CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Bloody Wolf APT Expands Operations to Russia and Central Asia Using NetSupport RAT

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

The Bloody Wolf APT group, also tracked as Stan Ghouls, has expanded its operations to include Russia, targeting government entities, logistics companies, medical facilities, and educational institutions. The campaign has infected about 50 victims in Uzbekistan and 10 devices in Russia, with additional infections identified in Kazakhstan, Turkey, Serbia, and Belarus. The group has shifted from traditional malware to using legitimate remote-access software, specifically NetSupport RAT, deployed via Java-based delivery methods. The campaign involves sophisticated social engineering tactics, including impersonating government ministries and using geofenced infrastructure to deliver malicious payloads. The group's activities have been ongoing since at least June 2025, with a notable increase in operations by October 2025. The campaign has targeted finance, government, and information technology (IT) sectors. The shift to legitimate remote-administration tools indicates an evolution in the group's tactics to evade detection and blend into normal IT activity. The group has also expanded its malware arsenal to target IoT devices, with Mirai botnet payloads staged on associated infrastructure.

Timeline

  1. 09.02.2026 12:58 1 articles · 23h ago

    Bloody Wolf Expands to Russia and Additional Countries

    The Bloody Wolf APT group, also tracked as Stan Ghouls, has expanded its operations to include Russia, targeting government entities, logistics companies, medical facilities, and educational institutions. The campaign has infected about 50 victims in Uzbekistan and 10 devices in Russia, with additional infections identified in Kazakhstan, Turkey, Serbia, and Belarus. The group has shifted from traditional malware to using legitimate remote-access software, specifically NetSupport RAT, deployed via Java-based delivery methods. The campaign involves sophisticated social engineering tactics, including impersonating government ministries and using geofenced infrastructure to deliver malicious payloads. The group's activities have been ongoing since at least June 2025, with a notable increase in operations by October 2025. The campaign has targeted finance, government, and information technology (IT) sectors. The shift to legitimate remote-administration tools indicates an evolution in the group's tactics to evade detection and blend into normal IT activity. The group has also expanded its malware arsenal to target IoT devices, with Mirai botnet payloads staged on associated infrastructure.

    Show sources
    Open in new tab
  2. 27.11.2025 18:00 3 articles · 2mo ago

    Bloody Wolf APT Expands Operations in Central Asia Using NetSupport RAT

    The Bloody Wolf APT group has expanded its cyber campaign across Central Asia, targeting government entities in Kyrgyzstan and Uzbekistan. The group has shifted from traditional malware to using legitimate remote-access software, specifically NetSupport RAT, deployed via Java-based delivery methods. The campaign involves sophisticated social engineering tactics, including impersonating government ministries and using geofenced infrastructure to deliver malicious payloads. The group's activities have been ongoing since at least June 2025, with a notable increase in operations by October 2025. The campaign has also targeted finance and IT sectors. The article provides new insights into the group's expanded operations, including targeting Russia and additional countries. It details the group's use of NetSupport RAT, sophisticated social engineering tactics, and the shift in tactics to penetrate target infrastructure through contractors. The campaign has infected about 50 victims in Uzbekistan and 10 devices in Russia, with additional infections identified in Kazakhstan, Turkey, Serbia, and Belarus. The group has also expanded its malware arsenal to target IoT devices, with Mirai botnet payloads staged on associated infrastructure. The primary motive is believed to be financial gain, with potential cyber espionage activities.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Multi-Stage Phishing Campaign Targeting Russia with Amnesia RAT and Ransomware

A sophisticated multi-stage phishing campaign is targeting users in Russia, employing social engineering tactics to deliver ransomware and Amnesia RAT. The attack begins with business-themed documents that appear benign but contain malicious scripts and payloads distributed via GitHub and Dropbox. The campaign leverages multiple public cloud services to enhance resilience and uses defendnot to disable Microsoft Defender. The malware suppresses visibility, neutralizes endpoint protection, conducts reconnaissance, and deploys payloads capable of data theft, remote control, and financial fraud.

Open in new tab

Airstalk Malware Linked to Supply Chain Attack

A new malware called Airstalk has been identified in a suspected supply chain attack. The malware exploits the AirWatch API for mobile device management (MDM) to establish a covert command-and-control (C2) channel. It is distributed by a nation-state threat actor tracked as CL-STA-1009. Airstalk can capture screenshots, harvest browser data, and exfiltrate files. The malware is available in PowerShell and .NET variants, with the latter being more advanced. The attack may target the business process outsourcing (BPO) sector. Airstalk uses a multi-threaded C2 communication protocol and supports various actions, including taking screenshots, harvesting browser data, and uninstalling itself. The .NET variant targets additional browsers and includes more sophisticated features. The malware's distribution method and specific targets remain unknown, but the use of MDM-related APIs suggests a supply chain attack.

Open in new tab

NetSupport RAT Campaigns Exploit ClickFix Lures

Threat actors continue to use ClickFix-style social engineering lures to distribute loaders for NetSupport RAT. This RAT is a legitimate Remote Monitoring and Management (RMM) tool that is misused for unauthorized remote control of compromised machines. The campaign coincides with an increase in phishing efforts distributing fileless versions of Remcos RAT, another tool advertised as legitimate but frequently used in hacking campaigns. The NetSupport RAT campaign is notable for its use of deceptive tactics to gain initial access, leveraging the trust associated with legitimate software to evade detection. The ongoing distribution of these RATs highlights the persistent threat posed by social engineering and the misuse of legitimate tools for malicious purposes.

Open in new tab

Russian Threat Actors Target Ukrainian and Polish Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services. The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy systems. ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems damaging "key equipment beyond repair," they failed to disrupt power, totaling 1.2 GW or 5% of Poland’s energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, a critical industrial infrastructure (OT) and control systems (ICS) security company say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum, which, although it overlaps with Sandworm (APT44), the researchers underline that it is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites. Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption. Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had been successful in cutting the power, the relatively narrow targeting scope wouldn’t have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say. CERT Polska revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) in Poland on December 29, 2025. The attacks were attributed to a threat cluster dubbed Static Tundra, which is linked to Russia's Federal Security Service's (FSB) Center 16 unit. The attacks had a purely destructive objective but did not affect the ongoing production of electricity or the heat supply to end users. The attackers gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper. In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating back to March 2025, enabling them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful. The targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. At least four different versions of DynoWiper have been discovered to date. The wiper's functionality involves initializing a pseudorandom number generator (PRNG) called Mersenne Twister, enumerating files and corrupting them using the PRNG, and deleting files. The malware does not have a persistence mechanism, a way to communicate with a command-and-control (C2) server, or execute shell commands, and it does not attempt to hide the activity from security programs. The attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper that scripts overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. The malware used in the incident involving renewable energy farms was executed directly on the HMI machine. In the CHP plant and the manufacturing sector company, the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller. The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services, downloading selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations.

Open in new tab

Rhadamanthys Stealer Adds Device Fingerprinting, PNG Steganography Payloads

Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins. The Rhadamanthys infostealer operation has been disrupted, with numerous customers reporting that they no longer have access to their servers. Cybercriminals claim that law enforcement gained access to their web panels, requiring certificate-based logins instead of root passwords. The disruption is suspected to be related to Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.

Open in new tab