Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign
Campaign
Summary
The Bloody Wolf / Stan Ghouls operation is actively running a spear-phishing campaign against Uzbekistan and Russia, and the activity matters because it is delivering NetSupport RAT into victim systems. The campaign has already affected about 50 victims in Uzbekistan and 10 devices in Russia, with infections also seen across Kyrgyzstan, Kazakhstan, Turkey, Serbia, and Belarus. It has targeted manufacturing, finance, IT, government, logistics, medical, and education organizations. The tradecraft relies on malicious PDF attachments that launch a loader and establish persistence.
Related Happenings
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
First: 05.05.2026 22:21
Last: 05.05.2026 22:21
Sources 1
About this happening:
A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
First: 24.02.2026 11:54
Last: 24.02.2026 11:54
Sources 1
About this happening:
The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
- 09.02.2026 12:58 · 1 article
Bloody Wolf and Stan Ghouls NetSupport RAT campaign disclosure
Initial Disclosure: Kaspersky tracks Bloody Wolf, also called Stan Ghouls, as a spear-phishing operator targeting Uzbekistan and Russia with NetSupport RAT, with activity observed since at least 2023 and additional infections reported in Kyrgyzstan, Kazakhstan, Turkey, Serbia, and Belarus. The campaign has affected about 50 victims in Uzbekistan, 10 devices in Russia, and over 60 targets overall. The delivery chain uses malicious PDF attachments, a loader that downloads NetSupport RAT from external domains, and persistence through the Startup folder, a Registry autorun entry, and a scheduled task. Kaspersky also identified Mirai botnet payloads staged on infrastructure associated with Bloody Wolf, suggesting possible expansion toward IoT targets.
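As an added example (not from the Kaspersky report or from this page), a persistence triage in Python over an Autoruns-style export: it groups Startup folder, Run key and scheduled task entries by executable and flags a binary that is persisted through more than one of those mechanisms, runs from a user-writable path, or carries the NetSupport client file name (client32.exe/.ini, assumed from the product itself, not stated on the page). The inventory below is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample inventory in the shape of an Autoruns-style export:
# (persistence location, entry name, command line). Not real data.
SAMPLE_ENTRIES = [
    ("Startup", "update.lnk", r"C:\Users\alice\AppData\Roaming\Update\client32.exe"),
    ("Run", "Update", r"C:\Users\alice\AppData\Roaming\Update\client32.exe"),
    ("Task", "UpdateSvc", r"C:\Users\alice\AppData\Roaming\Update\client32.exe"),
    ("Run", "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Task", "Backup", r"C:\Windows\System32\wbadmin.exe start backup"),
]

# NetSupport Manager client binary / config names (product knowledge, assumed here).
NETSUPPORT_NAMES = re.compile(r"client32\.(exe|ini)", re.IGNORECASE)
# User-writable directories a managed NetSupport deployment would not normally run from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

def first_path(command):
    """Extract the launched file from a command line: a quoted path, or the first token ending in a runnable extension."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+?\.(?:exe|lnk|bat|cmd|vbs|js))', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)).lower() if m else command.strip().lower()

def triage(entries):
    """Return {path: {"mechanisms": [...], "reasons": [...]}} for every launched file that looks suspicious."""
    by_path = defaultdict(lambda: {"mechanisms": set(), "reasons": set()})
    for location, _name, command in entries:
        rec = by_path[first_path(command)]
        rec["mechanisms"].add(location)
        if NETSUPPORT_NAMES.search(command):
            rec["reasons"].add("netsupport-client")
        if USER_WRITABLE.search(command):
            rec["reasons"].add("user-writable-path")
    findings = {}
    for path, rec in by_path.items():
        # The campaign installs one payload via Startup folder, Run key and scheduled task;
        # the same binary persisted through two or more mechanisms is a signal on its own.
        if len(rec["mechanisms"]) >= 2:
            rec["reasons"].add("redundant-persistence")
        if rec["reasons"]:
            findings[path] = {"mechanisms": sorted(rec["mechanisms"]), "reasons": sorted(rec["reasons"])}
    return findings

if __name__ == "__main__":
    for path, finding in triage(SAMPLE_ENTRIES).items():
        print(path, finding["mechanisms"], finding["reasons"])
```

The "redundant-persistence" rule is name-independent, so a renamed loader persisted through the same three locations is still surfaced for review.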
- Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign — thehackernews.com — 09.02.2026 12:58