Mallory
Tags: Malware, Ransomware. Used by 2 actors.

STRRAT

STRRAT is a Java-based remote access trojan (RAT), also known as Strigoi Master, with observed versioning including "STRRAT 1.2." It is Windows-focused despite being Java-based. Reported delivery includes spam and phishing campaigns using malicious JAR attachments, as well as malicious Java-based downloaders. Public reporting also states STRRAT has been hosted or delivered via public services including AWS and GitHub, and has appeared in malspam campaigns using business-themed lures such as "Offers" and "Requests."

Documented behavior includes extraction and execution of VBScript stages via wscript.exe, use of PowerShell to decode and run additional content, writing the final payload as %APPDATA%\ntfsmgr.jar, and persistence via a Windows Run key named ntfsmgr. Other reporting associates STRRAT campaigns with scheduled task creation and registry-based persistence. The malware is obfuscated with Allatori, uses AES-encrypted strings and configuration, and downloads dependencies from a hardcoded URL including hxxp://jbfrost.live/strigoi/lib.zip. Configuration has been described as AES-encrypted with the password "strgoi."

Capabilities directly described in the source material include credential theft from Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird; keylogging with both immediate exfiltration and offline modes; remote command execution; PowerShell execution; file management; process listing; remote screen control; and reverse proxying. STRRAT can also download and install RDPWrap / Hidden RDP components to enable or abuse Remote Desktop on Windows, including retrieval of a component from hxxp://wshsoft.company/multrdp(.)jpg and use of an HRDPInst.exe installer. A ransomware-related module is present with commands rw-encrypt, rw-decrypt, and show-msg, but the described "encryption" only renames files by appending the .crimson extension rather than performing real cryptographic encryption.

STRRAT has been associated with multiple threat actors and campaigns in the provided content. Proofpoint links it to TA2541, a persistent cybercriminal actor targeting aviation, aerospace, transportation, manufacturing, and defense organizations since at least 2017, using phishing lures and cloud-hosted payload chains. STRRAT is also described as the historical malware of choice for Bloody Wolf / Stan Ghouls, which targeted entities in Kazakhstan, Russia, Kyrgyzstan, and Uzbekistan, including government, finance, manufacturing, and IT-related victims, before later shifting to NetSupport. Additional reporting notes infection attempts against German customers.

High-confidence indicators and artifacts mentioned in the content include the attachment name NEW ORDER.jar; dropped files bqhoonmpho.vbs, %APPDATA%\edeKbMYRtr.vbs, and %APPDATA%\ntfsmgr.jar; package name strpayload; dependency system-hook-3.5.jar; the Run key name ntfsmgr; the URL hxxp://jbfrost.live/strigoi/lib.zip; and the RDP-related URL hxxp://wshsoft.company/multrdp(.)jpg.
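The execution chain and artifacts above (VBScript stage run by wscript.exe from %APPDATA%, schtasks /Create /XML from a Temp file, the ntfsmgr.jar drop, the ntfsmgr Run key, and the jbfrost.live / wshsoft.company hosts) can be expressed as simple hunting rules over endpoint telemetry. The following is an added example, not code from Mallory or from any of the cited reports; the events are constructed Sysmon-style records, and the rule names and event-type numbers are this example's own assumptions.

```python
import re

# Artifacts and behaviours documented in the STRRAT profile above.
RUN_KEY_NAME = "ntfsmgr"
PAYLOAD_FILE = "ntfsmgr.jar"
KNOWN_HOSTS = ("jbfrost.live", "wshsoft.company")
# wscript.exe launching a .vbs stage that lives under AppData
VBS_FROM_APPDATA = re.compile(r"wscript\.exe.*\\appdata\\.*\.vbs", re.I)
# schtasks /Create ... /XML <file under a Temp directory>
SCHTASKS_XML_TEMP = re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/xml\s+.*\\temp\\", re.I)

# Constructed, Sysmon-style events (not real telemetry). 'type' mirrors Sysmon
# event IDs: 1 process create, 11 file create, 13 registry value set, 22 DNS query.
SAMPLE_EVENTS = [
    {"id": 1, "type": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\edeKbMYRtr.vbs"'},
    {"id": 2, "type": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\u\AppData\Local\Temp\tmp7CF8.tmp'},
    {"id": 3, "type": 11, "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "target": r"C:\Users\u\AppData\Roaming\ntfsmgr.jar"},
    {"id": 4, "type": 13, "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr"},
    {"id": 5, "type": 22, "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "query": "jbfrost.live"},
    {"id": 6, "type": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},  # benign control event
]


def match_event(ev: dict) -> list:
    """Return the names of every STRRAT hunting rule the event satisfies."""
    hits = []
    cmd = ev.get("cmdline", "")
    target = ev.get("target", "").lower()
    if ev["type"] == 1 and VBS_FROM_APPDATA.search(cmd):
        hits.append("vbs_stage_from_appdata")
    if ev["type"] == 1 and SCHTASKS_XML_TEMP.search(cmd):
        hits.append("schtasks_xml_from_temp")
    if ev["type"] == 11 and target.endswith("\\" + PAYLOAD_FILE):
        hits.append("ntfsmgr_jar_dropped")
    if ev["type"] == 13 and "\\currentversion\\run\\" in target and target.endswith("\\" + RUN_KEY_NAME):
        hits.append("run_key_ntfsmgr")
    if ev["type"] == 22 and ev.get("query", "").lower().endswith(KNOWN_HOSTS):
        hits.append("known_strrat_host")
    return hits


def hunt(events: list) -> dict:
    """Map event id -> matched rule names, keeping only events with a hit."""
    findings = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Several of these rules (the Temp-sourced schtasks XML, the Run key) fire on benign software too, so in production they are best weighted together rather than alerted on individually.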


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
TA2541

In recent campaigns, vjw0rm and STRRAT also leveraged task creation and adding entries to the registry.

via proofpoint.com
Bloody Wolf

Historically, the group’s weapon of choice was the remote access Trojan (RAT) STRRAT, also known as Strigoi Master.

via securelist.com
MITRE ATT&CK

Techniques & procedures

25 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 1)

TA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload.

T1566.001 Spearphishing Attachment (evidence: 4)

“Stan Ghouls relies on phishing emails packed with malicious PDF attachments as their initial entry point… their primary – and currently only – delivery method is spear phishing… emails loaded with malicious PDF attachments.”

Execution

5 techniques
T1053.005 Scheduled Task (evidence: 1)

TA2541 has also established persistence by creating scheduled tasks... In recent campaigns, vjw0rm and STRRAT also leveraged task creation... Scheduled Task: schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp

T1059.001 PowerShell (evidence: 2)

If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub. The threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.

T1059.003 Windows Command Shell (evidence: 1)

“remote-cmd Executes commands with cmd.exe... Every other file is executed with cmd.exe /c.”

T1059.005 Visual Basic (evidence: 1)

“...saves the script as bqhoonmpho.vbs [3] to the home directory of the user and executes it using wscript.exe.”

T1204 User Execution (evidence: 1)

"The top-ranking samples this week are SCRIPT files accounting for 36,11%. MSIL files follow... WIN32 executable files..."

Persistence

3 techniques
T1053.005 Scheduled Task (evidence: 1)

TA2541 has also established persistence by creating scheduled tasks... In recent campaigns, vjw0rm and STRRAT also leveraged task creation... Scheduled Task: schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp

T1112 Modify Registry (evidence: 1)

“...download a Java Runtime Environment ... and add it to the registry... add a RUN key named ntfsmgr to the registry that will autorun the dropped Jar [4].”

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

TA2541 has also established persistence by creating scheduled tasks and adding entries in the registry... Registry: Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost Data: C:\Users\[User]\AppData\Roaming\server\server.exe

Privilege Escalation

2 techniques
T1053.005 Scheduled Task (evidence: 1)

TA2541 has also established persistence by creating scheduled tasks... In recent campaigns, vjw0rm and STRRAT also leveraged task creation... Scheduled Task: schtasks.exe /Create /TN "Updates\BQVIiVtepLtz" /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

TA2541 has also established persistence by creating scheduled tasks and adding entries in the registry... Registry: Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost Data: C:\Users\[User]\AppData\Roaming\server\server.exe

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“We see immediately that the Jar file is obfuscated by Allatori... strings in the Jar file are encrypted with AES.”

T1036 Masquerading (evidence: 1)

“RDPWrap ... downloaded from hxxp://wshsoft.company/multrdp(.)jpg ... HRDPInst.exe ... Download URL ... multrdp(.)jpg”

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

“...download a Java Runtime Environment ... and add it to the registry... add a RUN key named ntfsmgr to the registry that will autorun the dropped Jar [4].”

Credential Access

2 techniques
T1056.001 Keylogging (evidence: 1)

“...dependency... ‘global keyboard and mouse listener’... estimate that the malware may use it to log keystrokes... keylogger Logs keystrokes and sends them immediately.”

T1555 Credentials from Password Stores (evidence: 1)

“The RAT has a focus on stealing credentials of browsers and email clients... Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.”

Discovery

4 techniques
T1012 Query Registry (evidence: 1)

“startup-list Uses WMI to compile a list of autorun entries”

T1057 Process Discovery (evidence: 1)

“processes Create a process listing”

T1082 System Information Discovery (evidence: 1)

“...builds a string with information about the infected system.”

T1083 File and Directory Discovery (evidence: 1)

“file-manager Provides commands to navigate, upload, download, delete and open files”

Lateral Movement

2 techniques
T1021 Remote Services (evidence: 1)

“remote-screen Remote control the infected computer”

T1021.001 Remote Desktop Protocol (evidence: 1)

“STRRAT also allows installation of RDPWrap... enables Remote Desktop Host support on Windows... ‘Hidden RDP Installer’.”

Collection

1 technique
T1056.001 Keylogging (evidence: 1)

“...dependency... ‘global keyboard and mouse listener’... estimate that the malware may use it to log keystrokes... keylogger Logs keystrokes and sends them immediately.”

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 1)

TA2541 uses Virtual Private Servers as part of their email sending infrastructure and frequently uses Dynamic DNS (DDNS) for C2 infrastructure.

T1090.001 Internal Proxy (evidence: 1)

“rev-proxy Reverse proxy”

T1105 Ingress Tool Transfer (evidence: 2)

If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub.

T1568.002 Domain Generation Algorithms (evidence: 1)

“frequently refreshes its command-and-control domains, registering new ones for each specific campaign to evade blocklists.”

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 1)

“‘encryption’ only renames files by appending the .crimson extension... rw-encrypt ... rw-decrypt”

T1529 System Shutdown/Reboot (evidence: 1)

“reboot Reboots the infected system; shutdown Shuts down the infected system”

INDICATORS OF COMPROMISE

IOCs tracked for this family

13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type, value, latest sighting (values are withheld on the public page):
domain: value withheld; latest sighting 4 years ago
hash.sha256: value withheld; latest sighting 4 years ago
hash.sha256: value withheld; latest sighting 4 years ago
hash.sha256: value withheld; latest sighting 4 years ago
hash.sha256: value withheld; latest sighting 4 years ago
domain: value withheld; latest sighting 5 years ago