The hacking group known as Bloody Wolf has been actively targeting Central Asian entities, specifically launching a campaign against Kyrgyzstan that began in June 2025 before expanding its operations to include Uzbekistan by October 2025. This activity, which has been monitored by researchers, focuses on delivering the NetSupport Remote Access Trojan (RAT) to organizations within the finance, government, and information technology sectors. The group has been operational since at least late 2023, previously striking targets in Kazakhstan and Russia, and now appears to be escalating its regional focus, leveraging similar initial access techniques across the expanded threat landscape.
The core of the attack relies on effective social engineering, where the threat actors impersonate official government bodies, such as the Kyrgyz Republic’s Ministry of Justice. They use official-looking PDF documents and domain names to host malicious Java Archive (JAR) files. Recipients are tricked via spear-phishing emails into clicking weaponized links or opening attachments, ultimately leading them to download the malicious JAR loader. This combination of exploiting institutional trust and utilizing readily accessible tooling has allowed Bloody Wolf to maintain a highly effective but low operational profile throughout the campaign.
The technical execution of the attack chains follows a consistent, multi-stage approach. Users who click the malicious links are prompted to download the JAR loader files, along with deceptive instructions to install Java Runtime under the guise that it is necessary to view the document. Once the loader is executed, it establishes communication with attacker-controlled infrastructure to fetch the final payload, which is the NetSupport RAT. Furthermore, the attackers ensure persistence on the compromised system by employing three methods: creating a scheduled task, adding a value to the Windows Registry, and dropping a batch script into the user’s Startup folder.
A notable feature of the campaign’s Uzbekistan phase is the incorporation of geofencing restrictions. This tactic ensures that requests originating from outside the country are benignly redirected to the legitimate data.egov[.]uz website. However, when requests are detected as originating from within Uzbekistan, the embedded link within the PDF attachment is triggered to deliver the malicious JAR file. Researchers have noted that the JAR loaders used by Bloody Wolf are built with an older version of Java 8 and are believed to be generated using a bespoke template, while the NetSupport RAT payload itself is an outdated version from October 2013.
The success of Bloody Wolf underscores a significant trend in contemporary cybercrime, demonstrating how low-cost and commercially available tools can be weaponized into sophisticated, yet regionally targeted, cyber operations. By effectively exploiting trust in government institutions and leveraging simple, template-based JAR loaders, the group has managed to establish and maintain a strong foothold across the Central Asian threat landscape. This pattern of activity highlights the enduring effectiveness of combining social engineering with easily accessible malicious utilities for widespread regional compromise.
Reference:
