Bloody Wolf evolution: new targets, new tools

Feb. 21, 2025, 10:29 a.m.

Description

Bloody Wolf, a notorious threat actor, has shifted its tactics by replacing custom malware with the legitimate remote administration tool NetSupport. The group has expanded its targeting to organizations in both Kazakhstan and Russia, compromising over 400 systems. The attack chain begins with phishing emails carrying PDF attachments that contain links to malicious JAR files. These files download and install NetSupport components, giving the attackers full access to the system. The campaign takes advantage of the prevalence of remote work and the increased use of remote administration software. Because the attackers rely on legitimate tools, detection is harder for conventional defenses. The report provides detailed technical information about the attack process and indicators of compromise.

Date

  • Created: Feb. 20, 2025, 7:47 p.m.
  • Published: Feb. 20, 2025, 7:47 p.m.
  • Modified: Feb. 21, 2025, 10:29 a.m.

Attack Patterns

  • STRRAT
  • Bloody Wolf
  • T1102.002
  • T1132.001
  • T1059.007
  • T1071.001
  • T1573
  • T1547
  • T1105
  • T1219
  • T1036
  • T1204
  • T1566

Additional Information

  • Finance
  • Government
  • Kazakhstan
  • Russian Federation