Summary
In the 2025 cyber threat landscape, Central Asia is increasingly the eye of the storm where geopolitics and cyber espionage intersect. The threat group code-named Bloody Wolf has recently launched its latest round of cyberattacks against Central Asian countries such as Kyrgyzstan and Uzbekistan. The group uses highly deceptive social engineering as its entry point and Java-based loaders (JAR loaders) to deliver the old remote management tool NetSupport RAT, and has successfully penetrated several government, financial and IT organizations.
I. On the eve of the cyberattack storm: Central Asian cyberthreat posture and the rise of the "Bloody Wolf"
1.1 Central Asia: The New Heights of Digital Gaming
In recent years, with the acceleration of digital transformation, Central Asian countries (especially Kazakhstan, Kyrgyzstan and Uzbekistan) have become increasingly strategic in geopolitics. This has been accompanied by a surge in cyberattack activity. Attackers are no longer limited to the traditional pure sabotage, but have shifted to more insidious long-term lurking, intelligence theft, and infiltration targeting critical infrastructures. Against this backdrop, the Bloody Wolf organization, as an emerging and active threat force, has attracted the attention of security agencies such as Group-IB.
1.2 "Bloody Wolf" portrait
Bloody Wolf is an unattributed but extremely active hacker group focused on Central Asia. Intelligence suggests that the group has been active since at least late 2023; in its early days it primarily targeted entities in Kazakhstan and Russia, using commercial or open-source malware such as STRRAT and NetSupport as its usual tools.
Unlike top-tier APT groups that develop their own zero-day exploits, Bloody Wolf operates in a "low-cost, high-efficiency" mode. It specializes in combining publicly available commodity malware with well-conceived social engineering scripts into a highly effective attack chain. This strategy of "parasitizing" legitimate tools and off-the-shelf malware not only lowers the cost of an attack but also makes detection harder, because the resulting traffic is easily confused with normal IT management activity.
II. Beginning of the Hunt: Timeline and Targets of Attacks
2.1 Timeline of Expansion
According to a joint report by Group-IB and Ukuk, a state-owned enterprise under the Prosecutor General's Office of Kyrgyzstan, the current round of attacks has a clear temporal phase:
- June 2025: Attacks were first detected in Kyrgyzstan. The attackers began intensively dropping lures in an attempt to establish a foothold in key sectors of Kyrgyzstan.
- October 2025: The scope of the attacks expanded significantly, with Uzbekistan becoming the new main victim. This implies either an expansion of the group's capabilities or a reorientation of its strategic objectives by the sponsors or directors behind it.
2.2 Targeting: Finance, Government and IT
The target selection for this attack was very precise and focused on the following three areas:
- Government: especially sensitive departments such as justice and foreign affairs. Access to internal government documents and communication records is the primary goal of the espionage.
- Finance: banks, payment systems and non-bank financial institutions. This may suggest that, in addition to intelligence theft, the attackers are motivated by potential financial gain or intend to destabilize the financial system.
- Information technology (IT): IT service providers and software companies. This is a typical "supply chain attack" idea: the IT service provider is compromised in order to reach its downstream customers through trusted channels.
III. Technical Deconstruction: A Panoramic Analysis of the Java-based Attack Chain
The Bloody Wolf organization's attack chain uses off-the-shelf tools, but they are put together in a very sophisticated way. The entire attack process can be divided into three core phases: initial access, execution and persistence, and command and control (C2).
3.1 Initial access: social engineering in official garb
The starting point of the attack was carefully crafted spear-phishing emails.
- Impersonation: The attackers posed as the Ministry of Justice (MoJ) or another trusted government agency of Kyrgyzstan. To add credibility, they used very formal-looking PDF documents as bait and sent the emails from typosquatted domain names that closely resembled official ones.
- Psychological manipulation: The email content typically creates a sense of urgency or authority, asking the recipient to review "important documents", "court subpoenas" or "compliance notices".
- Technical trap: When the victim opens the PDF attachment or clicks a link in the email, they do not see the document's contents directly; instead they are directed to download a Java Archive (JAR) file.
3.2 Implementation Phase: Deadly Java Entrapment
This is the most technical part of the attack: it exploits the ubiquity of the Java runtime and users' habit of complying with "software update" prompts.
3.2.1 JAR Loader mechanism
The JAR file downloaded by the victim is actually a malicious loader. To trick the user into running the file, the attacker uses a classic set of words:
"In order to properly view this encrypted/protected document, you need to install or update the Java Runtime Environment."
This deception (Social Engineering Lure) is very effective because in corporate environments where it is the norm for files to fail to open due to software version issues, employees tend to follow the prompts without thinking.
Once the user double-clicks and runs this JAR file (provided that the Java environment is installed on the system, or the attacker induces it to be installed), the malicious Java bytecode starts executing in the Java Virtual Machine (JVM).
3.2.2 Java 8 and reuse of older technologies
Technical analysis shows that these JAR loaders were built based on Java 8 (released in March 2014). The use of such an old version of Java to build malware is not accidental, and the reasons may include:
- Maximize compatibility: Many organizations, especially government agencies, still rely on older Java applications for their internal systems, so Java 8 is widely present in the target environment.
- Evading modern detection: Some modern EDR (Endpoint Detection and Response) tools may be tuned toward behavioral signatures for the latest Java versions and have blind spots when it comes to older code.
- Templated generation: The researchers suspect that the attackers used a customized JAR builder or template. This lets them quickly generate many variants (polymorphism) that bypass signature-based antivirus simply by changing the file hash.
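The claim that the loaders were built for Java 8 is something a defender can verify directly on a quarantined attachment: every compiled class inside a JAR carries a major version number in its header (52 means Java 8), and the manifest names the entry point. The triage helper below is an added example written for this article, not code from the original page or from Group-IB; it builds a constructed sample JAR in memory (a manifest plus two placeholder class headers, not a real loader) and reports the entry point and the Java releases its classes were compiled for.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE  # every Java class file starts with this 4-byte magic


def java_release_for_major(major):
    """Map a class-file major version to the Java release that emits it (52 -> 8, 61 -> 17)."""
    legacy = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4"}
    if major in legacy:
        return legacy[major]
    if major >= 49:
        return str(major - 44)  # Java 5 introduced major 49; each release since adds one
    return "unknown"


def parse_manifest(text):
    """Parse the simple 'Key: value' lines of META-INF/MANIFEST.MF into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):  # continuation lines start with a space
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def triage_jar(data):
    """Inspect JAR bytes: entry point, class-file versions and whether it targets Java 8 only."""
    report = {"main_class": None, "class_versions": {}, "entries": [], "targets_java8": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                manifest = parse_manifest(zf.read(info).decode("utf-8", "replace"))
                report["main_class"] = manifest.get("Main-Class")
            elif info.filename.endswith(".class"):
                header = zf.read(info)[:8]  # magic (4), minor (2), major (2), big-endian
                if len(header) < 8:
                    continue
                magic, _minor, major = struct.unpack(">IHH", header)
                if magic != CLASS_MAGIC:
                    continue  # not a real class file despite the extension
                release = java_release_for_major(major)
                report["class_versions"][release] = report["class_versions"].get(release, 0) + 1
    report["targets_java8"] = set(report["class_versions"]) == {"8"}
    return report


def build_sample_jar():
    """Constructed sample for the demo: a manifest and two Java 8 class headers, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        for name in ("Loader.class", "Helper.class"):
            zf.writestr(name, struct.pack(">IHH", CLASS_MAGIC, 0, 52) + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

Run it against a real suspicious JAR by passing the file's bytes to `triage_jar`; a class-version histogram of `{"8": n}` together with a `Main-Class` is consistent with the builder-generated loaders described above, while mixed versions or a missing manifest point to something else.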
3.3 Core payload: NetSupport RAT
After a successful run, the JAR loader pulls the next-stage payload, the NetSupport RAT, from attacker-controlled infrastructure (the C2 server).
3.3.1 Weaponization of NetSupport Manager
NetSupport Manager is a legitimate and powerful commercial remote management tool widely used for enterprise IT support. However, due to its overpowered features (including screen monitoring, file transfer, remote command execution, keylogging, etc.), it has long been abused by hacker organizations and has become a typical "Dual-Use" software.
3.3.2 Version archaeology: the ghosts of 2013
Surprisingly, the version of NetSupport RAT dropped in this attack dates back to October 2013. Why would the attackers choose 12-year-old software?
- Stability: Older versions have stood the test of time and are stable. They also lack the mandatory license validation and cloud telemetry features of newer versions, which makes them easier to crack and strip of licensing (cracked/nulled).
- Detection evasion: Many modern security products trust NetSupport's digital signature by default, or classify it as a "potentially unwanted program" (PUP) rather than high-risk malware, giving attackers an opportunity to exploit it.
IV. Deep Persistence and Evasion Techniques
To ensure continuous control of victimized hosts and to bring them back online even after a system reboot, Bloody Wolf deploys multiple persistence mechanisms.
4.1 Triple Persistence Strategy
Technical analysis identified three parallel means of persistence that ensured extremely high survival rates:
- Scheduled Task: The attackers use the Windows schtasks command to create a scheduled task. The task is configured to automatically execute the malicious script at a specific time or when the system is idle. This approach is stealthier because administrators rarely review the list of scheduled tasks day to day.
- Registry Run Key: A classic means of persistence. The attacker adds a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or a similar path) that points to the malicious JAR or batch file. As soon as the user logs on to Windows, the malicious program launches with it.
- Startup Folder drop: The simplest and crudest but still effective method. The attacker drops a batch script (.bat) into the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory. This script usually starts the NetSupport client silently and connects to the C2.
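All three persistence locations above can be collected from a host (or from an EDR export) and triaged with the same rules: a Run value or task that launches java.exe/javaw.exe with a .jar, a script sitting in the Startup folder, or a task that runs a .bat from a user-writable profile directory. The script below is an added example for this article, not code from the page or from any vendor; the autostart entries it scans are constructed samples, and the rule thresholds (which combinations count as suspicious) are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass


@dataclass
class AutostartEntry:
    source: str    # "run_key", "scheduled_task" or "startup_folder"
    location: str  # registry value path, task path or file path
    command: str   # the command line (or first line of the script) that gets executed


# java / javaw (optionally .exe) as a whole token, followed by whitespace, a quote or end of
# string, so the directory name "Java\" inside an install path does not match.
JAVA_LAUNCHER = re.compile(r'(?<![\w.])javaw?(?:\.exe)?(?=\s|"|$)', re.IGNORECASE)
JAR_ARG = re.compile(r'\.jar(?=\s|"|$)', re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(?:bat|cmd|vbs|js)(?=\s|"|$)', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\[^\\]+\\(?:Downloads|Desktop|Documents))\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def assess(entry):
    """Return the sorted list of reasons an entry is suspicious, or [] if it is not."""
    reasons = set()
    if JAVA_LAUNCHER.search(entry.command):
        reasons.add("java_launcher")
    if JAR_ARG.search(entry.command):
        reasons.add("jar_argument")
    if entry.source == "startup_folder" and STARTUP_DIR.search(entry.location) and SCRIPT_EXT.search(entry.location):
        reasons.add("script_in_startup_folder")
    if SCRIPT_EXT.search(entry.command) and USER_WRITABLE.search(entry.command):
        reasons.add("script_from_user_profile")
    # Assumed thresholds: a Java launcher alone is common; Java + .jar, or any script
    # persisted from the Startup folder / user profile, is worth an analyst's look.
    suspicious = ({"java_launcher", "jar_argument"} <= reasons) or bool(
        reasons & {"script_in_startup_folder", "script_from_user_profile"}
    )
    return sorted(reasons) if suspicious else []


def triage_autostarts(entries):
    """Run assess() over collected entries and keep only the flagged ones."""
    findings = []
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings.append({"source": entry.source, "location": entry.location, "reasons": reasons})
    return findings


def sample_entries():
    """Constructed autostart entries for the demo (paths and names are made up)."""
    return [
        AutostartEntry("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
                       r'C:\Program Files\Java\jre1.8.0\bin\javaw.exe -jar "C:\Users\alice\AppData\Roaming\update.jar"'),
        AutostartEntry("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                       r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        AutostartEntry("startup_folder",
                       r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\client.bat",
                       r'start /min "" "C:\Users\alice\AppData\Roaming\nsm\rmclient.exe"'),
        AutostartEntry("scheduled_task", r"\Microsoft\Windows\SystemCheck",
                       r'cmd.exe /c "C:\Users\alice\AppData\Roaming\check.bat"'),
        AutostartEntry("scheduled_task", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                       r"%windir%\system32\defrag.exe -c"),
    ]


if __name__ == "__main__":
    for finding in triage_autostarts(sample_entries()):
        print(finding)
```

Of the five constructed entries, the OneDrive Run value and the built-in defrag task pass cleanly, while the Run value launching a .jar, the batch file in the Startup folder and the task running a .bat out of %APPDATA% are returned with their reasons.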
4.2 Geofencing: a marker for precision strikes
During the attack phase against Uzbekistan, researchers observed a more sophisticated evasion technique: geofencing.
4.2.1 Technical realization
The attacker's server is configured with IP filtering rules. When an HTTP/HTTPS request arrives at the malicious server, the server checks the geographic location of the request source IP:
- From within Uzbekistan: The server returns the malicious JAR download or execution instructions.
- From outside Uzbekistan (e.g., security researchers, sandbox environments, scanners): The server immediately returns an HTTP 302 redirect that sends the request to the legitimate Uzbekistan e-government website data.egov.uz.
4.2.2 Strategic significance
This "geo-fencing" technology is of great tactical value:
- Counter-analysis: Security analysts around the world (e.g., threat intelligence firms based in the U.S. or Europe) who visit a phishing link directly see only a legitimate government website, and may therefore misjudge the link as safe.
- Precision: Attack resources are spent only on real targets, and users in other countries are not "accidentally" harmed, which reduces the risk of exposure to international law enforcement agencies.
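The practical consequence for an analyst is that a single fetch from outside the targeted country proves nothing: the redirect to data.egov.uz is exactly what the server shows non-targets. The helper below, an added example for this article and not code from the page, compares captured responses from two vantage points (for instance a sandbox abroad and the victim's own proxy logs or an in-country vantage) and flags the divergence; the two captures it uses are constructed samples, and the header heuristics for recognizing a JAR download are assumptions.

```python
ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive, so a genuine JAR body starts with this


def classify_response(resp):
    """Reduce one captured HTTP response to a short verdict string."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    status = resp["status"]
    if status in (301, 302, 303, 307, 308):
        return "redirect:" + headers.get("location", "")
    body = resp["body"]
    ctype = headers.get("content-type", "").lower()
    cdisp = headers.get("content-disposition", "").lower()
    if body.startswith(ZIP_MAGIC):
        # assumed heuristic: ZIP bytes served as a .jar or with the java-archive MIME type
        return "jar_download" if (".jar" in cdisp or "java-archive" in ctype) else "zip_download"
    return f"other:{status}"


def detect_geofence(observations):
    """Compare verdicts per vantage point; differing verdicts for one URL indicate filtering."""
    verdicts = {vantage: classify_response(r) for vantage, r in observations.items()}
    return {
        "verdicts": verdicts,
        "diverges": len(set(verdicts.values())) > 1,
        "serves_jar": any(v == "jar_download" for v in verdicts.values()),
    }


def sample_observations():
    """Constructed captures of the same URL from two vantage points (not real traffic)."""
    return {
        "sandbox_outside_target": {
            "status": 302,
            "headers": {"Location": "https://data.egov.uz/"},
            "body": b"",
        },
        "in_country_vantage": {
            "status": 200,
            "headers": {
                "Content-Type": "application/java-archive",
                "Content-Disposition": 'attachment; filename="document.jar"',
            },
            "body": ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00",
        },
    }


if __name__ == "__main__":
    print(detect_geofence(sample_observations()))
```

A result with `diverges` true and `serves_jar` true is the signature of the behaviour described above; a link that redirects to a legitimate site from every vantage point is the only case in which the "benign" conclusion is actually supported.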
V. Challenges of cybersecurity defence in Central Asia from the Bloody Wolf organization
5.1 Vulnerability of the chain of trust
At the heart of the Bloody Wolf attacks is the exploitation of the unconditional trust of the public and civil servants in "government authority". When an email claims to come from the "Department of Justice" with "classified documents" attached, the victim's vigilance is often overridden by panic or obedience. This exploitation of human nature is a vulnerability that no firewall can completely block.
5.2 Abuse of Legitimate Tools (Living off the Land)
The use of the NetSupport RAT reaffirms the popularity of the "Living off the Land" (LotL) attack strategy. Instead of struggling to write complex backdoors, attackers are using legitimate management tools. This poses a huge challenge for defenders: how to differentiate between legitimate NetSupport traffic and malicious C2 traffic without disrupting normal IT operations?
5.3 Long-term pain points in the Java environment
The "write once, run everywhere" nature of Java as a cross-platform language is also exploited by malware developers; JAR files are essentially compressed packages that can easily bypass many gateway filters based on file type (especially if they are disguised or obfuscated). In addition, the reliance on older Java versions within organizations makes it impractical to completely remove the Java runtime environment, leaving a permanent attack surface.
VI. Defense recommendations and mitigation measures
In the face of the Bloody Wolf organization and threats like it, businesses and government agencies need to build a defense-in-depth.
6.1 Technical level of defense
- Strictly limit the Java runtime environment:
  - If the business does not rely on Java, uninstall it completely.
  - If it must be used, configure file-association rules so that .jar files cannot be run by double-clicking (i.e., remove the association between .jar and java.exe and open them with a text editor instead, or allow only signed JARs to run via policy).
  - Control network connections initiated by java.exe or javaw.exe, especially connections to unusual ports or foreign IPs.
- Network-level blocking:
  - IOC blocking: Keep the threat intelligence database up to date and block the known C2 domains and IPs of the Bloody Wolf group.
  - Protocol analysis: Enable detection of NetSupport protocol features on the firewall or IDS. Legitimate NetSupport traffic usually has a fixed port or handshake signature, and anomalous traffic should be blocked.
  - Geographic blocking: Government agencies that operate only in specific countries can consider restricting access from unrelated countries' IPs, although this will not defend against attacks targeted at the country itself.
- Endpoint protection (EDR) optimization:
  - Monitor registry startup items (Run keys) and writes to the startup folder.
  - Behaviorally intercept abnormal child processes spawned by PowerShell, CMD and WScript (e.g., calls to Java).
  - Flag and quarantine older versions of remote management tools (e.g., the 2013 version of NetSupport).
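The recommendation to control connections initiated by java.exe and javaw.exe can be turned into a concrete detection over endpoint telemetry. The script below is an added example for this article, not code from the page or from any product; it evaluates Sysmon-style network-connection events (the field names Image, DestinationIp, DestinationPort and Initiated are those of Sysmon Event ID 3) and raises a finding when a Java launcher reaches a public address, with a higher severity when the port is not a normal web port. The events are constructed samples, and the internal ranges and the set of "expected" ports are assumptions to adapt to the organization.

```python
import ipaddress

JAVA_IMAGES = {"java.exe", "javaw.exe"}
WEB_PORTS = {80, 443}  # assumption: the only ports a Java process is expected to reach on the internet
INTERNAL_NETS = [  # assumption: RFC 1918 space plus loopback count as internal
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess_event(event):
    """Return a finding dict for a suspicious Java network connection, or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    initiated = str(event.get("Initiated", "true")).lower() == "true"  # Sysmon logs this as text
    if image not in JAVA_IMAGES or not initiated:
        return None  # not a Java launcher, or an inbound connection
    dst = event["DestinationIp"]
    port = int(event["DestinationPort"])
    if is_internal(dst):
        return None  # internal Java applications are expected to talk to internal hosts
    if port not in WEB_PORTS:
        severity, reason = "high", "java_to_public_nonweb_port"
    else:
        severity, reason = "medium", "java_to_public_web_port"
    return {"image": image, "dst": f"{dst}:{port}", "severity": severity, "reason": reason}


def scan_events(events):
    """Apply assess_event() to a batch of events and keep the findings."""
    return [finding for finding in (assess_event(e) for e in events) if finding]


def sample_events():
    """Constructed Sysmon-style events; addresses are from documentation ranges, not real C2."""
    return [
        {"Image": r"C:\Program Files\Java\jre1.8.0\bin\javaw.exe", "DestinationIp": "203.0.113.25",
         "DestinationPort": "9001", "Initiated": "true"},
        {"Image": r"C:\Program Files\Java\jre1.8.0\bin\java.exe", "DestinationIp": "10.20.30.40",
         "DestinationPort": "8080", "Initiated": "true"},
        {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationIp": "203.0.113.9",
         "DestinationPort": "443", "Initiated": "true"},
        {"Image": r"C:\Program Files\Java\jre1.8.0\bin\javaw.exe", "DestinationIp": "198.51.100.77",
         "DestinationPort": "443", "Initiated": "true"},
        {"Image": r"C:\Program Files\Java\jre1.8.0\bin\java.exe", "DestinationIp": "198.51.100.5",
         "DestinationPort": "5000", "Initiated": "false"},
    ]


if __name__ == "__main__":
    for finding in scan_events(sample_events()):
        print(finding)
```

In the constructed batch only two events survive the filter: javaw.exe reaching a public host on port 9001 (high) and javaw.exe reaching a public host on 443 (medium); the internal connection, the browser traffic and the inbound connection are dropped. In a real deployment the medium-severity case is where a per-application allowlist of legitimate update hosts belongs.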
6.2 Process and people management
- Security awareness training:
  - Regularly conduct targeted phishing exercises that simulate impersonation of authorities such as the Ministry of Justice and the Tax Administration.
  - Educate employees: never install any software or update because an email prompts you to; software updates should be distributed centrally by the IT department.
- The principle of least privilege:
  - Regular employee accounts should not have permission to install software. Even if they download a malicious JAR, if they cannot modify the system-level registry or installation directories, the attacker's ability to persist is greatly reduced.
VII. Conclusion
The Bloody Wolf organization's expansion operations in Central Asia are a microcosm of today's regional APT attacks. They don't need top-notch hacking skills; they can tear down defenses in a national-level confrontation with only a precise understanding of the target's psychology and an ingenious combination of obsolete techniques.
This case is a reminder that cybersecurity is not just a battle of codes, but also a game of psychology and cognition. For organizations in Central Asia and around the world, the focus of defense is not only on deploying expensive security equipment, but also on fixing the weakest link - the human being - and building the capacity to dynamically monitor the "illegal use of legitimate tools". As the geopolitical situation fluctuates, similar "low-cost, high-yield" attacks will only intensify in the future.
Appendix: Threat Indicator (IOC) Reference
Note: The following are only feature types summarized from intelligence descriptions, please refer to the official Group-IB report for specific hashes and domain names.
- File types: .jar, .pdf (containing malicious links), .bat
- Malware family: NetSupport Manager (v2013), Java Loader
- Persistence paths:
  - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.bat
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Network characteristics:
  - Redirect to data.egov.uz (for non-targeted IPs)
  - C2 communication uses NetSupport's proprietary protocol
Original article by Chief Security Officer; if reproduced, please credit https://www.cncso.com/en/bloody-wolf-expands-java-based-deliver-netsupport-rat.html