
The hacking group known as Bloody Wolf has been tied to a cyber campaign that has targeted Kyrgyzstan since June 2025 and is now striking Uzbekistan. Group-IB researchers, working with the Kyrgyz Prosecutor General’s Office, said the attacks focus on the finance, government and IT sectors.
The group impersonates Kyrgyzstan’s Ministry of Justice through official-looking PDFs and spoofed domains that host malicious Java Archive (JAR) files used to deploy the NetSupport remote access tool (RAT). Group-IB said this blend of social engineering and simple off-the-shelf tools helps the group stay effective while keeping a low profile.
Bloody Wolf has been active since at least late 2023 and has previously targeted Kazakhstan and Russia with spear-phishing campaigns using malware like STRRAT and NetSupport.
The methods used in Kyrgyzstan and Uzbekistan are similar. Victims are lured into clicking links that download a JAR loader alongside instructions to install the Java Runtime. The loader then pulls the NetSupport RAT from attacker infrastructure and sets up persistence through scheduled tasks, registry changes and a startup script.
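For defenders, the chain described above (a user-launched JAR whose process tree then sets up persistence) can be hunted in process-creation telemetry. The following is an added example, not code from Group-IB or from the original article; the event tuples are constructed, and the specific indicators (a `Run` registry key, the user Startup folder, and the NetSupport client binary name `client32.exe`) are assumptions about the common forms of the "registry changes" and "startup script" the report mentions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, pid, parent pid, command line); all values invented.
EVENTS = [
    ("ws-01", 200, 100, r"javaw.exe -jar C:\Users\a\Downloads\document.jar"),
    ("ws-01", 210, 200, r"schtasks /create /tn Updater /sc onlogon /tr C:\Users\a\AppData\Roaming\ns\client32.exe"),
    ("ws-01", 220, 200, r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\a\AppData\Roaming\ns\run.bat"),
    ("ws-01", 230, 200, r"cmd.exe /c C:\Users\a\AppData\Roaming\ns\setup.bat"),
    ("ws-01", 231, 230, r'cmd.exe /c copy run.bat "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'),
    ("ws-02", 300, 100, r"javaw.exe -jar C:\Apps\inventory\tool.jar"),  # benign JAR, no persistence
    ("ws-02", 310, 300, r"cmd.exe /c echo ready"),
    ("ws-02", 400, 100, r"schtasks /create /tn Backup /sc daily /tr C:\Apps\backup.exe"),  # not under a JAR
]

# Root of interest: java/javaw started with -jar.
JAR_LAUNCH = re.compile(r"\bjavaw?(\.exe)?\b.*\s-jar\s", re.I)
# Assumed persistence indicators, matched against descendant command lines.
RULES = {
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s.*/create", re.I),
    "run_key": re.compile(r"reg(\.exe)?\s+add\s.*\\CurrentVersion\\Run", re.I),
    "startup_script": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "netsupport_client": re.compile(r"client32\.exe", re.I),
}

def jar_tree_findings(events):
    """Return {host: sorted rule names} where a JAR launch's descendants set up persistence."""
    children = defaultdict(list)
    for host, pid, ppid, cmd in events:
        children[(host, ppid)].append((pid, cmd))
    findings = defaultdict(set)
    for host, pid, _ppid, cmd in events:
        if not JAR_LAUNCH.search(cmd):
            continue
        stack, seen = [pid], {pid}
        while stack:  # walk every descendant of the JAR launch
            for child_pid, child_cmd in children[(host, stack.pop())]:
                if child_pid in seen:  # guard against pid reuse loops
                    continue
                seen.add(child_pid)
                stack.append(child_pid)
                findings[host].update(n for n, rx in RULES.items() if rx.search(child_cmd))
    return {h: sorted(v) for h, v in findings.items() if v}

if __name__ == "__main__":
    print(jar_tree_findings(EVENTS))
```

Scoping the rules to descendants of a JAR launch keeps routine `schtasks` or `reg` use elsewhere on the host from alerting, as the `ws-02` control events show.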
The Uzbekistan phase stands out for using geofencing. Users outside the country are redirected to a legitimate government website, while those inside Uzbekistan receive the malicious JAR file.
Group-IB said the attackers use Java 8-based loaders and an old 2013 version of NetSupport Manager, showing how inexpensive tools can be turned into targeted regional cyber operations.