NetSupport RAT

Group-IB researchers observed a threat actor named Bloody Wolf launching a cyberattack campaign against Kyrgyzstan targeting the delivery of the NetSupport RAT beginning in June 2025.By early October 2025, its attacks expanded to Uzbekistan. By masquerading as the Kyrgyz Ministry of Justice, the attackers utilized official-looking PDF documents and domains, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT. The attack uses social engineering and easy-to-access tools via phishing emails to trick recipients into clicking on a link to download a malicious JAR loader file and install the Java Runtime, which in turn executes the loader in order to obtain the NetSupport RAT and establish persistence. Geofencing restrictions were also added to the attack against Uzbekistan.