
"The attack chains more or less follow the same approach in that the message recipients are tricked into clicking on links that download malicious Java archive (JAR) loader files along with instructions to install Java Runtime. While the email claims the installation is necessary to view the documents, the reality is that it's used to execute the loader. Once launched, the loader then proceeds to fetch the next-stage payload (i.e., NetSupport RAT) from infrastructure that's under the attacker"
"Bloody Wolf is the name assigned to a hacking group of unknown provenance that has used spear-phishing attacks to target entities in Kazakhstan and Russia using tools like STRRAT and NetSupport. The group is assessed to be active since at least late 2023. The targeting of Kyrgyzstan and Uzbekistan using similar initial access techniques marks an expansion of the threat actor's operations in Central Asia, primarily impersonating trusted government ministries in phishing emails to distribute weaponized links or attachments."
Bloody Wolf has targeted Kyrgyzstan since at least June 2025 and expanded to Uzbekistan by October 2025, focusing on the finance, government, and IT sectors. The attackers impersonated trusted government ministries, particularly a Ministry of Justice identity, using official-looking PDF documents and lookalike domain names that hosted malicious Java Archive (JAR) files. Phishing emails directed recipients to download the JAR loader and install Java Runtime under the pretense that it was needed to view the documents. Once launched, the loader fetched the NetSupport remote access trojan as the next-stage payload. The group has used STRRAT and NetSupport before and keeps a low operational profile by relying on social engineering and freely available tooling rather than custom malware.
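The lure pattern described above (a link that downloads a JAR file, an instruction to install Java Runtime, and a sender posing as a ministry) is easy to turn into a mail-filter heuristic. The following is an added example, not code from The Hacker News or from any vendor report; the `TRUSTED_GOV_DOMAINS` allowlist, the `Email` structure and both sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder: domains an organisation has verified for the ministries it deals with.
TRUSTED_GOV_DOMAINS = {"ministry.example"}

# Indicator 1: a link whose path ends in .jar (the loader delivery observed in this campaign).
JAR_LINK = re.compile(r"\.jar(?:[?#]|$)", re.IGNORECASE)
# Indicator 2: body text telling the reader to install Java Runtime "to view the documents".
JAVA_RUNTIME_LURE = re.compile(
    r"install(?:ing)?\s+(?:the\s+)?java(?:\s+runtime)?|java\s+runtime\s+environment|\bjre\b",
    re.IGNORECASE,
)
# Indicator 3: the message invokes a ministry but does not come from a verified ministry domain.
MINISTRY_LURE = re.compile(r"\bministry\b", re.IGNORECASE)


@dataclass
class Email:
    sender_domain: str
    subject: str
    body: str
    links: list = field(default_factory=list)


def assess(msg: Email) -> list:
    """Return the list of indicator names that fire for this message."""
    reasons = []
    if any(JAR_LINK.search(url) for url in msg.links):
        reasons.append("link_to_jar")
    if JAVA_RUNTIME_LURE.search(msg.body):
        reasons.append("java_runtime_install_lure")
    text = msg.subject + " " + msg.body
    if MINISTRY_LURE.search(text) and msg.sender_domain.lower() not in TRUSTED_GOV_DOMAINS:
        reasons.append("ministry_impersonation")
    return reasons


def is_jar_loader_lure(msg: Email) -> bool:
    """The chain needs both a JAR download link and the Java install pretext; the ministry
    impersonation raises confidence but is not required, since the sender pretext can vary."""
    reasons = assess(msg)
    return "link_to_jar" in reasons and "java_runtime_install_lure" in reasons


# Constructed samples: one message shaped like the described lure, one routine ministry mail.
SAMPLE_PHISH = Email(
    sender_domain="ministry-documents.example",
    subject="Ministry of Justice: notice regarding your organisation",
    body="Open the attached documents. To view them you must install Java Runtime first.",
    links=["https://ministry-documents.example/Notice_2025.jar"],
)
SAMPLE_BENIGN = Email(
    sender_domain="ministry.example",
    subject="Ministry circular: updated reporting schedule",
    body="Please review the attached PDF and reply with any questions.",
    links=["https://docs.ministry.example/schedule.pdf"],
)
```

In production the allowlist would come from verified sender-authentication results (SPF/DKIM/DMARC alignment) rather than a hard-coded set, and a hit should route the message to quarantine for analyst review rather than silently dropping it.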
Read at The Hacker News