A widening cyber campaign using legitimate remote-access software to infiltrate government targets has been identified by cybersecurity researchers.
The operation, discovered by Group-IB and UKUK and carried out by the Bloody Wolf advanced persistent threat (APT) group, shows a shift from traditional malware to a streamlined Java-based delivery method that deploys the NetSupport remote administration tool (RAT).
The firms noted that, since it became active late in 2023, the Bloody Wolf group has continued to refine its techniques.
Activity Spreads Beyond Initial Targets
Advisories published this week report the discovery of a sustained campaign operated by Bloody Wolf in Kyrgyzstan since at least June 2025, before extending its reach to Uzbekistan by early October.
Analysts observed that the group continues to impersonate the targeted country’s Ministry of Justice through convincing PDF documents, spoofed domains and instructions urging victims to install Java to view supposed case materials. Short messages embedded in the lures help the attackers preserve a sense of legitimacy.
The researchers attributed the findings to a joint investigation drawing on threat intelligence data and analysis of the threat group’s infrastructure.
They noted that the Uzbekistan infrastructure was configured with geofencing, redirecting anyone outside the country to a legitimate government site while serving malicious JAR downloads to local users.
How the Infection Chain Works
Once a victim opens the downloaded JAR file, the loader retrieves additional components and ultimately installs NetSupport RAT for remote control. The loaders, built using Java 8, contain a single class and no obfuscation. Although small, they automate several tasks:
- Fetching NetSupport binaries over HTTP
- Adding persistence via autorun entries
- Creating scheduled tasks
- Displaying fake error messages to distract users
These loaders also include a launch-limit counter, set to 3 and stored in the user profile directory, so the malware runs only that many times before stopping, reducing the chance of drawing attention.
Analysts also said the group leverages a custom JAR generator to mass-produce samples with varying download paths, registry entries and error messages.
While the actors previously used STRRAT, they now rely on an older 2013 version of NetSupport Manager, likely sourced from publicly available licenses.
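From the detection side, the chain described above leaves a recognisable process-tree pattern: a Java runtime spawning scheduled-task creation, an autorun Run-key write, or an executable dropped under the user profile. The script below, an added illustration rather than code from the report or from Group-IB, applies those three rules to constructed Sysmon-style process-creation events; the file names, paths and task names in the sample events are invented for the example.

```python
import re
from pathlib import PureWindowsPath

JAVA_IMAGES = {"java.exe", "javaw.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.IGNORECASE)
JRE = r"C:\Program Files\Java\jre1.8.0_202\bin\javaw.exe"  # constructed parent path

# Constructed process-creation events for illustration; not taken from the report.
EVENTS = [
    {"parent": JRE, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\u\AppData\Roaming\svc\client32.exe"},
    {"parent": JRE, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\u\AppData\Roaming\svc\client32.exe"},
    {"parent": JRE, "image": r"C:\Users\u\AppData\Roaming\svc\client32.exe",
     "cmdline": r"C:\Users\u\AppData\Roaming\svc\client32.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /query"},  # benign: not Java-spawned
    {"parent": JRE, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe 0xffffffff"},  # Java-spawned but harmless
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the behaviour tags one event matches (empty set if none)."""
    if basename(event["parent"]) not in JAVA_IMAGES:
        return set()  # rules only fire on children of a Java runtime
    child = basename(event["image"])
    cmd = event["cmdline"].lower()
    tags = set()
    if child == "schtasks.exe" and "/create" in cmd:
        tags.add("scheduled_task")
    if child == "reg.exe" and " add " in cmd and RUN_KEY.search(cmd):
        tags.add("autorun")
    if "\\appdata\\" in event["image"].lower() and child.endswith(".exe"):
        tags.add("exec_from_profile")
    return tags

def detect(events):
    """Return [(index, sorted tags)] for every event that matched a rule."""
    hits = [(i, sorted(classify(ev))) for i, ev in enumerate(events)]
    return [(i, tags) for i, tags in hits if tags]

def chain_complete(events):
    """True when the host shows Java-spawned persistence plus execution from the profile."""
    seen = {t for _, tags in detect(events) for t in tags}
    return "exec_from_profile" in seen and bool(seen & {"scheduled_task", "autorun"})

if __name__ == "__main__":
    for index, tags in detect(EVENTS):
        print(index, EVENTS[index]["image"], tags)
    print("chain complete:", chain_complete(EVENTS))
```

Individually each tag is noisy (administrators also create tasks), so the `chain_complete` check is the one worth alerting on; the single tags are better used as hunting pivots.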
The report concludes that this mixture of social engineering and low-cost tools allows Bloody Wolf to maintain a steady operational tempo across Central Asia.
“This combination of social engineering and accessible tooling allows Bloody Wolf to remain effective while keeping a low operational profile. Its shift from traditional malware to legitimate remote-administration software indicates an ongoing evolution of tactics aimed at evading detection and blending into normal IT activity,” Group-IB wrote.
“Given the group’s adaptability and persistence, organizations in Central Asia should remain vigilant for expected continued spear-phishing activity and evolving infection chains in the near future.”