
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign

Severity: Medium
Tags: Malware, remote
Published: Mon Feb 09 2026 (02/09/2026, 10:58:00 UTC)
Source: The Hacker News

Description

The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT. Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls. The threat actor is known to be active since at least 2023, orchestrating spear-phishing attacks against manufacturing, finance, and IT

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/09/2026, 11:06:50 UTC

Technical Analysis

Bloody Wolf is a threat actor active since at least 2023, recently observed conducting spear-phishing campaigns targeting Uzbekistan and Russia, with collateral impacts in Kazakhstan, Turkey, Serbia, and Belarus. The primary malware used is NetSupport RAT, a legitimate remote administration tool abused to establish persistent remote access on compromised systems. Infection vectors involve spear-phishing emails containing malicious PDF attachments embedding links that download a multi-function loader. This loader enforces infection limits to avoid detection, displays fake error messages, downloads NetSupport RAT from external domains, and establishes persistence via autorun scripts, registry modifications, and scheduled tasks. The campaign targets diverse sectors including manufacturing, finance, IT, government, logistics, medical, and education, indicating broad strategic interest. Kaspersky’s tracking under the moniker Stan Ghouls highlights the actor’s focus on financial institutions, suggesting financial gain motives, but the heavy use of RATs also implies espionage objectives. Additionally, infrastructure linked to Bloody Wolf hosts Mirai botnet payloads, indicating potential IoT device exploitation. The group has shifted tactics from exploiting 1-day vulnerabilities to targeting contractors for initial access, reflecting increased operational sophistication. The campaign’s scale—over 60 victims—is notable for a targeted operation, underscoring significant resource investment. The threat actor’s activities coincide with other campaigns targeting Russian entities, involving credential theft, backdoors, rootkits, and ransomware, illustrating a complex threat landscape. The use of legitimate tools like NetSupport RAT complicates detection and response efforts.

Potential Impact

European organizations, particularly those with economic or political ties to Central Asia and Russia, may face indirect or direct risks from this campaign. The use of NetSupport RAT enables attackers to exfiltrate sensitive data, conduct espionage, and maintain long-term access, threatening confidentiality and integrity. Persistence mechanisms and multi-stage infection increase the difficulty of detection and remediation, potentially impacting availability through system manipulation or secondary payload deployment. The targeting of sectors such as finance, manufacturing, IT, government, and healthcare aligns with critical infrastructure and economic interests in Europe, raising concerns about supply chain and contractor-related vulnerabilities. The presence of Mirai botnet payloads suggests potential future attacks on IoT devices within European networks, which could disrupt operations or be leveraged in broader botnet activities. The campaign’s spear-phishing vector exploits human factors, making organizations with less mature security awareness programs particularly vulnerable. The evolving tactics of targeting contractors may expose European companies indirectly involved in supply chains or partnerships with affected regions. Overall, the threat poses a significant risk to data confidentiality, operational integrity, and network availability within European contexts.

Mitigation Recommendations

1. Implement advanced email security solutions capable of detecting and blocking spear-phishing emails, including sandboxing of PDF attachments and URL rewriting to prevent malicious link execution.
2. Conduct targeted security awareness training focusing on spear-phishing recognition, especially for employees in finance, manufacturing, IT, and contractor-facing roles.
3. Enforce strict application whitelisting and endpoint detection and response (EDR) solutions to identify and block unauthorized execution of NetSupport RAT and associated loaders.
4. Monitor for persistence mechanisms such as autorun scripts, registry autorun keys, and scheduled tasks related to NetSupport RAT, as well as unusual batch script executions.
5. Conduct thorough security assessments and audits of contractors and third-party vendors to ensure they follow robust cybersecurity practices, reducing supply chain risks.
6. Deploy network segmentation to limit lateral movement in case of compromise, and monitor outbound traffic for connections to known malicious domains associated with the campaign.
7. Regularly update and patch systems to reduce exposure to other vulnerabilities that could be exploited in conjunction with phishing attacks.
8. Use threat intelligence feeds to stay informed on indicators of compromise (IOCs) related to Bloody Wolf and NetSupport RAT campaigns.
9. Prepare incident response plans that include rapid containment and eradication procedures for RAT infections.
10. Investigate and secure IoT devices within the network to mitigate risks from Mirai botnet payloads potentially linked to the threat actor.
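Recommendation 4 calls for monitoring autorun locations. The PowerShell script below is an added example, not code from the article or from Kaspersky: it enumerates the three persistence locations the analysis names (registry Run/RunOnce keys, Startup folders, and scheduled tasks) and reports any entry whose command line or file name matches analyst-supplied patterns. The default patterns "netsupport" and "client32" are assumptions (client32.exe is the name under which the NetSupport Manager client is usually installed) and should be replaced with the campaign's actual IOCs from a threat intelligence feed. A hit is a triage lead rather than proof of compromise, since NetSupport is also deployed legitimately by IT departments.

```powershell
# Added example (not from the article or Kaspersky): enumerate common Windows
# persistence locations and flag entries whose command matches analyst-supplied
# patterns. The default patterns are placeholders; replace them with real IOCs.
param(
    [string[]]$Patterns = @('netsupport', 'client32')   # assumed indicators, not from the article
)

# Build one case-insensitive alternation from the literal patterns
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = New-Object System.Collections.Generic.List[object]

# 1. Registry autorun keys (machine-wide and per-user Run / RunOnce)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip provider metadata (PSPath, PSDrive, ...)
        if ($p.Value -is [string] -and $p.Value -match $regex) {
            $findings.Add([pscustomobject]@{ Source = "Registry: $key"; Name = $p.Name; Command = $p.Value })
        }
    }
}

# 2. Startup folders, where autorun scripts and shortcuts are commonly dropped
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $content = ''
        # Read script bodies so a batch file that merely launches the binary is also caught
        if ($_.Extension -in '.bat', '.cmd', '.vbs', '.ps1') {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ($_.Name -match $regex -or $content -match $regex) {
            $findings.Add([pscustomobject]@{ Source = "Startup folder: $dir"; Name = $_.Name; Command = $_.FullName })
        }
    }
}

# 3. Scheduled tasks whose actions execute or pass arguments matching the patterns
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $regex) {
            $findings.Add([pscustomobject]@{ Source = "Scheduled task: $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd.Trim() })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No autorun, startup-folder or scheduled-task entries matched: $($Patterns -join ', ')"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys and all scheduled tasks are readable; each reported row names the persistence location, the entry, and the full command, which is what an analyst needs to decide whether the installation is sanctioned or should be escalated under recommendation 9.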


Technical Details

Article Source: https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html (fetched 2026-02-09T11:06:21 UTC, 1385 words)

Threat ID: 6989bfb04b57a58fa1460075

Added to database: 2/9/2026, 11:06:24 AM

Last enriched: 2/9/2026, 11:06:50 AM

Last updated: 3/27/2026, 4:44:53 AM

Views: 177

Community Reviews

0 reviews

