Security researchers say a hacking group labelled Bloody Wolf ran a spear-phishing campaign that targeted Kyrgyzstan from at least June 2025 and expanded to Uzbekistan by October 2025, seeking to deliver the NetSupport remote access tool. Group-IB researchers Amirbek Kurbanov and Volen Kayo published a report on the activity in collaboration with Ukuk, a state enterprise under the Kyrgyz Republic’s prosecutor general’s office, and Group-IB said the campaign focused on finance, government and information technology organisations.
The operation relied on social-engineering tactics that impersonated Kyrgyz government institutions. Recipients were targeted with official-looking PDF documents and domain names that hosted Java Archive (JAR) files acting as loaders, enabling the attackers to remain effective while maintaining a low operational profile, Group-IB researchers reported.
According to the report, messages tricked recipients into clicking links that downloaded malicious JAR loader files and included instructions to install the Java Runtime, purportedly needed to view the documents. When executed, the loaders fetched a NetSupport RAT payload from attacker-controlled infrastructure and established persistence by creating a scheduled task, adding a Windows Registry value and dropping a batch script into the Start Menu startup folder.
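The three persistence steps described above can be hunted for together by looking for a Java process that creates a scheduled task, writes a registry value and drops a batch script into the Startup folder on the same host. The sketch below is an added example, not code from the Group-IB report. The log format, host names, task and file names, and the use of the Run key as the registry location are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events: host|parent image|child image|command line or file path.
# Task names, file names and the Run key are assumptions, not values from the report.
SAMPLE_EVENTS = r"""
ws-01|C:\Program Files\Java\jre1.8.0\bin\javaw.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Users\a\run.bat /sc onlogon
ws-01|C:\Program Files\Java\jre1.8.0\bin\javaw.exe|C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\a\run.bat
ws-01|C:\Program Files\Java\jre1.8.0\bin\javaw.exe|FILE_CREATE|C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat
ws-02|C:\Windows\explorer.exe|C:\Windows\System32\schtasks.exe|schtasks /query
ws-03|C:\Program Files\Java\jre1.8.0\bin\java.exe|C:\Windows\System32\reg.exe|reg query HKLM\Software\JavaSoft
ws-04|C:\Program Files\Java\jre1.8.0\bin\javaw.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn AppUpdate /tr C:\App\update.exe /sc daily
"""

# Only events whose parent is the Java launcher are of interest here.
JAVA_PARENT = re.compile(r"\\javaw?\.exe$", re.I)

# One pattern per persistence mechanism named in the article.
RULES = {
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "registry_autorun": re.compile(
        r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I),
    "startup_folder_script": re.compile(
        r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.I),
}

def detect(log_text):
    """Return {host: sorted list of persistence mechanisms started by Java}."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        host, parent, _image, detail = line.split("|", 3)
        if not JAVA_PARENT.search(parent):
            continue  # ignore activity not launched by java.exe / javaw.exe
        for name, pattern in RULES.items():
            if pattern.search(detail):
                hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def severity(mechanisms):
    """All three mechanisms on one host is a strong signal; fewer needs review."""
    return "high" if len(mechanisms) == len(RULES) else "review"

if __name__ == "__main__":
    for host, mechanisms in detect(SAMPLE_EVENTS).items():
        print(host, severity(mechanisms), mechanisms)
```

A single match, such as a Java-based updater registering its own task, is left at "review" because legitimate software does this too; the combination of all three is what narrows the result.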
The phase of the campaign against targets in Uzbekistan incorporated geofencing controls: requests from outside Uzbekistan were redirected to the legitimate data.egov[.]uz site, while requests originating inside the country triggered a JAR download via an embedded link in the PDF attachment, the researchers found.
Group-IB reported the observed JAR loaders were built with Java 8 and said the attackers likely used a bespoke JAR generator or template. The NetSupport payload delivered in the campaign was an older NetSupport Manager build from October 2013, illustrating how commercially available tools can be repurposed for targeted regional operations, the firm added.
Bloody Wolf has previously targeted organisations in Kazakhstan and Russia with tools such as STRRAT and NetSupport and is assessed to have been active since at least late 2023.

