A cybercriminal group known as Bloody Wolf, also tracked as Stan Ghouls, is behind a recent wave of attacks on organizations in Russia and Uzbekistan. The campaign, active since at least 2023, concentrates on the manufacturing, finance and IT sectors. The group has changed its tooling: where it previously favoured the STRRAT remote access trojan, it now misuses a legitimate product, NetSupport Manager, to obtain remote access.
Deploying NetSupport Manager lets the group disguise its activity. Because it is a legitimate remote administration tool, its sessions look like authorized administrative work and are harder for defenders to flag. The attack chain consistently begins with targeted spear-phishing emails written in local languages such as Uzbek and styled as urgent official government or legal notices.
The Malicious Attack Chain and NetSupport RAT Deployment
Attached to these emails are malicious PDF files whose embedded links, when clicked, download a custom Java-based loader. The loader is the intermediary stage: it fetches the final payload and establishes the attackers' foothold on the host. Securelist (Kaspersky) analysts, who identified these intrusions, also noted distinct patterns in the group's infrastructure that point to its evasion strategy.
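As an added example (not code from Securelist or from the original article), the following Python triage script pulls every link target out of a PDF attachment, including links stored as hex strings or hidden inside FlateDecode-compressed streams, and flags those that point at executable or archive files. The sample PDF, the example.invalid URLs and the extension list are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# PDF link actions carry their target in a /URI entry, written either as a
# literal string "(...)" or as a hex string "<...>".  Both regexes run over raw
# bytes, so the file does not have to be fully parsed to triage it.
LITERAL_URI = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

# Extensions a "notice" PDF has no business linking to (assumed list; the
# campaign's loader is Java-based, hence .jar).
SUSPICIOUS_EXT = (".jar", ".exe", ".js", ".vbs", ".hta", ".msi", ".lnk", ".zip", ".rar")


def _literal(raw: bytes) -> str:
    # PDF literal strings escape '(' ')' and '\' with a backslash; drop it.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def _hexstring(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:          # PDF pads a trailing odd digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def _chunks(pdf: bytes):
    """Yield the raw file plus every stream that inflates as zlib data, so
    link dictionaries hidden in FlateDecode object streams are scanned too."""
    yield pdf
    for m in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates the whitespace that follows the data
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in document order, without duplicates."""
    seen: list[str] = []
    for chunk in _chunks(pdf):
        found = [_literal(m.group(1)) for m in LITERAL_URI.finditer(chunk)]
        found += [_hexstring(m.group(1)) for m in HEX_URI.finditer(chunk)]
        for uri in found:
            if uri not in seen:
                seen.append(uri)
    return seen


def suspicious_uris(pdf: bytes) -> list[str]:
    """Links whose path ends in an executable or archive extension."""
    return [u for u in extract_uris(pdf)
            if urlsplit(u).path.lower().endswith(SUSPICIOUS_EXT)]


# Constructed sample, not a real Bloody Wolf lure: one literal-string link,
# one hex-string link, and one link tucked into a compressed stream.
_HIDDEN_OBJ = (b"6 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (https://example.invalid/update.exe) >> >> endobj")
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"  /A << /S /URI /URI (https://example.invalid/docs/notice.jar) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link\n"
    b"  /A << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f6f6b2e706466> >> >> endobj\n"
    b"7 0 obj << /Filter /FlateDecode /Length " + str(len(_DEFLATED)).encode() + b" >>\n"
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    bad = set(suspicious_uris(SAMPLE_PDF))
    for uri in extract_uris(SAMPLE_PDF):
        print(f"{'SUSPICIOUS' if uri in bad else 'ok':10s} {uri}")
```

The regex approach is deliberately shallow: it finds targets without trusting the PDF's object structure, which malicious documents often mangle to break parsers. Run it on a quarantined attachment as bytes and treat any hit in `suspicious_uris` as a reason to pull the message before the user clicks.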
Researchers observed that Bloody Wolf frequently refreshes its command-and-control (C2) domains. They register new domains for each distinct campaign to evade detection and prevent their infrastructure from being added to blocklists. This rapid rotation of C2 infrastructure is a key factor enabling the group to maintain a high rate of successful infections. In the latest wave alone, nearly sixty distinct victims were identified.
The Infection Mechanism and Persistence Strategies
A distinguishing feature of this campaign is how the loader behaves once executed. To divert the victim's attention, it immediately shows a fabricated error window claiming that the application cannot run on the current operating system, so the user concludes the file is simply broken and thinks no more of it.
Meanwhile the loader silently checks its environment and downloads the NetSupport RAT components from a remote server. It also contains a safeguard: if installation fails three times it terminates itself, a measure intended to frustrate analysis in security sandboxes. Once the NetSupport files are in place, the malware establishes persistence through three redundant mechanisms, so that losing any one of them does not cost the attackers their access.
The group drops a batch script named SoliqUZ_Run.bat into the Windows Startup folder, adds a launch command under the Registry's Run key, and creates a scheduled task. Each of these causes the remote access tool to start again whenever the user logs on, giving the Bloody Wolf operators sustained access. Organizations are advised to inventory the remote administration tools they actually sanction and alert on any other remote desktop or RMM software, and to scrutinize process executions that originate from the Startup folder, since both are key indicators of this compromise. Because NetSupport Manager is itself legitimate and may be present on some hosts, a copy running from a user-writable directory, or one the organization never deployed, is the signal to look for rather than the product name alone.
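As an added example, not code from the report or from the group's tooling, the Python below encodes the hunt described above: it flags scripts in the Startup folder, processes launched from it, and any persistence entry that references NetSupport client files, then correlates entries by the binary they launch so that the three redundant mechanisms show up as one finding. The inventory records, the `SoliqUZ` drop directory and the user name are constructed; only the batch file name and the NetSupport client file names (client32.exe, client32.ini) come from known facts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The per-user and all-users Startup folders share this path suffix.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")
# Files belonging to the NetSupport Manager client; extend this with any other
# remote administration software your organization has not sanctioned.
NETSUPPORT_MARKERS = ("client32.exe", "client32.ini", "netsupport")
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.I)


@dataclass
class Artifact:
    source: str    # "startup", "run_key", "schtask" or "process"
    path: str      # file path, registry value, task name or process image
    command: str   # what it runs (command line / task action / value data)


def reasons_for(a: Artifact) -> list[str]:
    """Rules that make one persistence entry or process event worth a look."""
    reasons = []
    blob = f"{a.path} {a.command}".lower()
    if any(marker in blob for marker in NETSUPPORT_MARKERS):
        reasons.append("netsupport-component")
    if a.source == "startup" and STARTUP_DIR.search(a.path) \
            and a.path.lower().endswith(SCRIPT_EXT):
        reasons.append("script-in-startup-folder")
    if a.source == "process" and STARTUP_DIR.search(a.command):
        reasons.append("process-launched-from-startup-folder")
    return reasons


def hunt(artifacts: list[Artifact]) -> list[tuple[Artifact, list[str]]]:
    """Every artifact that trips at least one rule, with the rules it tripped."""
    return [(a, r) for a in artifacts if (r := reasons_for(a))]


def target_binary(a: Artifact) -> str:
    """The executable an entry ultimately launches: the first .exe in the
    command, else the entry's own file name."""
    m = EXE_NAME.search(a.command)
    return (m.group(1) if m else a.path.rsplit("\\", 1)[-1]).lower()


def redundant_persistence(artifacts, min_sources: int = 2) -> dict[str, set[str]]:
    """Binaries registered through several persistence mechanisms at once,
    the pattern described above (Startup folder + Run key + scheduled task)."""
    by_target: dict[str, set[str]] = defaultdict(set)
    for a in artifacts:
        if a.source in ("startup", "run_key", "schtask"):
            by_target[target_binary(a)].add(a.source)
    return {t: s for t, s in by_target.items() if len(s) >= min_sources}


# Constructed inventory, not data from the campaign.  The SoliqUZ drop
# directory and the user name are hypothetical; the batch file name is real.
_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
_DROP = r"C:\Users\alice\AppData\Roaming\SoliqUZ"
SAMPLE_ARTIFACTS = [
    Artifact("startup", _STARTUP + r"\SoliqUZ_Run.bat", f'start "" "{_DROP}\\client32.exe"'),
    Artifact("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoliqUZ",
             f'"{_DROP}\\client32.exe"'),
    Artifact("schtask", r"\SoliqUZ", f'"{_DROP}\\client32.exe"'),
    Artifact("process", r"C:\Windows\System32\cmd.exe",
             f'cmd.exe /c "{_STARTUP}\\SoliqUZ_Run.bat"'),
    # Benign entries that must not fire:
    Artifact("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Artifact("startup", _STARTUP + r"\desktop.ini", ""),
]

if __name__ == "__main__":
    for artifact, why in hunt(SAMPLE_ARTIFACTS):
        print(f"[{artifact.source:8s}] {artifact.path}  <- {', '.join(why)}")
    for binary, sources in redundant_persistence(SAMPLE_ARTIFACTS).items():
        print(f"redundant persistence for {binary}: {sorted(sources)}")
```

In practice the `Artifact` list would be filled from a directory listing of both Startup folders, the HKCU and HKLM Run keys, the task scheduler's actions, and process-creation telemetry (Sysmon event 1 or Security 4688); the correlation step is what turns three low-signal entries into one high-confidence finding.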
Bloody Wolf's activity illustrates a broader shift among cybercriminal groups toward legitimate tools for malicious ends. The targeted spear-phishing and the rapid infrastructure turnover both complicate detection, and defenders will likely need to invest in spotting misused administration software and in sharing threat intelligence quickly enough to disrupt such campaigns while they are still running.

