Bloody Wolf Campaign: Java-Based Deliveries of NetSupport RAT, A Growing Threat in Central Asia
- Syafiq S

- Dec 1, 2025
- 4 min read

Introduction / Background
Since at least late 2023, the threat actor known as Bloody Wolf has been active — initially observed targeting organisations in Kazakhstan and Russia using tools such as STRRAT and NetSupport RAT.
In mid-2025, researchers from Group-IB (in collaboration with local state enterprise UKUK) uncovered a renewed campaign: spear-phishing attacks against government, financial, and IT sectors, starting in Kyrgyzstan and — by October 2025 — expanding into Uzbekistan.
What stands out this time is a shift in tactics: instead of using complex bespoke malware, Bloody Wolf now delivers NetSupport RAT via simple Java-based loaders (JAR files) — an approach blending social engineering and legitimate remote-access software for stealth and persistence.
Attack Details / How It Works
Initial Access & Social Engineering
The campaign begins with spear-phishing emails impersonating a legitimate government body (for example, the Ministry of Justice). The emails include an official-looking PDF attachment or link.
The PDF contains instructions (in the local language) to view “case materials,” prompting the recipient to install Java Runtime — under the pretext that it's needed to open the document properly.
Embedded in the PDF are links to a malicious Java Archive (JAR) loader. Clicking and executing the JAR kicks off the infection chain.
Loader Execution & Payload Delivery
The JAR loader, built with Java 8 (released March 2014), is minimally obfuscated, often generated using a custom JAR-generator or template to produce many similar samples.
Once executed, the loader contacts attacker-controlled infrastructure (HTTP GET) to download the payload — an older (2013) version of NetSupport RAT.
Persistence is established via multiple mechanisms: creating a scheduled task, adding a Windows registry “Run” key, and/or dropping a batch script in the user’s startup folder (e.g., %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
The loader may also display a fake error message to distract the user, reducing suspicion. Some variants include a launch-limit counter (e.g., only launch up to 3 times) to avoid detection.
Infrastructure & Evasion Details
In the Uzbekistan phase of the campaign, the infrastructure is geofenced: requests from IP addresses outside Uzbekistan are redirected to a legitimate government site (e.g., data.egov[.]uz), while those from within trigger the malicious JAR download. This helps evade broad threat-intel collection and limits accidental exposure.
Instead of custom malware, the attackers weaponize legitimate remote-administration software, which is harder for defenders to flag, especially when the RAT is old and widely available.
Impact
Persistent Remote Access & Espionage Capability: With NetSupport RAT installed, attackers can remotely control systems, enabling data theft, system compromise, surveillance, lateral movement, or further malware deployment. Given the target sectors (government, finance, IT), sensitive data and strategic assets are at risk.
Low-Detectability and Long-Term Presence: Because the delivered tool is legitimate remote-access software (albeit misused), traditional AV/endpoint tools may not detect it. Combined with persistence mechanisms and minimal loader footprint, this enables long-term stealth.
Region-Specific, Highly Targeted Attacks: The use of social engineering in local languages, geofenced infrastructure, and impersonation of trusted institutions increases chances of success. This undermines confidence in government communications and increases risk for public-sector organizations.
Lowering Barrier for Attackers: By using a simple JAR loader + publicly available RAT, rather than custom exploits, the cost and skill barrier for such campaigns drops significantly. This means smaller or less-resourced threat actors could replicate similar attacks.
Recommendation
Based on the attack chain and mechanisms used, organisations (especially in sensitive sectors) should consider the following:
Block / Restrict JAR Execution: Unless strictly required, disable execution of Java Archive (JAR) binaries at endpoints; use application whitelisting or execution control policies.
Limit / Monitor Use of Remote-Administration Tools: Audit legitimate deployments of remote-access software (like NetSupport). Flag any unexpected installs or active sessions; maintain strict control over who can install or use RMM/RAT tools.
Deploy Advanced Email / Attachment Defenses: Use email security solutions capable of detecting spear-phishing attempts, malicious PDFs, embedded links, and domain impersonation, especially fake government-looking domains.
User Awareness & Training: Regularly train staff/government employees to treat unsolicited PDF attachments or “official” messages with caution. Emphasize: never install or enable software (e.g., Java) just because a document asks you to.
Leverage Threat-Intelligence Feeds & Network Monitoring: Subscribe to threat-intel feeds; monitor for IoCs (see Appendix), suspicious C2 HTTP traffic, unusual startup entries or tasks, and unexpected network connections.
Implement Endpoint Detection & Response (EDR)/MDR: Especially those with heuristics for unusual behavior (unauthorised software installs, persistence mechanisms, remote-admin tool usage), even if the tool is legitimate.
Geo-fencing Awareness: Be especially cautious when working across borders: attackers may exploit regional trust and geofencing to evade detection.
Appendix: Observed IoCs & Technical Indicators
From public reporting by Group-IB and associated investigations, the following technical artifacts and behaviors have been observed:
Loader type: Java Archive (JAR), built with Java 8.
Persistence mechanisms: Scheduled Windows task; Registry “Run” key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; Batch script in Startup folder.
Payload: Outdated NetSupport RAT (NetSupport Manager, version ~2013).
Delivery method: Spear-phishing email > PDF lure > embedded link pointing to JAR download.
Evasion tactics: Fake error message on loader execution; launch-limit counter in JAR loader (limiting number of executions to reduce detection).
Infrastructure behavior: Geo-fencing of payload servers (in at least the Uzbekistan phase); external requests are redirected to a legitimate governmental site.
Note: Full technical indicators (domains, file hashes, C2 URLs) are shared in Group-IB’s private TI portal. For public use, organisations should contact relevant CTI providers or monitor open-source threat-intel feeds for updated IoC sets.
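The persistence chain described under Loader Execution & Payload Delivery and summarised in this appendix can be hunted for in process-creation telemetry. The following is an added example (not from the Group-IB report or this post): a Python check over constructed Sysmon-style events that flags a java/javaw process launching a JAR from a user-writable path whose direct children create a scheduled task, a Run key, or a Startup-folder drop. All paths, task names and file names are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry from the
# campaign): a JAR run from Downloads spawns three persistence commands, while a
# JAR run from an install directory (pid 600) is benign noise that must not alert.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Java\jre1.8.0_202\bin\javaw.exe",
     "cmd": r"javaw.exe -jar C:\Users\u\Downloads\case_materials.jar"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /tn Updater /tr C:\Users\u\AppData\Roaming\rat\payload.exe /sc onlogon"},
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\u\AppData\Roaming\rat\payload.exe"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c copy start.bat "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"'},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Java\jre1.8.0_202\bin\javaw.exe",
     "cmd": r'javaw.exe -jar "C:\Program Files\App\app.jar"'},
]

JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.I)
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.I)
# Paths a phished user (rather than an installer) would write a downloaded JAR to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\|\\Temp\\", re.I)
# The three persistence mechanisms reported for the loader.
PERSISTENCE = {
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "run_key": re.compile(r"\\CurrentVersion\\Run\b", re.I),
    "startup_folder": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
}


def find_jar_loader_persistence(events):
    """Return (java pid, jar path, sorted persistence techniques) for every
    java/javaw process that ran a JAR from a user-writable path and whose
    direct children set up at least one persistence mechanism."""
    alerts = []
    for e in events:
        if not JAVA_IMAGE.search(e["image"]):
            continue
        m = JAR_ARG.search(e["cmd"])
        jar = (m.group(1) or m.group(2)) if m else None
        if not jar or not USER_WRITABLE.search(jar):
            continue  # JARs launched from install directories are out of scope
        techniques = sorted({name for child in events if child["ppid"] == e["pid"]
                             for name, rx in PERSISTENCE.items() if rx.search(child["cmd"])})
        if techniques:
            alerts.append((e["pid"], jar, techniques))
    return alerts


if __name__ == "__main__":
    for pid, jar, techniques in find_jar_loader_persistence(SAMPLE_EVENTS):
        print(f"ALERT: java pid {pid} ran {jar}; persistence via {', '.join(techniques)}")
```

In production the same rule would read Sysmon Event ID 1 records (Image, ParentProcessId, CommandLine) instead of the inline list; the Run-key and Startup-folder patterns here match the paths named in this appendix.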