Bloody Wolf
Bloody Wolf, also tracked by Kaspersky as Stan Ghouls, is a cybercriminal threat actor active since at least 2023. The group has conducted targeted spear-phishing campaigns against organizations in Russia, Uzbekistan, Kyrgyzstan, and Kazakhstan, with additional lower-volume or collateral infections reported in Turkey, Serbia, and Belarus. Reported targets include manufacturing, finance, and IT organizations, as well as government entities, logistics companies, medical facilities, educational institutions, and, in Central Asia, organizations in the government and financial services sectors.

The actor is associated with campaigns delivering remote access malware, initially including STRRAT/Strigoi Master and more recently abusing the legitimate NetSupport Manager tool as NetSupport RAT. Reported infection chains use phishing emails, often written in local languages such as Uzbek or Kyrgyz and impersonating government, judicial, or legal entities. These emails carry malicious PDF attachments or links that lead to a custom Java-based loader (JAR). The loader displays fake error messages, checks execution conditions, may limit repeated installation attempts, downloads NetSupport components from attacker-controlled domains, and establishes persistence via Startup-folder batch scripts, Registry Run keys, and scheduled tasks. Kaspersky also reported frequent command-and-control domain rotation, while another report described geofencing in the Uzbekistan phase to restrict payload delivery to local users.

Kaspersky-linked reporting estimated roughly 50 victims in Uzbekistan and about 10 in Russia in one campaign, with over 60 targets hit overall. The likely motive is assessed as financial gain, although some reporting notes that the heavy use of RATs could also be consistent with espionage.
Infrastructure associated with Bloody Wolf has also been reported to host Mirai-related payloads, suggesting possible expansion toward IoT targeting or shared infrastructure, though this was not confirmed. Known aliases: Stan Ghouls.
Tradecraft
17 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
75 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Uses web services in its infrastructure, including storing C2 server addresses on Pastebin.
Impersonates government entities to socially engineer targets into downloading/using NetSupport Manager (abused as NetSupport RAT) for unauthorized remote access; associated with campaigns impacting Central Asia.
Targeting Russia and Uzbekistan; associated in this newsletter with use of NetSupport RAT.
Threat group reported targeting Russia and Uzbekistan using NetSupport RAT.