Cyber security analysts from Group-IB and UKUK have identified a continuing and expanding cyber-espionage operation run by the threat actor known as Bloody Wolf. Active since at least late 2023, the group has steadily evolved its methods while extending its reach across Central Asia. Its recent activity shows a shift away from conventional malware toward low-cost, legitimate remote-administration tools delivered through carefully crafted social-engineering campaigns.
Summary of Activity
Bloody Wolf has been attacking organisations in Kyrgyzstan since at least June 2025, focusing on the government, financial and information-technology sectors. By October 2025 the group had extended the same operation to Uzbekistan, using geofencing so that only visitors from the target country were served the malicious files. Everyone else was redirected to a legitimate government website, which keeps the lure looking authentic and also frustrates analysis from outside the region.
Prior operations attributed to the group involved spear-phishing campaigns in Kazakhstan and Russia, where Bloody Wolf deployed tools such as STRRAT and NetSupport. The latest incidents show a consistent pattern: impersonating trusted government ministries using convincing PDF documents, spoofed domains and concise messages that appear administrative and official.
Tactics and Techniques
The attackers rely heavily on Java-based delivery chains. Victims are told they must install or update Java to view a supposed legal or administrative document. In reality the embedded links or attachments deliver malicious Java Archive (JAR) loaders compiled for the outdated Java 8 runtime. Each loader contains a single class, is not obfuscated (so it decompiles cleanly for analysis), and includes a three-run execution limit after which it stops running, reducing the chance that repeated execution draws attention.
Once executed, the loader retrieves a 2013 build of NetSupport Manager, a legitimate remote-administration product repurposed as a remote-access Trojan, and establishes persistence by creating scheduled tasks, adding Registry autorun entries and dropping batch scripts in the user's Startup folder. Fake error messages are displayed during this process so that the victim believes the document simply failed to load.
Analysis suggests the group uses a custom JAR generator that lets it rapidly produce many loader variants with different file paths, registry keys and error messages. Because every variant has a different hash and the final payload is a legitimate commercial product, hash- and signature-based detection is of limited value; combined with the social engineering, this lets Bloody Wolf operate quietly. The persistence behaviour, however, is the same across variants, and that is where detection should focus.
Assessment
The campaign illustrates how inexpensive and widely available tools can be weaponized into sophisticated, regionally targeted cyber operations. By exploiting trust in government institutions and shifting from traditional malware to legitimate remote-administration software, Bloody Wolf has maintained a strong foothold across Central Asia. Organisations should expect continued spear-phishing and modifications to the infection chain as the group adapts.
What to Do
Organisations should reinforce internal communication to ensure employees understand that government-related PDF files delivered unexpectedly, especially those requiring Java installation, are highly suspicious. All staff should be reminded to verify such documents through official channels instead of interacting with emailed links or attachments.
IT and security teams should monitor endpoints for unusual scheduled tasks, newly created autorun entries and unexpected scripts in Startup folders, and for any NetSupport client installation (the product's client binary is client32.exe, configured by client32.ini) on hosts where the product was never deployed; an outdated build on a host that already has a sanctioned current one is equally suspicious. Network administrators should review proxy and firewall logs for irregular outbound HTTP connections, particularly from Java processes or from NetSupport clients to gateways that are not part of a sanctioned deployment.
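The following PowerShell script is an added example, not part of the Group-IB reporting or of this bulletin, that hunts a single Windows host for the persistence pattern described above: scheduled tasks or Run-key values that launch java/javaw or a JAR, scripts in Startup folders, and running NetSupport clients with their file version. It assumes Windows PowerShell 5.1 or later run as an administrator, and it assumes client32.exe is the NetSupport Manager client binary. Every row it returns still needs triage, because a sanctioned NetSupport deployment or a legitimate Java application will match too.

```powershell
# Added example: hunt one Windows host for the Bloody Wolf persistence pattern.
# Assumes Windows PowerShell 5.1+, run elevated. client32.exe is assumed to be the
# NetSupport Manager client binary; legitimate deployments will also match.
function Find-BloodyWolfPersistence {
    $javaPattern       = 'java(w)?\.exe|\.jar\b'
    $netSupportPattern = 'client32\.exe|netsupport'
    $anyPattern        = "$javaPattern|$netSupportPattern"
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding($source, $name, $detail) {
        $findings.Add([pscustomobject]@{ Source = $source; Name = $name; Detail = $detail })
    }

    # 1. Scheduled tasks whose action launches Java, a JAR or NetSupport.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $anyPattern) {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
            }
        }
    }

    # 2. Run / RunOnce autorun values in HKLM and in every loaded user hive.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            if ("$($prop.Value)" -match $anyPattern) {
                Add-Finding 'RegistryRun' "$key\$($prop.Name)" $prop.Value
            }
        }
    }

    # 3. Scripts dropped into the all-users Startup folder or any user's Startup folder.
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    foreach ($userDir in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $startupDirs += Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.js', '.lnk' } |
            ForEach-Object { Add-Finding 'StartupFolder' $_.FullName "modified $($_.LastWriteTime)" }
    }

    # 4. Running NetSupport clients, with file version, so an old 2013 build stands out
    #    next to any sanctioned current deployment.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -match $netSupportPattern } |
        ForEach-Object {
            Add-Finding 'Process' "$($_.ProcessName) (PID $($_.Id))" "$($_.Path) version $($_.FileVersionInfo.FileVersion)"
        }

    return $findings
}

# Usage: run from an elevated PowerShell prompt, then triage each row against known-good software.
Find-BloodyWolfPersistence | Format-Table -AutoSize
```

The script deliberately matches broadly (any Java launch from a task or Run key, any script in a Startup folder) rather than on hashes or specific file names, because the custom JAR generator changes paths, keys and messages between variants while the persistence technique stays the same. Baseline the output on a clean host first so that sanctioned entries can be excluded, and check the reported NetSupport file version against the version your organisation actually licenses.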
Endpoints should be hardened by removing Java where it is not needed and enforcing application controls (for example AppLocker or WDAC) that prevent java.exe and javaw.exe from launching JAR files from user-writable locations such as Downloads, Temp and AppData. Routine security updates and behavioural monitoring should be maintained so that persistence mechanisms and loader execution are detected even when the files themselves are new and unknown.
Finally, any suspected contact with this campaign should be promptly reported to national cyber security authorities or internal response teams. Sharing indicators and observations with trusted partners will help strengthen regional defenses as the threat actor continues its operations.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
