Bloody Wolf’s Evolution: When Threat Actors Switch Their Favorite RATs



A sophisticated threat group pivots from STRRAT to NetSupport, expanding its reach across Central Asia and Russia

The threat landscape is constantly shifting, and threat actors adapt their tooling based on what works. Kaspersky’s latest research reveals that Bloody Wolf—a group active since at least 2023—has made a significant tactical shift: moving from the Java-based STRRAT to NetSupport RAT in a campaign that’s claimed over 60 victims across Uzbekistan, Russia, and neighboring countries.

The Core Insight


What makes this campaign noteworthy isn’t just the malware—it’s the scale and sophistication of the operation. With over 60 targets compromised, this represents “a remarkably high volume for a sophisticated targeted campaign,” according to Kaspersky. The attackers, tracked under the moniker “Stan Ghouls,” are demonstrating that they have significant resources to pour into their operations.

The switch to NetSupport RAT—a legitimate remote administration tool frequently abused by attackers—represents a calculated decision. Unlike STRRAT, NetSupport provides a more stable, feature-rich platform for remote access. It’s also more commonly used in enterprise environments, making its presence potentially less suspicious in network traffic.

Why This Matters


For Security Teams:
The infection chain is straightforward but effective: phishing emails → malicious PDF → loader executable → NetSupport RAT. The loader includes an interesting anti-analysis feature: it limits installation attempts to three per machine. If the limit is reached, the loader displays “Attempt limit reached. Try another computer.”

This suggests the operators are aware of sandbox environments and automated analysis systems that might trigger multiple installation attempts.

For Threat Intelligence:
The campaign targets manufacturing, finance, IT sectors, government organizations, logistics companies, medical facilities, and educational institutions. This broad targeting profile suggests either:
– Financial motivation as the primary driver
– A hybrid approach combining financial gain with cyber espionage

Kaspersky notes: “Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain. That said, their heavy use of RATs may also hint at cyber espionage.”

The Mirai Connection:
Perhaps most concerning is Kaspersky’s discovery of Mirai botnet payloads staged on Bloody Wolf’s infrastructure. This raises the possibility that the threat actor may have expanded beyond traditional enterprise targeting to include IoT devices—potentially building a botnet capability alongside their RAT operations.

Key Takeaways

  • Persistence is multi-layered: The loader establishes persistence through three mechanisms simultaneously: Startup folder scripts, Registry autorun keys, and scheduled tasks. Defense teams need to check all three vectors.

  • The threat landscape is interconnected: This disclosure coincides with increased activity from ExCobalt, Punishing Owl, and Vortex Werewolf—all targeting Russian and Central Asian organizations with varying TTPs.

  • Contractor access is the new perimeter: ExCobalt has shifted from exploiting 1-day vulnerabilities to penetrating targets through their contractors. Supply chain security isn’t optional anymore.

  • Attribution is complex: The Stan Ghouls/Bloody Wolf overlap demonstrates how threat actors operate under multiple monikers and constantly evolve their operations.

Looking Ahead

The convergence of multiple threat actors targeting the same geographic region with similar TTPs suggests this area has become a hotbed of cyber activity. Organizations in Central Asia and Russia should expect continued targeting and ensure their detection capabilities cover:

  • Spear-phishing with PDF attachments
  • NetSupport RAT communications
  • Scheduled task creation for persistence
  • IoT device compromise indicators
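The "multi-layered persistence" point under Key Takeaways and the "scheduled task creation for persistence" item in the list above both come down to the same triage question: for a given host, which of the three persistence vectors (Startup folder, Registry autorun keys, scheduled tasks) show up in telemetry, and do they point at the same user-writable staging location? The script below is an added example and is not code from Kaspersky, The Hacker News, or the article itself. It assumes events exported as JSON lines in a Sysmon/Windows Security-like shape (Sysmon event 11 FileCreate, Sysmon event 13 registry value set, Security event 4698 scheduled task created, which are real event IDs); the hostnames, paths, task names and field names are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (JSON lines). Hosts, users, paths and task
# names are made up; the event IDs follow Sysmon (11, 13) and Windows
# Security (4698) conventions. WS-01 shows all three persistence vectors
# written by a loader running from a user-writable Temp directory; WS-02
# and WS-03 carry ordinary activity that should not be flagged as layered.
SAMPLE_EVENTS = r"""
{"host": "WS-01", "source": "Sysmon", "event_id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"}
{"host": "WS-01", "source": "Sysmon", "event_id": 13, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"host": "WS-01", "source": "Security", "event_id": 4698, "subject": "alice", "task_name": "\\Microsoft\\Windows\\Updater", "task_content": "<Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\payload.exe</Command></Exec>"}
{"host": "WS-02", "source": "Sysmon", "event_id": 11, "image": "C:\\Program Files\\Vendor\\setup.exe", "target": "C:\\Users\\bob\\Downloads\\report.pdf"}
{"host": "WS-02", "source": "Security", "event_id": 4698, "subject": "SYSTEM", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "task_content": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"}
{"host": "WS-03", "source": "Sysmon", "event_id": 13, "image": "C:\\Windows\\explorer.exe", "target": "HKU\\S-1-5-21-2\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup"}
"""

# Per-user and all-users Startup folders share this path suffix.
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Run and RunOnce autorun keys under HKCU/HKU/HKLM.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an unprivileged user (or a loader running as one) can write to.
USER_WRITABLE = re.compile(r"\\(Users|AppData|ProgramData|Temp)\\", re.IGNORECASE)


def classify(event):
    """Map one event to a persistence vector name, or None if it is not one."""
    source, eid = event.get("source"), event.get("event_id")
    target = event.get("target", "")
    if source == "Sysmon" and eid == 11 and STARTUP_FOLDER.search(target):
        return "startup_folder"
    if source == "Sysmon" and eid == 13 and RUN_KEY.search(target):
        return "registry_run"
    if source == "Security" and eid == 4698:
        return "scheduled_task"
    return None


def triage(jsonl):
    """Group persistence events per host and flag the layered pattern.

    Returns {host: {"vectors": [...], "multi_layered": bool,
                    "user_writable_artifact": bool, "evidence": [...]}}.
    """
    per_host = defaultdict(lambda: {"vectors": set(), "user_writable": False, "evidence": []})
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        vector = classify(event)
        if vector is None:
            continue
        rec = per_host[event["host"]]
        rec["vectors"].add(vector)
        # Two signals: the process that wrote the persistence entry, and the
        # command the entry will launch. Either living in a user-writable
        # location is the pattern described for the loader.
        writer = event.get("image", "")
        launched = event.get("task_content", "")
        if USER_WRITABLE.search(writer) or USER_WRITABLE.search(launched):
            rec["user_writable"] = True
        rec["evidence"].append((vector, event.get("target") or event.get("task_name")))

    report = {}
    for host, rec in per_host.items():
        report[host] = {
            "vectors": sorted(rec["vectors"]),
            # All three vectors on one host is the "multi-layered" case.
            "multi_layered": len(rec["vectors"]) == 3,
            "user_writable_artifact": rec["user_writable"],
            "evidence": rec["evidence"],
        }
    return report


if __name__ == "__main__":
    for host, summary in sorted(triage(SAMPLE_EVENTS).items()):
        flag = "LAYERED" if summary["multi_layered"] else "single"
        print(f"{host}: {flag} vectors={summary['vectors']} "
              f"user_writable={summary['user_writable_artifact']}")
        for vector, where in summary["evidence"]:
            print(f"    {vector:15} {where}")
```

The scheduled-task rule deliberately fires on every 4698, because task creation is the noisiest of the three vectors and a blanket filter would hide the exact case the article describes; the user-writable check and the three-vector coincidence are what lift WS-01 above the defrag task on WS-02 and the RunOnce value on WS-03. On a real estate, feed this with an export from your SIEM rather than the embedded sample, and extend `USER_WRITABLE` with whatever staging directories your loaders have actually used.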

The evolution from STRRAT to NetSupport RAT shows Bloody Wolf is actively optimizing its toolkit. Security teams should track not just indicators of compromise but also the broader patterns of how threat actors adapt their approaches over time.


Based on analysis of Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT – The Hacker News

