Bloody Wolf Central Asia spear-phishing campaign
Campaign
Summary
The Bloody Wolf campaign is expanding across Central Asia, using spoofed Ministry of Justice PDFs and geofenced infrastructure to reach government users in Kyrgyzstan and Uzbekistan. Victims are being pushed to install Java so attackers can deliver NetSupport RAT for remote control. The shift from earlier tooling to legitimate remote-access software makes the operation harder to detect and easier to blend into normal IT activity. The continued spread since June 2025 suggests a persistent and adaptable phishing operation.
Related Happenings
Bloody Wolf Central Asia phishing campaign targeting Kyrgyzstan and Uzbekistan
Campaign
First: 27.11.2025 20:13
Last: 27.11.2025 20:13
Sources 1
About this happening:
The **Bloody Wolf** phishing campaign has expanded from **Kyrgyzstan** to **Uzbekistan**, widening risk to **finance, government, and IT** targets across Central Asia. The operati...
NetSupport RAT JAR loader activity targeting Kyrgyzstan and Uzbekistan
Malware Activity
First: 27.11.2025 20:13
Last: 27.11.2025 20:13
Sources 1
About this happening:
The **NetSupport RAT** activity used **malicious JAR loaders** to reach victims in **Kyrgyzstan** and **Uzbekistan**, extending a targeted phishing operation across **Central Asia...
NetSupport RAT Java-based loader deployment
Malware Activity
First: 27.11.2025 18:00
Last: 27.11.2025 18:00
Sources 1
How related:
Once a victim opens the downloaded JAR file, the loader retrieves additional components and ultimately installs NetSupport RAT for remote control.
About this happening:
The **NetSupport RAT** delivery chain is installing remote-access malware on victim systems, enabling **remote control** after phishing and loader execution. The activity matters...
FoalShell and StallionRAT RAR-delivery activity
Malware Activity
First: 03.10.2025 13:30
Last: 03.10.2025 13:30
Sources 1
About this happening:
A phishing-delivered malware operation is spreading **FoalShell** and **StallionRAT**, enabling **remote command execution** and **data exfiltration** on compromised hosts. The ac...
ShadowSilk Central Asia and APAC spear-phishing and exploit campaign
Campaign
First: 27.08.2025 16:47
Last: 27.08.2025 16:47
Sources 1
About this happening:
The **ShadowSilk** campaign is actively hitting **government entities across Central Asia and APAC**, and the current wave matters because it has already reached nearly **three do...
Timeline
27.11.2025 18:00 2 articles · 6mo ago
Bloody Wolf Central Asia spear-phishing campaign
Initial Disclosure
The operation appears to have begun as a **Kyrgyzstan-focused** phishing effort by **late 2023** and was documented there by **June 2025**. Early lures relied on **spoofed government documents** and social engineering to get victims to run **Java**-based payloads.
Sources:
- Bloody Wolf Threat Actor Expands Activity Across Central Asia — www.infosecurity-magazine.com — 27.11.2025 18:00