
Bloody Wolf Expands Java-based NetSupport RAT Attacks in Kyrgyzstan and Uzbekistan

Severity: Medium
Tags: Vulnerability, java
Published: Thu Nov 27 2025 (11/27/2025, 18:13:00 UTC)
Source: The Hacker News

Description

The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT. As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the

AI-Powered Analysis

AI analysis last updated: 11/27/2025, 19:31:31 UTC

Technical Analysis

The Bloody Wolf hacking group, active since at least late 2023, has been conducting a cyber espionage campaign targeting Kyrgyzstan since June 2025 and expanding into Uzbekistan by October 2025. The group employs spear-phishing emails impersonating Kyrgyzstan's Ministry of Justice, distributing official-looking PDF documents containing embedded links to malicious Java Archive (JAR) loader files. Victims are socially engineered to install Java Runtime Environment under the pretense of viewing documents, which actually executes the loader. The loader, built using Java 8 technology and likely generated via a bespoke JAR template, downloads and installs an outdated version of NetSupport RAT from attacker-controlled infrastructure. Persistence is established through three mechanisms: creating scheduled Windows tasks, adding registry run keys, and placing batch scripts in the Windows startup folder. The Uzbekistan phase includes geofencing to restrict payload delivery to within the country, redirecting external requests to legitimate government websites to avoid detection. The campaign targets critical sectors such as finance, government, and IT, exploiting regional trust in official institutions and leveraging low-cost, commercially available tools to maintain a low operational profile. Despite the use of older malware versions, the campaign demonstrates effective regional targeting and operational security. No known public exploits or patches are available, and the campaign relies heavily on social engineering and user interaction for initial access.

Potential Impact

For European organizations, the direct impact of this campaign is currently limited due to its regional focus on Central Asia. However, the tactics and tools used by Bloody Wolf highlight risks relevant to European entities, especially those with geopolitical or economic ties to Central Asia or those in sectors commonly targeted by espionage groups, such as finance and government. Should the group expand operations or share tooling, European organizations could face similar spear-phishing campaigns leveraging trusted institutions and Java-based loaders. The use of outdated RATs with persistence mechanisms could lead to unauthorized access, data exfiltration, espionage, and potential disruption of critical services. The campaign’s ability to evade detection through geofencing and social engineering underscores the importance of user awareness and network monitoring. Additionally, the targeting of government and IT sectors suggests potential risks to public sector infrastructure and critical information systems within Europe if similar campaigns emerge.

Mitigation Recommendations

European organizations should implement targeted defenses against spear-phishing and Java-based malware loaders. Specific recommendations include:

1) Enforce strict email filtering and phishing detection, focusing on identifying spoofed government domains and suspicious PDF attachments with embedded links.
2) Restrict or monitor Java Runtime Environment installations, especially from unsolicited sources, and consider application whitelisting to prevent unauthorized JAR execution.
3) Deploy endpoint detection and response (EDR) solutions capable of detecting persistence mechanisms such as scheduled tasks, registry run keys, and startup folder scripts.
4) Conduct regular user training emphasizing the risks of installing software prompted by email attachments or links, particularly from unexpected government-related communications.
5) Implement network segmentation and monitor outbound traffic for connections to suspicious or unknown infrastructure.
6) Use geolocation-based network controls to detect anomalous access patterns similar to the geofencing techniques observed.
7) Maintain up-to-date threat intelligence feeds to identify emerging tactics from groups like Bloody Wolf.
8) For organizations with Central Asian ties, consider enhanced monitoring and incident response readiness for targeted attacks.
9) Employ multi-factor authentication and least privilege principles to limit attacker lateral movement post-compromise.
10) Regularly audit systems for legacy or outdated software that could be exploited or used as part of attack chains.
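As an added defender-side example (not from the article or Group-IB's report), the following PowerShell script audits the three persistence locations the analysis describes: registry Run keys, scheduled tasks, and batch scripts in the Startup folders. It flags entries referencing Java or .jar files; the match terms are an assumption based on the report's description of a Java loader, and the script is meant for a host-level check or EDR-lite triage.

```powershell
# Added example (not from the article): audit the three persistence locations
# named in the report and flag entries that reference Java or .jar files.
# The match terms are assumptions derived from the report's Java loader description.
$Suspicious = @('java', 'javaw', '.jar')
$Findings   = @()
# Provider metadata that Get-ItemProperty attaches to every registry object
$MetaProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-Suspicious([string]$Text) {
    foreach ($term in $Suspicious) {
        if ($Text -and $Text.ToLower().Contains($term)) { return $true }
    }
    return $false
}

# 1) Registry Run keys (per-user and machine-wide)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        if (Test-Suspicious ([string]$p.Value)) {
            $Findings += [pscustomobject]@{ Source = "RunKey $key"; Name = $p.Name; Detail = $p.Value }
        }
    }
}

# 2) Scheduled tasks whose action launches Java or a JAR
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-Suspicious $cmd) {
            $Findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Detail = $cmd }
        }
    }
}

# 3) Batch scripts dropped into the user or common Startup folder
$StartupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $StartupDirs) {
    Get-ChildItem -Path $dir -Filter '*.bat' -ErrorAction SilentlyContinue | ForEach-Object {
        $Findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Detail = $_.FullName }
    }
}

$Findings | Format-Table -AutoSize
```

Any hit is a lead, not a verdict: legitimate Java applications also register Run keys and scheduled tasks, so review the referenced file paths and their download origin before acting.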


Technical Details

Article Source: https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html (fetched 2025-11-27T19:31:17Z; 1082 words)

Threat ID: 6928a707fbb391e68ecd6349

Added to database: 11/27/2025, 7:31:19 PM

Last enriched: 11/27/2025, 7:31:31 PM

Last updated: 12/4/2025, 10:13:59 PM

Views: 57

Community Reviews

0 reviews

