Cybercrime Group “Stan Ghouls” Targets Uzbekistan in Sophisticated Phishing-Driven Malware Campaign

In early 2026, Kaspersky’s threat research team published an in-depth analysis of a sophisticated cybercriminal group known as Stan Ghouls (aka Bloody Wolf), which has been active since at least 2023 targeting organizations across Uzbekistan, Russia, Kyrgyzstan, and Kazakhstan. Their latest campaign—most notably targeting Uzbekistan—demonstrates a carefully constructed and evolving toolset centered around phishing, Java-based malicious loaders, and misuse of legitimate remote administration software.

The attack chain combines traditional social engineering with custom malware delivery and advanced persistence, allowing the group to maintain control of compromised systems over extended periods. The operational focus appears to be financially motivated, though the scale and tools suggest potential secondary espionage objectives.


Threat Group Background

Stan Ghouls (Bloody Wolf) is a cybercriminal threat actor observed conducting targeted attacks on select industries including:

  • Industrial manufacturing
  • Financial services
  • Information technology (IT)

Since 2023, the group has consistently targeted organizations in Central Asia, tailoring its approach to local languages and environments. Their initial campaigns relied on the STRRAT remote access trojan (also known as Strigoi Master), but recent activity shows a shift in offensive tools.


Attack Vector and Delivery Mechanism

Spear-Phishing as Initial Access

The initial access vector in this campaign remains spear-phishing via malicious PDF attachments. Emails are crafted in the local language (e.g., Uzbek), increasing the likelihood of execution and reducing suspicion among targeted victims. These PDFs masquerade as official documents—such as legal notices—to encourage users to interact with embedded content that triggers the next stage of the attack.

Decoy Documents and Local Language Targeting

Notably, decoy PDFs served to victims are written in Uzbek, not in widely used international languages like English or Russian, reflecting deliberate localization of the attack to Uzbekistan. This localization allows Stan Ghouls to bypass language barriers and improve engagement rates with their bait.


Malware Components: Loaders and RAT Deployment

Java-Based Malware Loader

Once the malicious PDF is opened, it initiates a Java-based loader—a notable choice given that Java is no longer widely used in modern malware. This loader is hardcoded with a list of malicious domains and iterates through them to download additional payloads.

The loader’s responsibilities are:

  1. Displaying a fake error message to deceive victims.
  2. Checking if the payload has already been deployed (limiting redundant execution).
  3. Downloading the next malware stage (typically a remote access utility).

Misuse of Legitimate Tools: NetSupport RAT

Instead of deploying a typical backdoor or custom C2 implant, Stan Ghouls uses a legitimate remote administration tool—NetSupport—to maintain control once the payload is delivered. The loader retrieves a set of NetSupport components such as:

  • client32.exe
  • remcmdstub.exe
  • Various DLLs (e.g., PCICHEK.DLL, HTCTL32.DLL)
  • Configuration files

These components are installed and executed to give the attackers persistent remote control of the compromised machine. The persistence mechanisms include:

  • Creating autorun batch scripts in the user’s Startup folder
  • Modifying registry run keys
  • Installing scheduled tasks to re-execute NetSupport at login

This technique blurs the line between legitimate administrative access and malicious exploitation.
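The persistence artifacts listed above (Startup-folder batch scripts, Run keys, scheduled tasks) and the unusual combination of a Java process dropping NetSupport components are all observable in ordinary host telemetry. The following is an added detection example, not code from Kaspersky's report or from the group's toolset: it runs a handful of hunting rules over a constructed, Sysmon-style event list. Hostnames, paths, the `notice.jar` file name and the `Updater` task name are invented for the sample; the NetSupport file names come from the article. The benign control record on `ADMIN-02` shows why the rules key on user-writable paths rather than on the file names alone.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# NetSupport components the article names as fetched by the loader.
NETSUPPORT_ARTIFACTS = {"client32.exe", "remcmdstub.exe", "pcichek.dll", "htctl32.dll"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Locations a phishing-delivered loader can write to without elevation.
USER_WRITABLE = re.compile(r"\\(users|appdata|programdata|temp|public)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

# Constructed sample telemetry (not real data from the report). One infected workstation
# plus one admin host where the vendor-installed NetSupport client runs legitimately.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "WS-017", "image": r"C:\Program Files\Java\jre1.8.0_391\bin\javaw.exe",
     "cmdline": r'"javaw.exe" -jar C:\Users\alice\AppData\Local\Temp\notice.jar'},
    {"type": "file", "host": "WS-017", "image": r"C:\Program Files\Java\jre1.8.0_391\bin\javaw.exe",
     "path": r"C:\Users\alice\AppData\Roaming\nsclient\client32.exe"},
    {"type": "file", "host": "WS-017", "image": r"C:\Program Files\Java\jre1.8.0_391\bin\javaw.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"type": "registry", "host": "WS-017",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\nsclient\client32.exe"},
    {"type": "process", "host": "WS-017", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\alice\AppData\Roaming\nsclient\client32.exe"'},
    {"type": "process", "host": "WS-017", "image": r"C:\Users\alice\AppData\Roaming\nsclient\client32.exe",
     "cmdline": "client32.exe"},
    # Benign control: same binary name, but installed under Program Files by IT.
    {"type": "process", "host": "ADMIN-02",
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe", "cmdline": "client32.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the platform the hunt runs on.
    return ntpath.basename(path).lower()


def mentions_netsupport(text: str) -> bool:
    lowered = text.lower()
    return any(name in lowered for name in NETSUPPORT_ARTIFACTS)


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the hunting rules to a list of event dicts and return every match."""
    findings: List[Finding] = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        image = basename(ev.get("image", ""))
        if kind == "process":
            cmd = ev.get("cmdline", "")
            # Java launched with a .jar from a user-writable location: loader execution.
            if image in JAVA_IMAGES and "-jar" in cmd.lower() and USER_WRITABLE.search(cmd):
                findings.append(Finding(host, "java_jar_from_user_path", cmd))
            # NetSupport client running from a user path rather than a vendor install.
            if image in NETSUPPORT_ARTIFACTS and USER_WRITABLE.search(ev["image"]):
                findings.append(Finding(host, "netsupport_from_user_path", ev["image"]))
            # Scheduled task creation whose action points at a NetSupport binary.
            if image == "schtasks.exe" and "/create" in cmd.lower() and mentions_netsupport(cmd):
                findings.append(Finding(host, "schtasks_netsupport", cmd))
        elif kind == "file":
            path = ev["path"]
            # A Java process writing NetSupport components to disk.
            if image in JAVA_IMAGES and basename(path) in NETSUPPORT_ARTIFACTS:
                findings.append(Finding(host, "java_drops_netsupport", path))
            # Batch script dropped into the per-user Startup folder.
            if STARTUP_DIR.search(path) and basename(path).endswith((".bat", ".cmd")):
                findings.append(Finding(host, "startup_batch_persistence", path))
        elif kind == "registry":
            # Run / RunOnce value whose data references a NetSupport binary.
            if RUN_KEY.search(ev["key"]) and mentions_netsupport(ev["value"]):
                findings.append(Finding(host, "run_key_netsupport", f'{ev["key"]} = {ev["value"]}'))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} <- {f.evidence}")
```

Each rule on its own is weak evidence (IT staff do run `schtasks`, and NetSupport is a legitimate product); the value is in the stacking, so in practice these findings would be grouped per host and scored together before anyone is paged.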


Operational Infrastructure and Evolution

Infrastructure Rotation

Stan Ghouls continually refreshes its network infrastructure, registering new malicious domains for each campaign. Over 35 domains have been attributed to this group alone, illustrating a deliberate effort to evade detection and takedown efforts by security teams and law enforcement.

Possible IoT Engagement

While investigating, researchers found Mirai-related binaries hosted on one of the malicious domains. Mirai is a well-known IoT malware family that propagates across insecure embedded devices such as routers and cameras. Though attribution to Stan Ghouls is not definitive, this may signal either infrastructure sharing with other actors or an expansion of tools to include IoT-focused threats.


Victimology

Approximately 50 victims in Uzbekistan were identified, with additional infections in Russia (~10), and opportunistic compromises in Kazakhstan, Turkey, Serbia, and Belarus. Targets included:

  • Government and administrative entities
  • Financial institutions
  • Manufacturing and logistics firms
  • IT service providers
  • Educational and medical organizations

The high number of compromised entities demonstrates both strong targeting capability and extensive resources available to the group.


Attribution and Tactics

Attribution to the Stan Ghouls threat group is supported by several factors:

  • Code similarities between loaders used previously
  • Identical decoy document structures across campaigns
  • Continued use of Java-based loader components

These recurrent signatures serve as reliable fingerprints, enabling consistent tracking despite ongoing infrastructure changes.


Defensive and Mitigation Considerations

Organizations operating in affected regions and industries should consider the following defensive strategies:

  1. Email Filtering and Anti-Phishing Controls
    Enforce advanced email scanning for malicious attachments, especially localized spear-phishing.
  2. User Awareness and Education
    Train staff to identify social engineering cues, particularly localized legal or financial phishing lures.
  3. Endpoint Detection and Response (EDR)
    Deploy tools capable of detecting malicious persistence behaviors, unusual NetSupport use, and unauthorized batch or scheduled task creation.
  4. Network Monitoring
    Monitor outbound connections to domains with poor reputations or historical abuse.
  5. IoT Security Posture
    Even industrial IoT devices should be scoped into security monitoring, given potential Mirai-linked artifacts on Stan Ghouls infrastructure.
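Two details from the report make the network-monitoring item above more actionable than a plain blocklist: the loader iterates through a hardcoded list of domains, and the group rotates that list per campaign. A host that resolves several watchlisted domains within seconds is therefore a stronger signal than any single lookup. The example below is added here and is not code from the report; the `*.invalid` watchlist entries are placeholders for the attributed domains (which this page does not enumerate), and the DNS log lines and client addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Placeholder watchlist: stands in for the domains attributed to the group in the report.
WATCHLIST = {"loader-one.invalid", "loader-two.invalid", "loader-three.invalid"}

# Constructed resolver log in a minimal "timestamp client qname" format.
# 10.0.5.17 walks three watchlisted domains in a few seconds; 10.0.7.2 touches one.
SAMPLE_DNS_LOG = """\
2026-02-03T09:14:02Z 10.0.5.17 update.loader-one.invalid
2026-02-03T09:14:03Z 10.0.5.17 loader-two.invalid
2026-02-03T09:14:05Z 10.0.5.17 cdn.loader-three.invalid
2026-02-03T09:14:09Z 10.0.5.17 www.example.com
2026-02-03T11:30:00Z 10.0.7.2 loader-one.invalid
2026-02-03T11:31:00Z 10.0.7.2 www.example.org
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one log line into (timestamp, client, normalized query name)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    qname = m.group(3).lower().rstrip(".")  # drop trailing dot, normalize case
    return ts, m.group(2), qname


def watchlist_hit(qname: str) -> Optional[str]:
    """Return the watchlisted domain that qname equals or is a subdomain of, else None."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None


def watchlist_matches(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Every (timestamp, client, matched_domain) for lookups that hit the watchlist."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        matched = watchlist_hit(qname)
        if matched:
            out.append((ts, client, matched))
    return out


def find_iteration_bursts(log_text: str,
                          window: timedelta = timedelta(seconds=60),
                          min_domains: int = 2) -> Dict[str, List[str]]:
    """Per client, flag the first window in which >= min_domains distinct watchlisted
    domains were queried. Mirrors the loader's walk through its hardcoded domain list."""
    per_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, matched in watchlist_matches(log_text):
        per_client[client].append((ts, matched))
    alerts: Dict[str, List[str]] = {}
    for client, hits in per_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            domains = {d for t, d in hits[i:] if t - start <= window}
            if len(domains) >= min_domains:
                alerts[client] = sorted(domains)
                break
    return alerts


if __name__ == "__main__":
    for client, domains in find_iteration_bursts(SAMPLE_DNS_LOG).items():
        print(f"{client}: iterated {len(domains)} watchlisted domains -> {domains}")
```

Because the group registers fresh domains per campaign, the watchlist alone will lag; the burst logic is what carries over between campaigns, and it can be extended to count newly registered or never-before-seen domains in the same window once the watchlist is exhausted.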

Conclusion

The Stan Ghouls campaign represents an advanced use of both custom malware loaders and misused legitimate administration tools to conduct targeted intrusions. Their ability to localize lures, pivot infrastructure frequently, and maintain persistent remote access reflects significant operational investment. Security teams must stay ahead through layered defenses, behavioural monitoring, and up-to-date threat intelligence feeds.