Bloody Wolf Central Asia spear-phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The Bloody Wolf campaign is expanding across Central Asia, using spoofed Ministry of Justice PDFs and geofenced infrastructure to reach government users in Kyrgyzstan and Uzbekistan. Victims are being pushed to install Java so attackers can deliver NetSupport RAT for remote control. The shift from earlier tooling to legitimate remote-access software makes the operation harder to detect and easier to blend into normal IT activity. The continued spread since June 2025 suggests a persistent and adaptable phishing operation.
Related Happenings
Y2K Operators Millenium RAT social-engineering distribution campaign
Campaign
H score73
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Y2K Operators Millenium RAT social-engineering distribution campaign
CampaignAbout this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Bloody Wolf Central Asia phishing campaign targeting Kyrgyzstan and Uzbekistan
Campaign
H score33
First: 27.11.2025 20:13
Last: 27.11.2025 20:13
Sources 1
About this happening:
The **Bloody Wolf** phishing campaign has expanded from **Kyrgyzstan** to **Uzbekistan**, widening risk to **finance, government, and IT** targets across Central Asia. The operati...
Bloody Wolf Central Asia phishing campaign targeting Kyrgyzstan and Uzbekistan
CampaignAbout this happening: The **Bloody Wolf** phishing campaign has expanded from **Kyrgyzstan** to **Uzbekistan**, widening risk to **finance, government, and IT** targets across Central Asia. The operati...
NetSupport RAT JAR loader activity targeting Kyrgyzstan and Uzbekistan
Malware Activity
H score22
First: 27.11.2025 20:13
Last: 27.11.2025 20:13
Sources 1
About this happening:
The **NetSupport RAT** activity used **malicious JAR loaders** to reach victims in **Kyrgyzstan** and **Uzbekistan**, extending a targeted phishing operation across **Central Asia...
NetSupport RAT JAR loader activity targeting Kyrgyzstan and Uzbekistan
Malware ActivityAbout this happening: The **NetSupport RAT** activity used **malicious JAR loaders** to reach victims in **Kyrgyzstan** and **Uzbekistan**, extending a targeted phishing operation across **Central Asia...
NetSupport RAT Java-based loader deployment
Malware Activity
H score22
First: 27.11.2025 18:00
Last: 27.11.2025 18:00
Sources 1
How related:
Once a victim opens the downloaded JAR file, the loader retrieves additional components and ultimately installs NetSupport RAT for remote control.
About this happening:
The **NetSupport RAT** delivery chain is installing remote-access malware on victim systems, enabling **remote control** after phishing and loader execution. The activity matters...
NetSupport RAT Java-based loader deployment
Malware ActivityHow related: Once a victim opens the downloaded JAR file, the loader retrieves additional components and ultimately installs NetSupport RAT for remote control.
About this happening: The **NetSupport RAT** delivery chain is installing remote-access malware on victim systems, enabling **remote control** after phishing and loader execution. The activity matters...
FoalShell and StallionRAT RAR-delivery activity
Malware Activity
H score32
First: 03.10.2025 13:30
Last: 03.10.2025 13:30
Sources 1
About this happening:
A phishing-delivered malware operation is spreading **FoalShell** and **StallionRAT**, enabling **remote command execution** and **data exfiltration** on compromised hosts. The ac...
FoalShell and StallionRAT RAR-delivery activity
Malware ActivityAbout this happening: A phishing-delivered malware operation is spreading **FoalShell** and **StallionRAT**, enabling **remote command execution** and **data exfiltration** on compromised hosts. The ac...
Timeline
-
27.11.2025 18:00 2 articles · 7mo ago
Bloody Wolf Central Asia spear-phishing campaign
Initial DisclosureThe operation appears to have begun as a **Kyrgyzstan-focused** phishing effort by **late 2023** and was documented there by **June 2025**. Early lures relied on **spoofed government documents** and social engineering to get victims to run **Java**-based payloads.
Show sources
- Bloody Wolf Threat Actor Expands Activity Across Central Asia — www.infosecurity-magazine.com — 27.11.2025 18:00
- Bloody Wolf Threat Actor Expands Activity Across Central Asia — www.infosecurity-magazine.com — 27.11.2025 18:00