Bloody Wolf Hackers Attacking Organizations to Deploy NetSupport RAT and Gain Remote Access

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Stan Ghouls, a cybercriminal group also known as Bloody Wolf, has launched a sophisticated wave of targeted attacks against organizations across Russia and Uzbekistan.

Active since at least 2023, the group focuses heavily on the manufacturing, finance, and IT sectors. While they previously favored the STRRAT remote access trojan, their recent campaigns demonstrate a tactical shift toward misusing legitimate software.

By deploying the NetSupport Manager, a valid remote administration tool, they aim to blend in with authorized administrative activity, making detection significantly harder for defenders.

The attack chain invariably begins with highly targeted spear-phishing emails written in local languages like Uzbek. These communications masquerade as official government or legal notices to instill urgency.

Spear-phishing email from the latest campaign (Source – Securelist)

Attached to these emails are malicious PDF files that contain links to the next stage of the attack. When victims click these links, they unknowingly initiate the download of a custom Java-based loader.

This loader acts as the bridge, fetching the final payload and establishing the attackers’ foothold within the compromised network.

Following the initial discovery of these intrusions, Securelist analysts identified distinct patterns in the group’s infrastructure.

The researchers noted that Bloody Wolf frequently refreshes its command-and-control domains, registering new ones for each specific campaign to evade blocklists.

This rapid rotation of infrastructure allows them to maintain a high rate of successful infections, with nearly sixty distinct victims identified in the latest wave alone.

The Infection Mechanism and Persistence

The most distinct aspect of this campaign is the behavior of the malicious loader once executed. To distract the victim, the malware immediately displays a fabricated error window.

Fake error message (Source – Securelist)

The message falsely claims the application cannot run on the current operating system, tricking the user into believing the file was simply broken.

In reality, the loader is silently checking the environment and downloading the NetSupport RAT components from a remote server.

It also counts its own failed installation attempts and terminates after three, a check intended to cut short execution inside security sandboxes that repeatedly relaunch the sample.

Once the files are in place, the malware aggressively establishes persistence using three redundant methods.

It drops a batch script named SoliqUZ_Run.bat into the Windows Startup folder, adds a launch command to the Registry’s Run key, and creates a scheduled task.

These mechanisms ensure the remote access tool executes automatically every time the user logs in.

To mitigate these threats, organizations must monitor for unauthorized remote desktop tools and scrutinize process executions from the Startup folder.
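The three persistence locations described above (Startup folder, Run key, scheduled task) and the monitoring advice here can be turned into a quick host audit. The following PowerShell script is an added example written for this article, not code from Securelist, cybersecuritynews.com, or the attackers' tooling. It takes the file name SoliqUZ_Run.bat from the article; the strings client32 and NetSupport are assumptions, chosen because they are the names commonly associated with a NetSupport Manager client installation, and do not appear on the page. Run it in an elevated PowerShell session on the host under review.

```powershell
# Added example: audit the three autostart locations the article names for
# entries that look like an unauthorized remote-access tool.
# Indicator list is an assumption: SoliqUZ_Run comes from the article; client32
# and NetSupport are the usual NetSupport Manager client names (not on the page).
$Indicators = @('SoliqUZ_Run', 'client32', 'NetSupport')
# Script-like extensions that have no business in a Startup folder on most hosts.
$ScriptExt  = @('.bat', '.cmd', '.vbs', '.js', '.ps1')

function Test-Suspicious {
    param([string]$Text)
    # -like is case-insensitive by default in PowerShell.
    foreach ($i in $Indicators) {
        if ($Text -and $Text -like "*$i*") { return $true }
    }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Startup folders: per-user and all-users. Any script dropped here is worth a look.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $reason = $null
        if (Test-Suspicious $_.Name) { $reason = 'matches indicator' }
        elseif ($ScriptExt -contains $_.Extension.ToLower()) { $reason = 'script in Startup folder' }
        if ($reason) {
            $Findings.Add([pscustomobject]@{
                Source = 'StartupFolder'; Name = $_.Name; Value = $_.FullName; Reason = $reason
            })
        }
    }
}

# 2. Run keys for the current user and the machine (including the 32-bit view on 64-bit Windows).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSChildName/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        if ((Test-Suspicious $p.Name) -or (Test-Suspicious $cmd)) {
            $Findings.Add([pscustomobject]@{
                Source = 'RunKey'; Name = "$key\$($p.Name)"; Value = $cmd; Reason = 'matches indicator'
            })
        }
    }
}

# 3. Scheduled tasks whose name or action references an indicator.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ((Test-Suspicious $task.TaskName) -or (Test-Suspicious $cmd)) {
            $Findings.Add([pscustomobject]@{
                Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"
                Value  = $cmd; Reason = 'matches indicator'
            })
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No autostart entries matched the indicator list.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The script reports rather than removes: a hit in any of the three locations should be correlated with the others (the article notes the malware sets all three at once), and with the NetSupport client files on disk, before cleanup. Extend `$Indicators` with whatever name the tool is deployed under in your own environment so that sanctioned installs are not flagged.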
