Cybersecurity company Kaspersky identified around 50 victims in Uzbekistan linked to cybercriminal group Stan Ghouls, also known as Bloody Wolf. The group has carried out targeted attacks on organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023.

Kaspersky found about 10 affected devices in Russia, with several others in Kazakhstan, Turkey, Serbia, and Belarus. Researchers said the cases in Turkey, Serbia, and Belarus were likely collateral damage.

“These attackers primarily have their sights set on the manufacturing, finance, and IT sectors,” researchers said in a blog post.

Stan Ghouls uses spear-phishing emails containing malicious PDF attachments to gain access to target systems. The group previously relied on the remote access Trojan (RAT) STRRAT, also known as Strigoi Master, but shifted last year to abusing legitimate remote support software NetSupport to control compromised devices.

Researchers said the group prepares campaigns for specific targets using custom Java-based malware loaders and dedicated infrastructure for each campaign.
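As an added illustration of how a defender might hunt for the delivery chain described above (PDF reader, then Java-based loader, then NetSupport client), the following is example code, not part of Kaspersky's report or of this article. The process names (client32.exe for the NetSupport client, java.exe/javaw.exe, the PDF reader binaries) and the telemetry records are assumptions constructed for the example.

```python
"""Hunting heuristic for the chain: phishing PDF -> Java loader -> NetSupport.
Added example with constructed process-creation telemetry, not real report data."""
from dataclasses import dataclass

# Assumed executable names: NetSupport's client is commonly client32.exe,
# Java launchers are java.exe/javaw.exe, PDF readers as listed.
NETSUPPORT_IMAGES = {"client32.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
PDF_READERS = {"acrord32.exe", "acrobat.exe"}
# Legitimate NetSupport deployments normally live under Program Files;
# a client running from a user-writable folder is worth a closer look.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # executable file name
    path: str    # full on-disk path of the image


def _name(e: ProcEvent) -> str:
    return e.image.lower()


def find_suspicious_chains(events):
    """Return (pid, reasons) for every NetSupport client process that matches
    at least one indicator of the loader chain described in the article."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _name(e) not in NETSUPPORT_IMAGES:
            continue
        reasons = []
        if any(h in e.path.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("netsupport_in_user_writable_path")
        parent = by_pid.get(e.ppid)
        if parent and _name(parent) in JAVA_IMAGES:
            reasons.append("netsupport_spawned_by_java")
            grand = by_pid.get(parent.ppid)
            if grand and _name(grand) in PDF_READERS:
                reasons.append("java_spawned_by_pdf_reader")
        if reasons:
            findings.append((e.pid, tuple(reasons)))
    return findings


# Constructed sample telemetry: one suspicious chain and one benign install.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, "AcroRd32.exe", r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"),
    ProcEvent(300, 200, "javaw.exe", r"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe"),
    ProcEvent(400, 300, "client32.exe", r"C:\Users\alice\AppData\Roaming\NetSupport\client32.exe"),
    ProcEvent(500, 100, "client32.exe", r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe"),
]
```

Only the client launched by Java from a user-writable path is flagged; the benign Program Files install started by explorer.exe produces no finding.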

“During our investigation, we spotted shifts in the attackers’ infrastructure, specifically a batch of new domains. We also uncovered evidence suggesting that Stan Ghouls may have added IoT-focused malware to their arsenal,” Kaspersky said.

The researchers noted that the group regularly updates its infrastructure and registers new domains for each campaign. More than 35 domains linked to Stan Ghouls have already been identified.

“Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain,” researchers said. “That said, their heavy use of RATs may also hint at cyberespionage.”

Kaspersky said tracking the group requires continuous monitoring because of frequent infrastructure changes. Researchers added that Stan Ghouls currently uses spear phishing as its main distribution method and prefers to send malicious emails in local languages instead of using widely used languages such as Russian or English.
