A sophisticated wave of targeted attacks against organizations throughout Russia and Uzbekistan has been launched by the cybercriminal group Stan Ghouls, also known as Bloody Wolf. The group has been active since at least 2023 and focuses heavily on the IT, finance, and manufacturing industries.

Their recent campaigns show a tactical shift toward abusing legitimate software, whereas earlier operations favored the STRRAT remote access trojan. By using the legitimate remote administration tool NetSupport Manager, the group aims to blend in with authorized administrative activity, which makes its intrusions much harder for defenders to detect. The attack chain always begins with highly targeted spear-phishing emails written in regional languages such as Uzbek. To create a sense of urgency, these messages pose as official government or legal notices.

The most recent campaign's spear-phishing email (Source: Securelist)

These emails carry malicious PDF files containing links to the next phase of the attack. When victims click these links, they unknowingly download a customized Java-based loader. This loader serves as the bridge: it retrieves the final payload and establishes the attackers' foothold inside the compromised network.

After these intrusions were first discovered, Securelist analysts found clear trends in the group's infrastructure. The researchers observed that Bloody Wolf regularly rotates its command-and-control domains, registering new ones for every campaign in order to evade blocklists. This rapid infrastructure rotation lets the group maintain a high rate of successful infections; in the most recent wave alone, nearly sixty distinct victims were identified.

The Mechanism and Persistence of Infection

The most notable feature of this campaign is how the malicious loader behaves once it is executed. To distract the victim, the malware immediately displays a fabricated error window.

False error message (Source: Securelist)

The message falsely claims that the application cannot run on the current operating system, leading the user to believe the file was simply broken.

In reality, the loader is silently checking the environment and downloading the NetSupport RAT components from a remote server. It even includes a check that terminates the loader if installation has failed three times, which helps it avoid analysis in security sandboxes. Once the files are in place, the malware aggressively establishes persistence using three redundant methods.

It adds a launch command to the Registry's Run key, creates a scheduled task, and drops a batch script called SoliqUZ_Run.bat into the Windows Startup folder. These redundant mechanisms ensure that the remote access tool runs automatically each time a user logs in.

Organizations should monitor for unauthorized remote desktop tools and closely examine process executions that originate from the Startup folder.
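As an added example (not code from the article or the Securelist report), the following Python triage correlates Sysmon-style events for the three persistence methods described above plus execution of a remote administration client, run over constructed sample telemetry. The event field names and the client binary name client32.exe (assumed to be the NetSupport Manager client) are assumptions.

```python
import re
from collections import defaultdict

# Persistence locations named in the article; a remote-admin client binary name
# (client32.exe, assumed to be the NetSupport Manager client) is the RAT marker.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
REMOTE_ADMIN_IMAGES = {"client32.exe"}

def triage(events):
    """Map host -> sorted indicators from Sysmon-style events
    (event_id 1 process create, 11 file create, 13 registry value set)."""
    seen = defaultdict(set)
    for ev in events:
        host, eid, target = ev["host"], ev["event_id"], ev.get("target", "")
        if eid == 13 and RUN_KEY.search(target):
            seen[host].add("run_key")
        elif eid == 11 and STARTUP_DIR.search(target) and target.lower().endswith(".bat"):
            seen[host].add("startup_script")
        elif eid == 1:
            image, cmd = ev.get("image", ""), ev.get("cmdline", "")
            if image.lower().endswith("schtasks.exe") and "/create" in cmd.lower():
                seen[host].add("scheduled_task")
            if STARTUP_DIR.search(image) or STARTUP_DIR.search(cmd):
                seen[host].add("startup_exec")  # something launched out of Startup
            if image.lower().rsplit("\\", 1)[-1] in REMOTE_ADMIN_IMAGES:
                seen[host].add("remote_admin_tool")
    return {h: sorted(s) for h, s in seen.items()}

def severity(indicators):
    """Redundant persistence plus a remote-admin tool mirrors the campaign pattern."""
    persistence = {"run_key", "scheduled_task", "startup_script"} & set(indicators)
    if "remote_admin_tool" in indicators and len(persistence) >= 2:
        return "high"
    return "medium" if persistence or "remote_admin_tool" in indicators else "low"

# Constructed sample telemetry (not from the report). WS01 shows the full chain;
# WS02 has only an ordinary Run entry and would be allowlisted in practice.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc onlogon /tn ExampleTask /tr "C:\Users\u\AppData\Roaming\x\client32.exe"'},
    {"host": "WS01", "event_id": 11, "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoliqUZ_Run.bat"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoliqUZ_Run.bat"'},
    {"host": "WS01", "event_id": 1, "image": r"C:\Users\u\AppData\Roaming\x\client32.exe", "cmdline": "client32.exe"},
    {"host": "WS02", "event_id": 13, "target": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
```

A scheduled task created through the Task Scheduler API rather than schtasks.exe would not appear as a process-create event, so in production the check should also consume Task Scheduler operational log entries.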