The threat actor known as Bloody Wolf has been linked to a cyberattack campaign targeting Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT. By October 2025, the activity had expanded to include Uzbekistan, according to a report by Group IB researchers Amirbek Kurbanov and Volen Kayo, in collaboration with the Prosecutor General's office of the Kyrgyz Republic. The attacks focused on the finance, government, and information technology sectors.
Espionage Targeting Central Asia
Bloody Wolf, a hacking group of unknown origin active since late 2023, has historically used spear phishing to target entities in Kazakhstan and Russia. This campaign marks an expansion into Kyrgyzstan and Uzbekistan using similar initial access techniques.
The threat actors impersonated Kyrgyzstan's Ministry of Justice through official looking PDF documents and domain names. These hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT. Group IB stated this combination of social engineering and accessible tooling allows Bloody Wolf to remain effective while keeping a low operational profile.
Attack Chain and Persistence
The attack chains trick message recipients into clicking on links that download malicious JAR loader files along with instructions to install Java Runtime. The email falsely claims this installation is necessary to view the documents, but it actually executes the loader.
Once launched, the loader fetches the next stage payload, the NetSupport RAT, from attacker controlled infrastructure. It then establishes persistence in three ways:
- Creating a scheduled task.
- Adding a Windows Registry value.
- Dropping a batch script to the Startup folder.
The Uzbekistan phase of the campaign incorporated geofencing restrictions. Requests originating outside the country were redirected to a legitimate government website. However, requests from within Uzbekistan triggered the download of the malicious JAR file embedded within the PDF attachment.
The attackers utilize older tools; the JAR loaders are built with Java 8, and the NetSupport RAT payload is an old version of NetSupport Manager from October 2013. Group IB concluded that Bloody Wolf demonstrates how low cost, commercially available tools can be weaponized into sophisticated, regionally targeted cyber operations. By exploiting trust in government institutions and using simple JAR based loaders, the group maintains a strong foothold across the Central Asian threat landscape.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
