Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The Bloody Wolf / Stan Ghouls operation is actively running a spear-phishing campaign against Uzbekistan and Russia, and the activity matters because it is delivering NetSupport RAT into victim systems. The campaign has already affected about 50 victims in Uzbekistan and 10 devices in Russia, with infections also seen across Kyrgyzstan, Kazakhstan, Turkey, Serbia, and Belarus. It has targeted manufacturing, finance, IT, government, logistics, medical, and education organizations. The tradecraft relies on malicious PDF attachments that launch a loader and establish persistence.
Related Happenings
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities
Campaign
H score25
First: 02.06.2026 12:05
Last: 02.06.2026 12:05
Sources 1
About this happening:
The **SideCopy**-linked **Operation XENOFISCAL** spear-phishing campaign is targeting **Afghanistan's Ministry of Finance** and related provincial finance offices with **Xeno RAT*...
SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities
CampaignAbout this happening: The **SideCopy**-linked **Operation XENOFISCAL** spear-phishing campaign is targeting **Afghanistan's Ministry of Finance** and related provincial finance offices with **Xeno RAT*...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
H score50
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
H score31
First: 05.05.2026 22:21
Last: 05.05.2026 22:21
Sources 1
About this happening:
A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware ActivityAbout this happening: A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
H score37
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
CampaignAbout this happening: The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
Timeline
-
09.02.2026 12:58 1 articles · 5mo ago
Bloody Wolf and Stan Ghouls NetSupport RAT campaign disclosure
Initial DisclosureKaspersky tracks Bloody Wolf, also called Stan Ghouls, as a spear-phishing operator targeting Uzbekistan and Russia with NetSupport RAT, with activity active since at least 2023 and additional infections reported in Kyrgyzstan, Kazakhstan, Turkey, Serbia, and Belarus. The campaign has affected about 50 victims in Uzbekistan, 10 devices in Russia, and over 60 targets overall, and the delivery chain uses malicious PDF attachments, a loader that downloads NetSupport RAT from external domains, and persistence through the Startup folder, a Registry autorun entry, and a scheduled task. Kaspersky also identified Mirai botnet payloads staged on infrastructure associated with Bloody Wolf, suggesting possible expansion toward IoT targets.
Show sources
- Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign — thehackernews.com — 09.02.2026 12:58