Bloody Wolf Group Uses Fake Government Emails and Malicious PDFs to Deploy NetSupport RAT
The group, first spotted in late 2023, has recently expanded its operations to Kyrgyzstan and Uzbekistan, relying on legitimate remote administration tools such as NetSupport Manager rather than traditional malware.
According to joint research by Group-IB and the Kyrgyz Prosecutor General’s Office (UKUK), Bloody Wolf impersonated the country’s Ministry of Justice to trick victims into downloading infected files.
The attackers distributed PDF attachments in spear-phishing emails containing malicious links labeled “case materials.” Once opened, the victim was lured into downloading a Java Archive (JAR) file supposedly required to access official documents.
Running this JAR file begins the infection chain. The loader downloads components of the NetSupport remote administration tool (RAT) from attacker-controlled domains and installs them for persistent remote access.
During the Uzbekistan phase of the campaign, the attackers geofenced their infrastructure so that only users in Uzbekistan received the malicious JARs.
At the same time, those outside the region were redirected to legitimate government websites such as data.egov.uz.
Bloody Wolf has crafted its lures in Russian and local Central Asian languages to appear authentic. The group continues imitating government agencies to boost trust and effectiveness, while its actual affiliation remains unclear.
Investigations revealed that Bloody Wolf uses a custom JAR generator built with older Java 8 technology.
Each JAR contains a single Java class with predefined configuration variables, including hardcoded URLs and registry paths.
Once executed, the JAR downloads the NetSupport binaries, adds itself to the autostart list, and sets up a scheduled task to maintain persistence.
During installation, the loader displays a fake error message to distract the user, while the malware quietly deploys NetSupport in the background.
NetSupport Manager is legitimate remote administration software from NetSupport Ltd., used in education and enterprise environments. Bloody Wolf weaponizes an outdated 2013 version, likely modified with publicly available licenses.
The attackers use three methods simultaneously to auto-start the software: dropping a batch file into the Startup folder, adding a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and creating a scheduled task that launches the RAT executable upon login.
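A defender-side triage check for the redundant autostart described above, added here as an example and not taken from the article or from Group-IB's research. It assumes the NetSupport client binary is named client32.exe (the product's usual client name, not stated in the article); adjust the pattern for your environment.

```powershell
# Added example: hunt for the three autostart methods pointing at the same binary.
# Assumption: NetSupport client binary is client32.exe; widen $Pattern if needed.
$Pattern  = 'client32\.exe|netsupport'
$findings = @()

# 1. Batch files dropped into the per-user Startup folder
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.bat' -ErrorAction SilentlyContinue | ForEach-Object {
    $body = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
    if ($body -match $Pattern) {
        $findings += [pscustomobject]@{ Method = 'StartupFolder'; Source = $_.FullName; Command = ($body -split "`r?`n")[0] }
    }
}

# 2. Values under the HKCU Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Method = 'RunKey'; Source = "$runKey\$($_.Name)"; Command = $_.Value }
        }
}

# 3. Scheduled tasks with a logon trigger whose action launches the binary
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task    = $_
    $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($atLogon -and $cmd -match $Pattern) {
            $findings += [pscustomobject]@{ Method = 'ScheduledTask'; Source = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# The same binary registered through two or more methods is the pattern to escalate on
$methods = $findings.Method | Sort-Object -Unique
$findings | Format-Table -AutoSize
if ($methods.Count -ge 2) {
    Write-Warning "Redundant autostart for a NetSupport-like binary via: $($methods -join ', ')"
}
```

Run it in the context of the user being triaged, since both the Startup folder and the Run key checked here are per-user locations.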
This campaign demonstrates how legitimate software can be misused for covert access and surveillance. Group-IB warns that such tactics blend easily into regular IT activity, allowing malicious operations to persist longer undetected.
Organizations in the region are advised to block the execution of JAR files, monitor NetSupport installations, and remain alert to phishing emails impersonating government institutions.
The post Bloody Wolf Group Uses Fake Government Emails and Malicious PDFs to Deploy NetSupport RAT appeared first on Cyber Security News.