The cyber-espionage group Bloody Wolf has expanded its operations across Central Asia. They first started targeting organisations in Kyrgyzstan in mid-2025. Later, the same activity was observed spreading into Uzbekistan. Their main targets include government, finance and IT sectors.

The attackers send spear-phishing emails that look like official government messages. These emails often pretend to come from ministries or legal authorities. Each message carries an official-looking PDF attachment to gain the victim's trust. Many recipients open it without suspecting anything malicious inside.

These PDFs contain hidden malicious links or instructions for the victim. The user is tricked into downloading a Java-based JAR file. Sometimes they are told to install or enable Java to “view” the document. Running this file unknowingly starts the full infection process.

Once opened, the JAR file acts as a loader for the main malware. It connects to servers controlled by Bloody Wolf to download NetSupport RAT. Although NetSupport is legitimate software, the attackers misuse it for spying. This gives them complete remote access to the victim’s system.

To remain active, the malware sets up different persistence techniques. It creates scheduled tasks to automatically restart itself. It also modifies registry entries so it loads during system startup. In some cases, batch files are placed in the Startup folder for continued access.

During the Uzbekistan phase, researchers observed a special evasion method. The attackers used geofencing to control who received the malicious file. People inside Uzbekistan were directly given the harmful download. Users outside the country were redirected to the real government website.

This campaign stands out because it uses old but effective tools. The JAR loaders were built for Java 8, and the RAT dates back to 2013. This shows that outdated software can still be dangerous when abused. The attackers rely heavily on social engineering rather than complex malware.

These incidents show why strong digital awareness is essential today. People must be careful with unexpected government-themed PDFs or emails. Organisations should watch for unusual tasks, registry changes and startup scripts. Increased vigilance is crucial as attacks grow across the region.
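One way to act on that advice is to sweep the three persistence locations described above (scheduled tasks, Run keys and the Startup folders) for entries that launch Java, a .jar file or a batch script. The script below is an added example for defenders, not code from the article or from the researchers it draws on; the name patterns it matches on (java.exe, javaw.exe, .jar, .bat, .cmd) are my own assumptions based on the article's description, not published indicators, and it assumes an elevated PowerShell session on the Windows endpoint being checked.

```powershell
# Added hunting script (not from the original article). Enumerates the persistence
# locations the article names and flags entries referencing Java launchers,
# .jar files or batch/command scripts. Patterns are assumptions, not known IoCs.
$Patterns = @('java\.exe', 'javaw\.exe', '\.jar\b', '\.bat\b', '\.cmd\b')
$Regex    = ($Patterns -join '|')
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Detail) {
    $text = [string]$Detail
    if ($text -and ($text -match $Regex)) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $text })
    }
}

# 1. Scheduled tasks: inspect each action's executable and its arguments.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        Add-Finding 'ScheduledTask' $task.TaskName ("{0} {1}" -f $action.Execute, $action.Arguments)
    }
}

# 2. Run / RunOnce keys for the machine and the current user.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*') { Add-Finding 'RegistryRun' "$key\$($p.Name)" $p.Value }
        }
    }
}

# 3. Per-user and all-users Startup folders: any matching file here is worth review.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $StartupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'StartupFolder' $_.Name $_.FullName
    }
}

$Findings | Format-Table -AutoSize
```

A hit is a lead, not a verdict: legitimate Java applications also register Run keys and tasks, so compare each finding against the software inventory before acting on it.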

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news