A campaign aimed at Russia and Uzbekistan to infect systems with the remote access trojan NetSupport RAT has been connected to the threat actor Bloody Wolf This article explores owl targeted russian. . Under the alias Stan Ghouls, cybersecurity provider Kaspersky is monitoring the activity.

Since at least 2023, the threat actor has been known to be active, planning spear-phishing attacks against the IT, manufacturing, and finance sectors in Kazakhstan, Kyrgyzstan, Uzbekistan, and Russia. According to estimates, the campaign affected ten devices in Russia and claimed roughly fifty victims in Uzbekistan. To a lesser extent, additional infections have been found in Belarus, Serbia, Kazakhstan, and Turkey.

According to Positive Technologies, "the group changed the tactics of initial access, shifting the focus of attention from the exploitation of 1-day vulnerabilities in corporate services available from the internet (e.g., Microsoft Exchange) to the penetration of the infrastructure of the main target through contractors." A previously unidentified threat actor called Punishing Owl has also targeted Russian state institutions, scientific businesses, and IT organizations by stealing and leaking data on the dark web. The group, which has been active since December 2025 and has one of its social media accounts run from Kazakhstan, is thought to be a politically motivated hacktivist organization.

Phishing emails are used in the attacks, along with a password-protected ZIP file that, when opened, contains a Windows shortcut (LNK) that looks like a PDF document. When the LNK file is opened, a PowerShell command is run that downloads ZipWhisper, a stealer, from a distant server in order to gather private information and upload it to the same server.