{"id":1071,"date":"2026-02-05T09:02:19","date_gmt":"2026-02-05T09:02:19","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/05\/stan-ghouls-targeting-russia-and-uzbekistan-with-netsupport-rat\/"},"modified":"2026-02-05T09:02:19","modified_gmt":"2026-02-05T09:02:19","slug":"stan-ghouls-targeting-russia-and-uzbekistan-with-netsupport-rat","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/05\/stan-ghouls-targeting-russia-and-uzbekistan-with-netsupport-rat\/","title":{"rendered":"Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

Stan Ghouls (also known as Bloody Wolf) is an cybercriminal group that has been launching targeted attacks against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attackers primarily have their sights set on the manufacturing, finance, and IT sectors. Their campaigns are meticulously prepared and tailored to specific victims, featuring a signature toolkit of custom Java-based malware loaders and a sprawling infrastructure with resources dedicated to specific campaigns.<\/p>\n

We continuously track Stan Ghouls\u2019 activity, providing our clients with intel on their tactics, techniques, procedures, and latest campaigns. In this post, we share the results of our most recent deep dive into a campaign targeting Uzbekistan, where we identified roughly 50 victims. About 10\u00a0devices in Russia were also hit, with a handful of others scattered across Kazakhstan, Turkey, Serbia, and Belarus (though those last three were likely just collateral damage).<\/p>\n

During our investigation, we spotted shifts in the attackers\u2019 infrastructure \u2013 specifically, a batch of new domains. We also uncovered evidence suggesting that Stan Ghouls may have added IoT-focused malware to their arsenal.<\/p>\n

Technical details<\/h2>\n

Threat evolution<\/h3>\n

Stan Ghouls relies on phishing emails packed with malicious PDF attachments as their initial entry point. Historically, the group\u2019s weapon of choice<\/a> was the remote access Trojan (RAT) STRRAT<\/a>, also known as Strigoi Master. Last year, however, they switched strategies, opting to misuse legitimate software, NetSupport, to maintain control over infected machines.<\/p>\n

Given Stan Ghouls\u2019 targeting of financial institutions, we believe their primary motive is financial gain. That said, their heavy use of RATs may also hint at cyberespionage.<\/p>\n

Like any other organized cybercrime groups, Stan Ghouls frequently refreshes its infrastructure. To track their campaigns effectively, you have to continuously analyze their activity.<\/p>\n

Initial infection vector<\/h3>\n

As we\u2019ve mentioned, Stan Ghouls\u2019 primary \u2013 and currently only \u2013 delivery method is spear phishing. Specifically, they favor emails loaded with malicious PDF attachments. This has been backed up by research from several of our industry peers (1<\/a>, 2<\/a>, 3<\/a>). Interestingly, the attackers prefer to use local languages rather than opting for international mainstays like Russian or English. Below is an example of an email spotted in a previous campaign targeting users in Kyrgyzstan.<\/p>\n

\"Example<\/a><\/p>\n

Example of a phishing email from a previous Stan Ghouls campaign<\/p>\n<\/div>\n

The email is written in Kyrgyz and translates to: \u201cThe service has contacted you. Materials for review are attached. Sincerely\u201d.<\/p>\n

The attachment was a malicious PDF file titled \u201c\u041f\u043e\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435_\u0420\u0430\u0439\u043e\u043d\u043d\u044b\u0439_\u0441\u0443\u0434_\u041a\u0447\u0440\u043c_3566_28-01-25_OL4_scan.pdf\u201d (the title, written in Russian, posed it as an order of district court).<\/p>\n

During the most recent campaign, which primarily targeted victims in Uzbekistan, the attackers deployed spear-phishing emails written in Uzbek:<\/p>\n

\"Example<\/a><\/p>\n

Example of a spear-phishing email from the latest campaign<\/p>\n<\/div>\n

The email text can be translated as follows:<\/p>\n

[redacted] AKMALZHON IBROHIMOVICH\n\nYou will receive a court notice. Application for retrial. The case is under review by the district court. Judicial Service.\n\nMustaqillik Street, 147 Uraboshi Village, Quva District.<\/pre>\n
The attachment, named E-SUD_705306256_ljro_varaqasi.pdf (MD5: 7556e2f5a8f7d7531f28508f718cb83d), is a standard one-page decoy PDF:<\/p>\n
\"The<\/a><\/p>\n
The embedded decoy document<\/p>\n<\/div>\n
Notice that the attackers claim that the \u201ccase materials\u201d (which are actually the malicious loader) can only be opened using the Java Runtime Environment.<\/p>\n
They even helpfully provide a link for the victim to download and install it from the official website.<\/p>\n
The malicious loader<\/h3>\n
The decoy document contains identical text in both Russian and Uzbek, featuring two links that point to the malicious loader:<\/p>\n