Stan Ghouls, a cybercriminal group also known as Bloody Wolf, has launched a sophisticated wave of targeted attacks against organizations across Russia and Uzbekistan. <\/p>\n
Active since at least 2023, the group focuses heavily on the manufacturing, finance, and IT sectors. While they previously favored the STRRAT remote access trojan<\/a>, their recent campaigns demonstrate a tactical shift toward misusing legitimate software. <\/p>\n By deploying the NetSupport Manager, a valid remote administration tool<\/a>, they aim to blend in with authorized administrative activity, making detection significantly harder for defenders.<\/p>\n The attack chain invariably begins with highly targeted spear-phishing emails written in local languages like Uzbek. These communications masquerade as official government or legal notices to instill urgency. <\/p>\n Attached to these emails are malicious PDF files that contain links to the next stage of the attack. When victims click these links, they unknowingly initiate the download of a custom Java-based loader. <\/p>\n This loader acts as the bridge, fetching the final payload and establishing the attackers\u2019 foothold within the compromised network.<\/p>\n Following the initial discovery of these intrusions, Securelist analysts identified distinct patterns<\/a> in the group\u2019s infrastructure. <\/p>\n The researchers noted that Bloody Wolf<\/a> frequently refreshes its command-and-control domains, registering new ones for each specific campaign to evade blocklists. <\/p>\n This rapid rotation of infrastructure allows them to maintain a high rate of successful infections, with nearly sixty distinct victims identified in the latest wave alone.<\/p>\n The most distinct aspect of this campaign is the behavior of the malicious loader once executed. To distract the victim, the malware immediately displays a fabricated error window.<\/p>\n The message falsely claims the application cannot run on the current operating system, tricking the user into believing the file was simply broken. <\/p>\n In reality, the loader is silently checking the environment and downloading the NetSupport RAT<\/a> components from a remote server. <\/p>\n It even includes a check to terminate if it has failed to install three times, avoiding analysis by security sandboxes. <\/p>\n Once the files are in place, the malware aggressively establishes persistence using three redundant methods. <\/p>\n It drops a batch script named\u00a0 These mechanisms ensure the remote access tool executes automatically every time the user logs in. <\/p>\n To mitigate these threats, organizations must monitor for unauthorized remote desktop tools and scrutinize process executions from the Startup folder.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Bloody Wolf Hackers Attacking Organizations to Deploy NetSupport RAT and Gain Remote Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Spear-phishing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYltO8qoa4BX89oEbzmOnSUQfAkqPGQhjmeSdPefa-_j8ZezvrURYBW2zl1dq1fYNkmUa-GXD_-g5tJqlc0731dzn93rh7JdH-62Oem_WivkQKzjiaM5rHdn36pyow33Mg1WYfre0q1Kk10U5T-ZAbAEdsFudpgJ4orEeonJWwi_L70WpAozXA8Wvwgwk\/s16000\/Spear-phishing%2520email%2520from%2520the%2520latest%2520campaign%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
The Infection Mechanism and Persistence<\/strong><\/h2>\n
![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjl8GpBIe0ZzOv_KbEFmxC8ms18ANvJ8_nT_G3NMghItAcTwwypO5xkMmjq0qfSxBO_QiRzkpBcCEOX7zWKhwDU4XgtMUO2ONzC3kVj7DFxRL8qnTOX7nPKqq5oQ_w5w1ER6tIrLHJsdO2UfBx9p7Ksj6i6e1YkLIHZJvEXgOPftzY_0-sD5uRxVMFrFqQ\/s16000\/Fake%2520error%2520message%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
SoliqUZ_Run.bat<\/code>\u00a0into the Windows Startup folder, adds a launch command to the Registry\u2019s Run key, and creates a scheduled task. <\/p>\n