
Bloody Wolf demonstrates one of the most instructive principles in modern threat intelligence: you don’t need sophisticated malware to run a sophisticated operation. Active since late 2023 and tracked in a joint investigation between Group-IB and UKUK, this APT group has built a persistent and expanding foothold across Central Asia using commercially available or legitimate tools and a single, highly effective social engineering approach — impersonating government institutions to make victims open the door themselves.
The group’s early campaigns deployed STRRAT, a commercial remote access trojan. Recognizing that legitimate tools are significantly harder to detect than malware, Bloody Wolf pivoted to NetSupport Manager — a widely trusted remote administration tool used in certain corporate and government environments. By embedding malicious Java Archive (JAR) download links within PDF lures that convincingly replicate official Ministry of Justice communications, the group tricks victims into installing what appears to be a legitimate software requirement. What actually runs is a persistent remote access channel, invisible to most security controls.
In the Uzbekistan expansion phase (October 2025 onward), the group deployed geo-fenced delivery infrastructure: requests from outside Uzbekistan were redirected to a legitimate government website, while in-country requests triggered an automatic download of the malicious payload. The operational precision this reflects signals a group that is adapting, not improvising — and methodically expanding across Central Asia.
Key Numbers:
— 550+ confirmed victims across campaign phases
— 4 countries targeted in documented campaigns: Kazakhstan, Russia, Kyrgyzstan, Uzbekistan
— 3 confirmed affiliated subclusters
— Operational from December 2023 — still active at time of publication
— Lure documents produced in 4 languages: Kyrgyz, Uzbek, Russian, partly Kazakh
Central Asia (primary) — Kazakhstan, Uzbekistan, Kyrgyzstan. Russia (secondary).
Initial operations deploying STRRAT commercial malware against government, financial services, and IT sector targets. First documented Bloody Wolf activity.
Campaigns targeting Kazakhstan and Russia marked the first observed use of the legitimate NetSupport RAT by the threat actor. The activity was also notable for the use of Telegram bots to facilitate data exfiltration.
Spear-phishing impersonating the Ministry of Justice using official-looking PDF lures and government-spoofing domains, delivering NetSupport RAT via malicious JAR files. Joint investigation with UKUK.
Rapid geographic expansion using proven TTPs with geo-fenced delivery infrastructure — in-country victims receive malicious payloads; international traffic is redirected to a legitimate government website.
The attack chain is deceptively simple and highly effective. It begins with a convincing spear-phishing email, progresses through malicious JAR file download links embedded in a PDF lure, and ends with a persistent remote access channel via NetSupport Manager — a tool so common in enterprise environments that it rarely triggers security alerts.
The group registers government-spoofing domains and crafts PDF lures that convincingly replicate official communications from Ministries of Justice and other government bodies. Lures are produced in local target languages (Kyrgyz, Uzbek, Russian), indicating either native-language operators or deliberate language capability investment. The PDF instructs the victim to install what appears to be a required software component.
Embedded links within the PDF lures lead to the download of malicious JAR files. A custom-built JAR generator — identified by Group-IB — produces multiple unique payload samples per distribution wave, reducing signature-based detection efficacy. Early campaigns used STRRAT; later campaigns pivoted to NetSupport Manager for persistence.
NetSupport Manager is a legitimate commercial remote administration platform. Once installed, it provides the operators with full persistent remote access that blends seamlessly with legitimate IT management traffic. The use of legitimate tools is a deliberate evasion choice — malware-focused detection rules and EDR signatures do not flag authorized commercial software.
In the Uzbekistan phase, delivery infrastructure was geo-fenced: international requests were redirected to a legitimate government website (appearing benign to security researchers and automated scanners), while in-country Uzbekistan requests received the malicious payload automatically. This limits exposure of malicious infrastructure to the target audience only.
What makes Bloody Wolf persistent is precisely what makes it difficult to catch. The group doesn't rely on bespoke malware — it relies on tools that are already trusted in the environments it targets. What we look for instead is context: who installed it, when, from what parent process, and whether the lure that preceded it looked like a Ministry communication in Kyrgyz or Uzbek. That combination — legitimate tooling, local-language social engineering, and geo-fenced delivery — is a deliberately low-signature operation.
Block JAR file execution on user endpoints unless explicitly required by business operations. Bloody Wolf's entire payload delivery relies on victims executing a JAR file.
Alert on unauthorized installations and flag sessions originating from unusual network locations or outside business hours.
Bloody Wolf's entire initial access chain begins with a convincing phishing email — this is the most critical control point.
Train employees to scrutinize unexpected government communications urging PDF download or software installation, particularly in Central Asian government and financial sector organizations.
including documented network indicators and JAR file hashes published in Group-IB's November 2025 research.
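The context-based detection described above (who launched the JAR, from what parent, and whether the remote-admin client appeared outside business hours) as an added example; this is illustrative code, not Group-IB's or the investigation's tooling. The parent-process names, the user-writable paths, the remote-admin image name and the sample telemetry are all assumed or constructed here.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed parent images that open the PDF lure or fetch the JAR link.
LURE_PARENTS = {"acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Assumed user-writable directories where a downloaded JAR would land.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
# Assumed image name of the remote administration client to review.
REMOTE_ADMIN = {"client32.exe"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, assumed

@dataclass
class ProcEvent:
    ts: str        # ISO-8601 local timestamp of process creation
    user: str
    parent: str    # parent image name
    image: str     # created image name
    cmdline: str

def triage(ev: ProcEvent) -> list[str]:
    """Return the reasons this event matches the lure-to-RAT chain (empty if none)."""
    reasons = []
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    hour = datetime.fromisoformat(ev.ts).hour
    if image in {"java.exe", "javaw.exe"} and ".jar" in cmd:
        if any(p in cmd for p in USER_WRITABLE):
            reasons.append("jar from user-writable path")
        if parent in LURE_PARENTS:
            reasons.append(f"jar launched by {parent}")
    if image in REMOTE_ADMIN:
        if hour not in BUSINESS_HOURS:
            reasons.append("remote-admin client started outside business hours")
        if parent in {"java.exe", "javaw.exe"}:
            reasons.append("remote-admin client spawned by java")
    return reasons

# Constructed sample telemetry; none of these values are real indicators.
SAMPLE = [
    ProcEvent("2025-10-14T10:22:05", "corp\\a.karimov", "AcroRd32.exe", "javaw.exe",
              r"javaw.exe -jar C:\Users\a.karimov\Downloads\ministry_form.jar"),
    ProcEvent("2025-10-14T23:41:17", "corp\\a.karimov", "javaw.exe", "client32.exe",
              r"C:\Users\a.karimov\AppData\Roaming\NSM\client32.exe"),
    ProcEvent("2025-10-14T11:00:00", "corp\\svc-build", "explorer.exe", "javaw.exe",
              r"javaw.exe -jar C:\Program Files\BuildTool\tool.jar"),
    ProcEvent("2025-10-14T09:30:00", "corp\\it-admin", "services.exe", "client32.exe",
              r"C:\Program Files\NetSupport\client32.exe"),
]

def run(events=SAMPLE) -> dict[int, list[str]]:
    """Map event index to its reasons for every event that needs analyst review."""
    return {i: r for i, ev in enumerate(events) if (r := triage(ev))}
```

The two benign events (a JAR under Program Files launched from Explorer, and the remote-admin client started by the service manager during business hours) produce no reasons, which is the point: the tool itself is not the signal, its context is.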
Bloody Wolf is an APT group, active since late 2023 and still tracked by Group-IB, that targets government agencies and financial institutions across Central Asia through government impersonation spear-phishing campaigns. Despite using commercially available tools rather than custom malware, the group has compromised 550+ victims across Kazakhstan, Russia, Kyrgyzstan, and Uzbekistan. Its continued geographic expansion and operational adaptation make it a credible ongoing threat.
Legitimate remote administration tools like NetSupport Manager are present in enterprise and government environments as standard IT infrastructure. Malware-focused endpoint detection rules and EDR signatures do not flag authorized commercial software, which makes such tools significantly harder to detect than purpose-built trojans. Bloody Wolf’s pivot from STRRAT to NetSupport Manager reflects a deliberate operational security choice: blend in with the IT environment rather than trigger malware detection.
In the Uzbekistan campaign, Bloody Wolf deployed delivery infrastructure that inspects the source IP address of incoming requests. Requests from outside Uzbekistan are redirected to a legitimate government website — appearing benign to automated security scanners and international researchers. Requests from within Uzbekistan receive the malicious payload automatically. This limits exposure of the malicious infrastructure to the actual target audience only, reducing the window for security researchers to identify and take down the campaign infrastructure.
The group produces lure documents in Kyrgyz, Uzbek, and Russian — matching the official languages of its target countries. This level of localization indicates either native-language operators within the group, or a deliberate investment in language capability, and reflects an operational sophistication that goes well beyond simply reusing English-language lure templates.
The most critical control is blocking JAR file execution on user endpoints — Bloody Wolf’s entire payload delivery depends on victims executing a JAR file presented as a legitimate software requirement. Combined with Business Email Protection to detect spear-phishing and government domain impersonation, and employee awareness training around fake government communications, organizations can close the key entry points this group exploits.
State affiliation has not been confirmed. However, the group’s consistent targeting of important sectors across multiple Central Asian countries, its use of persistent remote access tools (rather than ransomware or destructive malware that would indicate financial motivation), and its investment in target-language lure production are all consistent with state-directed or state-aligned espionage objectives rather than financially motivated cybercrime. Group-IB does not make attribution claims not supported by available evidence.