process activity blends in with normal administrative traffic, so detection has to rest on context (whether NetSupport is sanctioned on that host at all, who installed it, and where the client connects) rather than on the executable itself being flagged as malicious.
Regional Adaptation and Geo-Fencing Techniques
The campaigns demonstrate a high level of regional adaptation, including the use of local languages and geo-fencing to restrict payload delivery to targets in specific countries. In the Uzbekistan campaign, for instance, only requests originating from within the country received the malicious Java Archive (JAR) file; all other requests were redirected to legitimate government portals. A practical consequence for defenders is that an analyst or sandbox fetching the lure URL from outside the target country sees only a benign redirect, so the payload has to be recovered from an in-country egress point or from the infected host itself.
Infection Chain and Persistence Mechanisms
Bloody Wolf's technical strategy relies on malicious JAR files to deliver the payload. Victims who interact with the lure are prompted to update Java, a pretext that masks execution of the malicious loader. The JAR files are compiled for Java 8 and are not obfuscated, which makes them straightforward to analyze but did not reduce their effectiveness against the targeted organizations.
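Because the loaders are unobfuscated Java 8 archives, first-pass triage is mostly a matter of reading the manifest and class-file headers. The script below is an added example of that triage and is not Group-IB's or the campaign's code: it builds a small JAR in memory (constructed sample data; the class name `update.JavaUpdater` and the embedded `start.bat` are assumptions, not indicators from the campaign), then reports the `Main-Class` entry point, the compiler target of each class file (major version 52 is Java 8) and any non-Java files bundled alongside, which is where a loader typically carries its dropper script or the RAT itself.

```python
"""Triage an unobfuscated JAR: manifest Main-Class, class-file versions, bundled files.

Added example, not Group-IB or Bloody Wolf tooling. The sample JAR is constructed
in memory so the script runs offline; its class name and embedded batch file are
assumptions, not artefacts from the campaign.
"""
import io
import struct
import zipfile

# Java class-file major versions; 52 is Java 8, the target the article attributes to the loader.
JAVA_MAJOR = {49: "Java 5", 50: "Java 6", 51: "Java 7", 52: "Java 8", 55: "Java 11", 61: "Java 17"}


def parse_manifest(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF into a dict, joining continuation lines (leading space)."""
    attrs = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def class_version(data: bytes):
    """Return (major, minor) from a class-file header, or None if the magic is missing."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return None
    minor, major = struct.unpack(">HH", data[4:8])  # minor comes before major in the header
    return major, minor


def triage_jar(blob: bytes) -> dict:
    """Summarise entry point, compiler target and non-Java contents of a JAR given as bytes."""
    if blob[:4] not in (b"PK\x03\x04", b"PK\x05\x06"):
        raise ValueError("not a ZIP/JAR container")
    report = {"main_class": None, "class_versions": {}, "suspicious_entries": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            report["main_class"] = manifest.get("Main-Class")
        for name in names:
            if name.endswith(".class"):
                ver = class_version(jar.read(name))
                if ver:
                    report["class_versions"][name] = JAVA_MAJOR.get(ver[0], f"major {ver[0]}")
            # A loader that drops a RAT usually carries non-Java payloads; list them for the analyst.
            elif name.lower().endswith((".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs")):
                report["suspicious_entries"].append(name)
    return report


def build_sample_jar() -> bytes:
    """Construct a minimal JAR resembling a Java 8 loader (sample data, not a real artefact)."""
    # Fake class file: magic, minor 0, major 52 (Java 8), then padding in place of a real body.
    fake_class = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: update.JavaUpdater\r\n\r\n")
        jar.writestr("update/JavaUpdater.class", fake_class)
        jar.writestr("res/start.bat", "@echo off\r\n")  # assumed embedded dropper script
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

On a real sample, `triage_jar(open(path, "rb").read())` gives the class to decompile first (the `Main-Class`) and confirms the Java 8 target; a major version other than 52 would already contradict the attribution and is worth noting in the analysis.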
Once executed, the JAR loader establishes persistence through redundant methods. It drops a batch file into the Windows Startup folder, writes a registry Run entry that invokes cmd.exe to launch the RAT at the next logon, and additionally creates a scheduled task with schtasks. Any one of these is enough to bring NetSupport RAT back after a reboot, so removing a single artefact does not evict the attackers; all three have to be found and cleared together. While this runs in the background, the loader displays fake error messages so that the user attributes the Java "update" failure to a harmless glitch.
Implications and Recommendations
The impact of these campaigns is severe: NetSupport RAT gives the attackers full interactive remote control of infected endpoints, including file transfer, screen and session control, and command execution. From that position they can exfiltrate data, inventory the host and its surroundings, and move laterally into other systems on government and critical infrastructure networks.
Organizations are advised to deploy email filtering that inspects PDF attachments and the links inside them, and to train staff to treat unsolicited "legal" or "case file" documents from government senders with suspicion, particularly any that then ask for a Java update. Keeping Java and endpoint software current removes the pretext's plausibility, and endpoint detection and response tooling should be tuned to the mechanisms described above: batch files appearing in Startup folders, new Run keys that invoke cmd.exe, schtasks /create launched from user-writable paths, and NetSupport client installations on hosts where the product is not sanctioned.