We analyze the recent Stan Ghouls campaign targeting organizations in Russia and Uzbekistan: Java-based loaders, the NetSupport RAT, and a potential interest in IoT.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky analyzes the Stan Ghouls (Bloody Wolf) cybercriminal group's recent campaign targeting organizations in Russia and Uzbekistan, primarily in manufacturing, finance, and IT sectors. The attackers use spear-phishing emails with malicious PDF attachments written in local languages (Uzbek, Russian) to deliver custom Java-based loaders that install the NetSupport RAT for remote control. The campaign infected approximately 50 victims in Uzbekistan and 10 in Russia. Researchers discovered new infrastructure domains and found Mirai IoT malware files on a server linked to previous campaigns, suggesting potential expansion into IoT-focused attacks. The group maintains sophisticated operations with frequent infrastructure updates while using consistent tactics including Java loaders and legitimate remote management tools.

Stan Ghouls attacks in Russia and Uzbekistan: NetSupport RAT and potential IoT interest