Bloody Wolf Expands Java-Based NetSupport RAT Attacks in Kyrgyzstan and Uzbekistan

28.11.2025 2 minutes Author: Newsman

The hacker group known as Bloody Wolf has expanded its cyberattack operations across Central Asia, deploying Java-based NetSupport RAT campaigns targeting financial, governmental, and IT sectors in Kyrgyzstan and Uzbekistan.

According to Group-IB researchers, Bloody Wolf has been active in Kyrgyzstan since June 2025, and by October, the threat actor extended its attacks to Uzbekistan. The hackers impersonated the Kyrgyz Ministry of Justice using official-looking PDF documents and spoofed domains to trick victims into downloading malicious Java Archive (JAR) files designed to install NetSupport RAT.

  • The Uzbekistan phase featured geofenced distribution: users outside the country were redirected to the legitimate data.egov[.]uz site, while those within Uzbekistan unwittingly downloaded infected JAR files from links embedded in fake PDFs. Once executed, the loader retrieved a second-stage payload — a legacy NetSupport Manager version from 2013 — and ensured persistence through scheduled tasks, Windows registry modifications, and startup folder scripts.

  • Bloody Wolf is a relatively obscure but persistent threat actor active since at least late 2023. Previous attacks targeted Kazakhstan and Russia using tools like STRRAT and NetSupport. The group is known for combining social engineering, government impersonation, and inexpensive off-the-shelf tools to remain effective while avoiding detection.
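The persistence described in the first bullet (scheduled tasks, Run-key entries and startup-folder scripts that relaunch a JAR) is the part of the chain a defender can hunt for cheaply. The following is an added triage example, not code from Group-IB or from the report: it takes autostart entries already collected from a host (the sample records and paths are constructed) and flags those that launch a .jar from a user-writable location such as AppData or Temp, which is where a dropped loader would normally sit, while leaving JARs under Program Files alone.

```python
import re

# Constructed sample autostart entries as (kind, name, command line).
# Hypothetical records for illustration, not indicators from the report.
SAMPLE_ENTRIES = [
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Program Files\Java\jre1.8.0_202\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\update.jar"'),
    ("schtask", r"\MsJavaUpdate",
     r"javaw.exe -jar %APPDATA%\svc.jar"),
    ("startup", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
     r'start "" "C:\Users\alice\AppData\Local\Temp\doc.jar"'),
    ("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("schtask", r"\Company\Reporting",
     r'"C:\Program Files\Java\jre1.8.0_202\bin\javaw.exe" -jar "C:\Program Files\Reporting\report.jar"'),
]

# Any token ending in .jar (quoted or not, with or without a drive letter).
JAR_RE = re.compile(r'[^\s"]+\.jar\b', re.IGNORECASE)

# Locations an unprivileged user can write to; a loader dropped by a phishing
# document ends up here, whereas an installed JAR lives under Program Files.
USER_WRITABLE_RE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\AppData\\|\\Temp\\|\\Downloads\\|\\Public\\)",
    re.IGNORECASE,
)


def jar_references(cmdline):
    """Return every .jar token found in an autostart command line."""
    return JAR_RE.findall(cmdline)


def flag_jar_autostarts(entries):
    """Return (kind, name, jars) for entries that launch a JAR from a user-writable path."""
    hits = []
    for kind, name, cmd in entries:
        jars = jar_references(cmd)
        if jars and USER_WRITABLE_RE.search(cmd):
            hits.append((kind, name, jars))
    return hits


if __name__ == "__main__":
    for kind, name, jars in flag_jar_autostarts(SAMPLE_ENTRIES):
        print(f"[{kind}] {name}: {', '.join(jars)}")
```

On a real host the entries would come from the Run/RunOnce keys, the Startup folders and an export of scheduled tasks; the filter is a triage heuristic, so flagged entries still need the JAR itself examined.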

Group-IB notes that the JAR loaders used in these attacks are built on Java 8 and likely generated via templates or custom JAR builders. Their tactics show how outdated yet accessible tools can still drive sophisticated regional cyber campaigns when paired with convincing social engineering.

The campaign reveals the growing exposure of Central Asia to sophisticated phishing and malware operations. Bloody Wolf’s approach — leveraging trust in government agencies and deploying old but functional remote-access tools — highlights that even low-cost techniques can lead to high-impact attacks. Organizations in the region must strengthen email filtering, scrutinize attachments, and restrict JAR execution to mitigate similar threats.
