A cybercrime group known as Bloody Wolf has launched a new wave of targeted attacks against organizations in Central Asia, focusing on Kyrgyzstan and Uzbekistan. Since June 2025, the group has been actively compromising financial institutions, government agencies and IT companies, turning a regional threat into a significant security concern for the wider Central Asian cyber ecosystem.
Targeted cyber attacks on financial, government and IT sectors in Central Asia
Bloody Wolf has been observed operating since at least late 2023. Earlier activity was recorded in Russia and Kazakhstan, where the group distributed the STRRAT malware family and NetSupport RAT through phishing emails. The current campaign shows a logical evolution: the tactics, techniques and procedures (TTPs) remain largely the same, but the geographic focus has shifted to Central Asian organizations.
This mirrors a broader industry trend. The Verizon Data Breach Investigations Report repeatedly highlights phishing as one of the leading initial access vectors in corporate breaches. Bloody Wolf leverages this same vector, combining believable government-themed lures with commodity remote access tools to gain a foothold in victim networks.
Phishing emails impersonating ministries of justice and fake PDF documents
In attacks against Kyrgyz organizations, the adversaries pose as the Ministry of Justice of the Kyrgyz Republic. They register domains that closely resemble legitimate government domains and send emails containing apparently official legal or court notifications in PDF format.
The PDFs themselves look authentic, but they typically contain a link to download a malicious file rather than the promised document. The accompanying message stresses urgency or mandatory review, exploiting social engineering to pressure employees into bypassing internal security procedures and opening untrusted content.
Infection chain using Java JAR files and fake Java Runtime requirements
The technical infection chain is straightforward yet effective. When a recipient clicks the link in the PDF, they are prompted to download a JAR file (a Java archive) along with instructions to install or update Java Runtime Environment (JRE) allegedly required to view the documents.
In reality, the JAR file functions as a malware loader. Once executed, it connects to a command-and-control (C2) server controlled by Bloody Wolf, downloads NetSupport RAT and deploys it on the system. Persistence is established via multiple mechanisms, including Windows Scheduled Tasks, registry Run keys and batch files in the Startup folder. This layered persistence approach makes removal more difficult and helps the malware survive superficial cleanup.
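The persistence points named above (scheduled tasks, Run keys, Startup folder) lend themselves to a simple host triage. The following Python is an added example, not code from the original report or from any vendor tooling: it checks a constructed snapshot of autorun entries for the pattern described here, a JAR launched through java/javaw and .jar or .bat payloads parked in user-writable paths. All entry names, file paths and the JRE version string are invented.

```python
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    source: str    # "run_key", "scheduled_task" or "startup_folder"
    name: str
    command: str   # command line or file path as collected from the host


# java/javaw launching a JAR, .jar/.bat/.cmd references, and user-writable locations
JAVA_JAR = re.compile(r'javaw?(?:\.exe)?"?\s[^\n]*?-jar\b', re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(?:jar|bat|cmd)\b', re.IGNORECASE)
USER_WRITABLE = re.compile(r'\\users\\|\\appdata\\|\\programdata\\|\\temp\\|%temp%|%appdata%',
                           re.IGNORECASE)


def triage(entries):
    """Return {entry name: [reasons]} for autorun entries matching the loader pattern."""
    findings = {}
    for e in entries:
        reasons = []
        if JAVA_JAR.search(e.command):
            reasons.append("java -jar launcher")
        if SCRIPT_EXT.search(e.command) and USER_WRITABLE.search(e.command):
            reasons.append("jar/batch payload in user-writable path")
        if e.source == "startup_folder" and SCRIPT_EXT.search(e.command):
            reasons.append("script dropped in Startup folder")
        if reasons:
            findings[e.name] = reasons
    return findings


# Constructed sample snapshot (not real telemetry); every value below is invented.
SAMPLE_ENTRIES = [
    AutorunEntry("run_key", "OneDrive",
                 r'"C:\Users\a.user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry("run_key", "JavaUpdate",
                 r'"C:\Program Files\Java\jre1.8.0_25\bin\javaw.exe" -jar C:\Users\a.user\AppData\Roaming\update.jar'),
    AutorunEntry("scheduled_task", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                 r"%windir%\system32\defrag.exe -c -h -o -$"),
    AutorunEntry("scheduled_task", r"\SysUpdate", r"cmd.exe /c C:\Users\Public\sys.bat"),
    AutorunEntry("startup_folder", "start.bat",
                 r"C:\Users\a.user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Feed it the output of your own autorun collection (Run keys, `schtasks` export, Startup folder listing) and compare against a known-good baseline rather than reviewing every entry by hand.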
NetSupport RAT: legitimate remote support tool repurposed for cyber attacks
NetSupport Manager is a legitimate remote support product, but in this context it is weaponized as a Remote Access Trojan (RAT). Once installed, it provides attackers with full remote control over the compromised workstation, including the ability to exfiltrate documents, deploy additional malware, capture credentials and move laterally inside the network.
Researchers note that Bloody Wolf relies on an older build of NetSupport RAT dated October 2013 and JAR loaders compiled with an outdated Java 8 version from 2014. This suggests the presence of an internal builder or template system for generating loaders and underscores a key point: sophisticated zero-day exploits are not always required. Well-crafted social engineering combined with proven, older tools remains highly effective against underprepared organizations.
Geofencing and detection evasion in attacks on Uzbekistan
In campaigns targeting Uzbekistan, Bloody Wolf adds another layer of stealth using geofencing — filtering access based on the user’s geographic location. When a request to the malicious URL comes from outside Uzbekistan, the user is transparently redirected to the legitimate government portal data.egov.uz.
Only users connecting from within Uzbekistan receive the malicious response: the link inside the PDF triggers a download of the JAR loader. This selective delivery strategy hampers detection by international security researchers and automated sandbox systems, which often analyze suspicious URLs from IP addresses hosted in other countries.
Security impact and practical defense measures for Central Asian organizations
The Bloody Wolf campaign illustrates how commercial and outdated software can be turned into powerful attack tools when combined with targeted phishing and social engineering. For banks, ministries and IT providers in Central Asia, the risks include data theft, operational disruption and long-term compromise of internal systems.
Security teams in Kyrgyzstan, Uzbekistan and neighboring states can reduce exposure by implementing several practical measures:
- Strengthen email security gateways with robust phishing detection, URL rewriting and blocking of high-risk file types such as JAR and executable attachments.
- Restrict or disable Java Runtime on endpoints where it is not strictly required for business applications, and inventory where Java is still in use.
- Deploy EDR and advanced antimalware capable of detecting abnormal use of remote administration tools, including NetSupport, AnyDesk and similar software.
- Continuously monitor changes to scheduled tasks, startup folders and registry autorun keys, which are common persistence points for modern malware.
- Conduct regular security awareness training focused on recognizing government-themed phishing, urgent legal requests and document-viewing scams that demand software installation.
- Establish clear policies governing the use of remote support tools and centrally manage whitelists of approved software and domains.
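Blocking JAR files by extension alone is easy to bypass, since the loader in this chain is fetched from a link and can be served under any name. The following Python is an added example, not code from the original report or any gateway product: it identifies a Java archive by its ZIP structure and manifest regardless of the file name, which is how a mail gateway or web proxy filter should make the decision. The sample archive it builds is a constructed, inert stand-in and bears no relation to the campaign's real loader.

```python
import io
import zipfile
from typing import Optional, Tuple

# Extensions the gateway blocks outright (constructed policy list for this example)
BLOCKED_EXT = {"jar", "exe", "bat", "cmd", "js", "vbs", "scr"}


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive carrying META-INF/MANIFEST.MF or .class entries."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def main_class(data: bytes) -> Optional[str]:
    """Entry point declared in the manifest, handy when triaging a blocked sample."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None


def should_block(filename: str, data: bytes) -> Tuple[bool, str]:
    """Gateway decision: extension policy first, then content inspection."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in BLOCKED_EXT:
        return True, f"blocked extension .{ext}"
    if is_jar(data):
        return True, f"Java archive content behind .{ext or '(none)'} name"
    return False, "allowed"


def build_sample_jar(main_cls: str = "Loader") -> bytes:
    """Constructed, inert JAR for testing; the .class entry is only a magic header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nMain-Class: {main_cls}\r\n")
        zf.writestr(f"{main_cls}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()
```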
As Bloody Wolf expands its operations across Central Asia, the region is increasingly treated by cybercriminals as a high-value target rather than a peripheral market. Organizations that combine basic cyber hygiene with layered defenses, careful control of legacy components such as Java and consistent staff training will be better positioned to detect, contain and recover from similar campaigns. Investing in these fundamentals today significantly lowers the financial, operational and reputational damage when — not if — the next wave of phishing-driven attacks arrives.