
Bloody Wolf NetSupport RAT Campaign
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
Bloody Wolf is a pro-Ukrainian hacktivist group that emerged in early 2025. The group conducts disruptive cyberattacks against Russian government institutions, state-owned enterprises, critical infrastructure, and pro-Russian media outlets, often combining data breaches, leaks, website defacements, and DDoS attacks to support Ukraine in the ongoing conflict.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
MITRE ATT&CK Detection Strategy Table
| Detection Strategy Name | ID | Analytic ID | Analytic Description |
| --- | --- | --- | --- |
| | | AN1101 | Monitor for the use of schtasks.exe and at.exe. Detect tasks running under the SYSTEM context or triggered from unusual/non-standard user directories. |
| | | AN1102 | Track modifications in the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and new file creations in C:\Windows\System32\Tasks. |
| | | AN1103 | Monitor RPC (Remote Procedure Call) traffic to detect remote scheduled task creation via the atsvc interface and analyze source/destination IP addresses. |
| | | AN1104 | Audit security logs (Event IDs 4698, 4702) for task creation/modification events and correlate them with unauthorized privilege escalation attempts by non-admin users. |
| | | AN1105 | Monitor Windows API calls such as BitBlt, GetDC, and StretchBlt. Detect unsigned or untrusted processes calling screen capture functions with high frequency. |
| | | AN1106 | Audit command-line parameters and output files of built-in OS utilities (e.g., SnippingTool.exe, PSR.exe) when executed in suspicious or automated contexts. |
| | | AN1107 | Monitor the SetWindowsHookEx API for keyboard hooking (WH_KEYBOARD) and the GetAsyncKeyState API for suspicious polling activity by background processes. |
| | | AN1108 | Track device driver loading events (Event ID 7045) to detect the installation of low-level keyboard filter drivers or unauthorized kernel-level modules. |
| | | AN1109 | Monitor .js file execution by wscript.exe or cscript.exe. Analyze command lines for -e (execute) flags or heavily obfuscated/encoded script content. |
| | | AN1110 | Utilize Antimalware Scan Interface (AMSI) logs to capture and analyze malicious JavaScript code snippets executed in-memory that do not have a corresponding file on disk. |
| | | AN1111 | Audit parent-child process relationships for files downloaded by browsers or email clients (identified by Zone.Identifier:3) at the moment of execution. |
| | | AN1112 | Check digital signatures and hash values of executables (EXE, MSI, ISO) written to and executed from user profile directories like \AppData\Local\Temp. |
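As an added example that is not part of this page or of MITRE's own analytics, the Python below applies four of the table's analytics (AN1101, AN1109, AN1111, AN1112) to simplified, constructed process-creation records; the field names, sample paths, file names and thresholds are assumptions, and real telemetry would come from Sysmon Event ID 1 or Security Event ID 4688.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")  # long base64-looking run (assumed threshold)

def analyze(event):
    """Return the analytic IDs a single process-creation event trips ([] = clean)."""
    hits = []
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    cmd = event.get("cmdline", "")
    # AN1101: schtasks.exe/at.exe creating a task that runs as SYSTEM or whose action sits under a user directory
    if image in {"schtasks.exe", "at.exe"} and (
            re.search(r"/ru\s+system\b", cmd, re.I) or re.search(r"\\Users\\", cmd, re.I)):
        hits.append("AN1101")
    # AN1109: script host running a .js file, using an -e flag, or carrying a long encoded blob
    if image in SCRIPT_HOSTS and (re.search(r"\.js\b", cmd, re.I)
                                  or re.search(r"(^|\s)-e\b", cmd, re.I) or B64_RUN.search(cmd)):
        hits.append("AN1109")
    # AN1111: downloaded file (Zone.Identifier ZoneId=3) launched from a browser, mail client or the shell
    if parent in LAUNCHERS and event.get("zone_id") == 3:
        hits.append("AN1111")
    # AN1112: EXE/MSI/ISO executed from \AppData\Local\Temp without a trusted signature
    if (image.endswith((".exe", ".msi", ".iso")) and USER_TEMP.search(event["image"])
            and not event.get("signed", False)):
        hits.append("AN1112")
    return hits

def triage(events):
    """Map each event's image path to the analytics it trips, skipping clean events."""
    return {e["image"]: h for e in events if (h := analyze(e))}

# Constructed sample telemetry (not from any real incident); paths and names are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"', "user": r"CORP\alice",
     "zone_id": 3, "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update_client.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "update_client.exe",
     "user": r"CORP\alice", "zone_id": None, "signed": False},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\update_client.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\svc\run.exe" /ru SYSTEM /sc onlogon',
     "user": r"CORP\alice", "zone_id": None, "signed": True},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe", "user": r"CORP\alice", "zone_id": None, "signed": True},
]
```

Running `triage(SAMPLE_EVENTS)` flags the script host, the Temp-resident executable and the scheduled-task creation while leaving the notepad.exe record out of the result.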