Bloody Wolf, a threat actor that uses custom Java loaders to target the manufacturing, finance, and IT sectors, has launched spear-phishing attacks against companies in Uzbekistan and Russia that deliver the NetSupport RAT through a malicious JAR file. The cluster, tracked as Stan Ghouls, has been active since 2023 and has targeted Kyrgyzstan, Kazakhstan, Uzbekistan, and Russia.

The most recent campaign was centered on Uzbekistan, infecting roughly 50 people there, 10 in Russia, and possibly a few in Kazakhstan, Turkey, Serbia, and Belarus. The attackers send emails posing as court notices written in regional languages such as Uzbek. One sample carries the PDF attachment E-SUD_705306256_ljro_varaqasi.pdf (MD5: 7556e2f5a8f7d7531f28508f718cb83d), which alerts the recipient to a "court notice" and a "retrial application." The PDF links to a malicious JAR file (MD5: 95db93454ec1d581311c832122d21b20) hosted on domains such as mysoliq-uz[.]com or my-xb[.]com; the victim is first persuaded to install the Java Runtime so that the JAR can run.

The loader displays a fictitious error message, "This application cannot be run in your OS", while it continues working in the background. It downloads 20 NetSupport RAT files, including client32.exe, PCICHEK.DLL, and client32.ini, from backup domains and limits itself to fewer than three install attempts per machine.

Phishing email from a prior Stan Ghouls campaign (source: securelist)

Spear-phishing email from the most recent campaign (source: securelist)

After the download, the loader generates run.bat to start the RAT, checks that client32.exe is present, and establishes persistence in three different ways: a registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), a scheduled task (schtasks /TN malicious /TR run.bat /SC ONLOGON, i.e. run at every logon), and a batch script dropped in the Startup folder (SoliqUZ_Run.bat).

This gives the attackers full remote control of the host, which they can use for espionage or for stealing money from bank accounts.

The group previously used STRRAT; it now abuses the legitimate NetSupport remote administration tool and rotates its infrastructure frequently, with more than 35 domains already linked to it.

Decoy document embedded in the JAR (source: securelist)

The victims, over 60 in total, span sectors including manufacturing, finance, IT, government, logistics, health, and education (source: securelist), and running an operation of this size under manual control points to significant resources. Kaspersky links the activity to Bloody Wolf on the basis of the rare Java loaders, identical decoy PDFs, and matching Java code snippets.

False error message shown by the loader (source: securelist)

Securelist also notes that Mirai IoT botnet files, Morte.arm and Morte.x86, were first seen in May 2025 on an earlier domain (hgame33[.]com). This may mean the server was shared with another operator or, with low confidence, that Stan Ghouls also has an interest in IoT devices. To protect yourself, scan PDF attachments, block Java from running JAR files fetched from untrusted links, and watch for NetSupport artifacts (client32.exe, client32.ini, PCICHEK.DLL) in unusual locations, changes to the Run key, new logon-triggered scheduled tasks, and unfamiliar scripts in the Startup folder.
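The three persistence mechanisms described earlier (Run key, ONLOGON scheduled task, Startup folder script) and the NetSupport file set are all cheap to check for on an endpoint. The PowerShell hunt below is an added example written for this page, not code from the Securelist report or from Kaspersky; it uses only the file names and registry path given in the article. The search roots for the NetSupport file set (user profile, ProgramData, TEMP) are an assumption that a legitimate NetSupport install would live under Program Files instead.

```powershell
# Hunt for the Stan Ghouls / Bloody Wolf persistence and NetSupport artefacts.
# Indicators (run.bat, client32.exe, client32.ini, PCICHEK.DLL, SoliqUZ_Run.bat,
# HKCU Run key) are from the article; search roots below are an assumption.
$findings = New-Object System.Collections.Generic.List[string]

# 1. HKCU Run key: values whose command line references the loader's batch file or the RAT.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSProvider, etc.
        if ("$($p.Value)" -match 'run\.bat|client32\.exe|SoliqUZ') {
            $findings.Add("Run key value '$($p.Name)' -> $($p.Value)")
        }
    }
}

# 2. Scheduled tasks with a logon trigger (what schtasks /SC ONLOGON creates)
#    whose action runs run.bat or client32.exe.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task  = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { return }
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'run\.bat|client32\.exe') {
            $findings.Add("Logon task '$($task.TaskPath)$($task.TaskName)' -> $cmd")
        }
    }
}

# 3. Startup folders (per-user and all-users): any script is worth a look,
#    SoliqUZ_Run.bat is the known indicator.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse -Include *.bat, *.cmd, *.vbs, *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $flag = if ($_.Name -ieq 'SoliqUZ_Run.bat') { 'KNOWN IOC' } else { 'review' }
            $findings.Add("Startup item ($flag): $($_.FullName)")
        }
}

# 4. NetSupport client set (client32.exe + client32.ini + PCICHEK.DLL in one directory)
#    under user-writable roots. Assumption: a sanctioned install would be under Program Files.
$roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Sort-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter client32.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir      = $_.DirectoryName
            $siblings = @('client32.ini', 'PCICHEK.DLL' | Where-Object { Test-Path (Join-Path $dir $_) })
            if ($siblings.Count -eq 2) {
                $findings.Add("NetSupport client set in $dir (client32.exe, client32.ini, PCICHEK.DLL)")
            }
        }
}

if ($findings.Count -eq 0) {
    'No matches for the described persistence or NetSupport artefacts.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it in the context of the user who opened the attachment, since the Run key and the per-user Startup folder are under HKCU and the user profile; Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later). A hit in section 4 on a machine that has never deployed NetSupport is a strong signal on its own; hits in sections 1 to 3 should be reviewed against the full command line, because the same script names could appear in benign logon automation.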

Deploy EDR and keep infrastructure-based detections (domains and file hashes) up to date. Kaspersky products block every stage of the chain. This well-resourced group concentrates on phishing in local languages across the CIS region and continuously refines its tooling, so sustained vigilance is required.