Bloody Wolf Central Asia phishing campaign targeting Kyrgyzstan and Uzbekistan

Campaign
Happening score
H score 34
1 unique source, 1 article

Summary

The Bloody Wolf phishing campaign has expanded from Kyrgyzstan to Uzbekistan, widening risk to finance, government, and IT targets across Central Asia. The operation uses official-looking PDFs, malicious domain names, and JAR loaders to deliver NetSupport RAT. It also adds persistence through a scheduled task, a Windows Registry value, and a startup batch script, making the intrusion chain harder to remove.

Related Happenings

NetSupport RAT JAR loader activity targeting Kyrgyzstan and Uzbekistan

Malware Activity
First: 27.11.2025 20:13 Last: 27.11.2025 20:13 Sources 1

How related: "Those threat actors would impersonate the [Kyrgyzstan's] Ministry of Justice through official looking PDF documents and domain names, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT," the Singapore-headquartered company said.

About this happening: The **NetSupport RAT** activity used **malicious JAR loaders** to reach victims in **Kyrgyzstan** and **Uzbekistan**, extending a targeted phishing operation across **Central Asia...

Bloody Wolf Central Asia spear-phishing campaign

Campaign
First: 27.11.2025 18:00 Last: 27.11.2025 18:00 Sources 1

About this happening: The **Bloody Wolf** campaign is **expanding across Central Asia**, using **spoofed Ministry of Justice PDFs** and **geofenced infrastructure** to reach government users in **Kyrgy...

FoalShell and StallionRAT RAR-delivery activity

Malware Activity
First: 03.10.2025 13:30 Last: 03.10.2025 13:30 Sources 1

About this happening: A phishing-delivered malware operation is spreading **FoalShell** and **StallionRAT**, enabling **remote command execution** and **data exfiltration** on compromised hosts. The ac...

ShadowSilk Central Asia and APAC spear-phishing and exploit campaign

Campaign
First: 27.08.2025 16:47 Last: 27.08.2025 16:47 Sources 1

About this happening: The **ShadowSilk** campaign is actively hitting **government entities across Central Asia and APAC**, and the current wave matters because it has already reached nearly **three do...

Timeline

  1. 27.11.2025 20:13 2 articles · 6mo ago

    Bloody Wolf Central Asia phishing campaign disclosed with June-to-October expansion

    Initial Disclosure

    Bloody Wolf has been running a phishing campaign against Kyrgyzstan since at least June 2025 to deliver NetSupport RAT, impersonating the Kyrgyzstan Ministry of Justice with official-looking PDFs and domain names that hosted malicious JAR files. By October 2025, the activity had expanded to Uzbekistan and was targeting the finance, government, and IT sectors. The Uzbekistan phase used geofencing: requests from outside the country were redirected to data.egov[.]uz, while in-country requests triggered the JAR download.