A technical analysis by Kaspersky reported that the threat actor known as Bloody Wolf used spear-phishing in Uzbekistan and Russia to deliver the remote access tool NetSupport RAT, infecting about 50 victims in Uzbekistan and 10 devices in Russia.
KEY FACTS
- Incident: Bloody Wolf campaign deployed NetSupport RAT via spear-phishing
- Scope: About 50 victims in Uzbekistan and 10 devices in Russia
- Method: Malicious PDFs with links to a downloader and loader
- Persistence: Autorun scripts, Registry run.bat and a scheduled task
The actor has been active since at least 2023 and targeted manufacturing, finance and IT sectors across Russia, Kyrgyzstan, Kazakhstan and Uzbekistan. Smaller numbers of infections were also observed in Kazakhstan, Turkey, Serbia and Belarus.
Attack chains begin with spear-phishing emails carrying PDF attachments that embed links to a malicious loader. The loader displays a fake error message, enforces an installation attempt limit of three, downloads NetSupport RAT from multiple external domains and launches the payload.
Persistence is achieved by placing an autorun script in the Startup folder, adding a NetSupport launch script named “run.bat” to the Registry autorun key and creating a scheduled task to execute the same batch script. Infections were recorded on devices in government bodies, logistics firms, medical facilities and educational institutions.
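A hunting sketch for the persistence pattern described above, added here as an example and not taken from the Kaspersky analysis: it flags hosts where the same batch script is launched from more than one autostart point. The event records, host names, paths and field names are constructed assumptions; only the script name "run.bat" comes from the report.

```python
import re
from collections import defaultdict

# Sysmon 11 = file create, Sysmon 13 = registry value set,
# Windows Security 4698 = scheduled task created.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd|vbs|js|lnk)$", re.I)
BATCH = re.compile(r"([^\\\"\s]+\.(?:bat|cmd))\b", re.I)

def classify(ev):
    """Map one event to (mechanism, script name), or None if it is not autostart-related."""
    if ev["id"] == 11 and STARTUP.search(ev["target"]):
        return "startup_folder", ev["target"].rsplit("\\", 1)[-1].lower()
    if ev["id"] == 13 and RUN_KEY.search(ev["target"]):
        mechanism = "run_key"
    elif ev["id"] == 4698:
        mechanism = "scheduled_task"
    else:
        return None
    match = BATCH.search(ev["data"])  # batch script named in the value or task action
    return (mechanism, match.group(1).lower()) if match else None

def hunt(events):
    """Per host: batch scripts launched from 2+ autostart points, plus every mechanism seen."""
    scripts = defaultdict(lambda: defaultdict(set))
    for ev in events:
        hit = classify(ev)
        if hit:
            scripts[ev["host"]][hit[1]].add(hit[0])
    findings = {}
    for host, by_script in scripts.items():
        shared = {s: sorted(m) for s, m in by_script.items() if len(m) >= 2}
        if shared:
            mechanisms = sorted(set().union(*by_script.values()))
            findings[host] = {"shared_scripts": shared, "mechanisms": mechanisms}
    return findings

# Constructed sample events; hosts, paths and field names are illustrative assumptions.
STARTUP_DIR = r"C:\Users\u1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"host": "WS-01", "id": 11, "target": STARTUP_DIR + r"\launch.bat", "data": ""},
    {"host": "WS-01", "id": 13, "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "data": r'"C:\Users\Public\placeholder\run.bat"'},
    {"host": "WS-01", "id": 4698, "target": r"\upd_task", "data": r"cmd.exe /c C:\Users\Public\placeholder\run.bat"},
    {"host": "WS-02", "id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\backup",
     "data": r"C:\Tools\backup.bat"},
    {"host": "WS-03", "id": 4698, "target": r"\defrag", "data": r"C:\Windows\System32\defrag.exe -c"},
]
```

Calling hunt(EVENTS) reports only WS-01, where run.bat is referenced by both the Run key and the scheduled task; a single Run-key entry such as the one on WS-02 is not flagged on its own.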
The campaign previously used STRRAT, and the actor also staged Mirai botnet payloads on associated infrastructure, which raises the possibility of expanded targeting to IoT devices. The campaign’s volume exceeded 60 targets in total.
WHY IT MATTERS
The scale and persistence techniques increase the risk of prolonged access to corporate and government networks and broaden the potential for device compromise if Mirai components are activated.

