Bloody Wolf NetSupport RAT Campaign

Tags: Bloody Wolf, NetSupport RAT, Stan Ghouls, Spear-Phishing, STRRAT, Strigoi Master, Mirai botnet, ExCobalt, Punishing Owl, Vortex Werewolf, ZipWhisper
The Bloody Wolf threat actor is conducting a spear-phishing campaign targeting organizations in Uzbekistan and Russia. The campaign utilizes malicious PDF attachments in phishing emails to deliver the NetSupport RAT (Remote Access Trojan). This campaign has impacted various sectors, including manufacturing, finance, IT, government, logistics, medical facilities, and educational institutions. The threat actor's motives are believed to be primarily financial gain, with a potential secondary objective of cyber espionage.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Bloody Wolf (UA)

Bloody Wolf is a pro-Ukrainian hacktivist group that emerged in early 2025. The group conducts disruptive cyberattacks against Russian government institutions, state-owned enterprises, critical infrastructure, and pro-Russian media outlets, often combining data breaches, leaks, website defacements, and DDoS attacks to support Ukraine in the ongoing conflict.

Stan Ghouls

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

MITRE ATT&CK Detection Strategy Table

Detection Strategy Name | ID | Analytic ID | Analytic Description
Scheduled Task (T1053.005) | DET0441 | AN1101 | Monitor for the use of schtasks.exe and at.exe. Detect tasks running under the SYSTEM context or triggered from unusual/non-standard user directories.
Scheduled Task (T1053.005) | DET0442 | AN1102 | Track modifications in the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and new file creations in C:\Windows\System32\Tasks.
Scheduled Task (T1053.005) | DET0443 | AN1103 | Monitor RPC (Remote Procedure Call) traffic to detect remote scheduled task creation via the atsvc interface and analyze source/destination IP addresses.
Scheduled Task (T1053.005) | DET0444 | AN1104 | Audit security logs (Event IDs 4698, 4702) for task creation/modification events and correlate them with unauthorized privilege escalation attempts by non-admin users.
Screen Capture (T1113) | DET0445 | AN1105 | Monitor Windows API calls such as BitBlt, GetDC, and StretchBlt. Detect unsigned or untrusted processes calling screen capture functions with high frequency.
Screen Capture (T1113) | DET0446 | AN1106 | Audit command-line parameters and output files of built-in OS utilities (e.g., SnippingTool.exe, PSR.exe) when executed in suspicious or automated contexts.
Keylogging (T1056.001) | DET0447 | AN1107 | Monitor the SetWindowsHookEx API for keyboard hooking (WH_KEYBOARD) and the GetAsyncKeyState API for suspicious polling activity by background processes.
Keylogging (T1056.001) | DET0448 | AN1108 | Track device driver loading events (Event ID 7045) to detect the installation of low-level keyboard filter drivers or unauthorized kernel-level modules.
JavaScript (T1059.007) | DET0449 | AN1109 | Monitor .js file execution by wscript.exe or cscript.exe. Analyze command lines for -e (execute) flags or heavily obfuscated/encoded script content.
JavaScript (T1059.007) | DET0450 | AN1110 | Utilize Antimalware Scan Interface (AMSI) logs to capture and analyze malicious JavaScript code snippets executed in-memory that do not have a corresponding file on disk.
Malicious File (T1204.002) | DET0451 | AN1111 | Audit parent-child process relationships for files downloaded by browsers or email clients (identified by Zone.Identifier:3) at the moment of execution.
Malicious File (T1204.002) | DET0452 | AN1112 | Check digital signatures and hash values of executables (EXE, MSI, ISO) written to and executed from user profile directories like \AppData\Local\Temp.
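As an added example (not part of the original page or of any vendor's detection content), the following script applies four of the analytics from the table above (AN1101, AN1104, AN1109, AN1112) to a handful of constructed Windows events. The event dictionaries, their field names and the sample paths are assumptions modelled loosely on Security 4688 and 4698 records, not telemetry from this campaign.

```python
import re

# Constructed sample events (not real telemetry); field names are assumptions
# loosely modelled on Security 4688 (process creation) / 4698 (task created).
EVENTS = [
    {"id": 4688, "image": r"C:\Windows\System32\schtasks.exe", "user": "HOST\\u",
     "cmdline": r"schtasks /create /tn Upd /tr C:\Users\u\AppData\Local\Temp\client32.exe /ru SYSTEM"},
    {"id": 4698, "task": r"\Upd", "user": "HOST\\u", "is_admin": False},
    {"id": 4688, "image": r"C:\Windows\System32\wscript.exe", "user": "HOST\\u",
     "cmdline": r"wscript.exe //e:jscript C:\Users\u\Downloads\invoice.pdf.js"},
    {"id": 4688, "image": r"C:\Users\u\AppData\Local\Temp\client32.exe", "user": "HOST\\u",
     "cmdline": "client32.exe"},
    {"id": 4688, "image": r"C:\Windows\System32\notepad.exe", "user": "HOST\\u",
     "cmdline": "notepad.exe"},
]

USER_DIR = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)", re.I)
EXEC_FLAG = re.compile(r"(^|\s)(-e|//e:)", re.I)
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")  # crude "encoded content" heuristic

def evaluate(ev):
    """Return the analytic IDs (from the table above) that fire on one event."""
    hits = []
    if ev["id"] == 4698:
        if not ev["is_admin"]:
            hits.append("AN1104")  # task created by a non-admin user
        return hits
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image.endswith(("schtasks.exe", "at.exe")) and (
            "/ru system" in cmd.lower() or USER_DIR.search(cmd)):
        hits.append("AN1101")  # SYSTEM task, or task body living in a user directory
    if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\.js\b", cmd, re.I) and (
            EXEC_FLAG.search(cmd) or LONG_TOKEN.search(cmd)):
        hits.append("AN1109")  # script host running .js with an engine/-e flag or encoded blob
    if image.endswith((".exe", ".msi", ".iso")) and USER_DIR.search(image):
        hits.append("AN1112")  # executable launched from a user profile directory
    return hits

def run(events=EVENTS):
    """Map each event's index to the analytics it triggered; silent events are dropped."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}

if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits)
```

The AN1112 rule here only checks the launch directory; the signature and hash checks the analytic also calls for would be layered on top of this triage step.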

Observed Countries (7)

BY (704)
KG (581)
KZ (227)
RS (515)
RU (296)
TR (264)
UZ (491)