Stan Ghouls attacks in Russia and Uzbekistan: NetSupport RAT and potential IoT interest

The cybercriminal group Stan Ghouls, also known as Bloody Wolf, has been actively conducting targeted attacks since at least 2023, primarily focusing on organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan. Their main targets include the manufacturing, finance, and IT sectors. Stan Ghouls employs sophisticated, customized attack campaigns, utilizing a unique toolkit that includes Java-based malware loaders and a dynamic infrastructure. Recently, a campaign targeting Uzbekistan identified approximately 50 victims, with about 10 devices in Russia also affected, and a few others in neighboring countries, likely as collateral damage.

The group's attack vector typically involves spear-phishing emails with malicious PDF attachments, often written in the local language of the target country. Historically, they used the STRRAT remote access Trojan (RAT), but have since shifted to misusing legitimate software like NetSupport for maintaining control over infected systems.

Evidence suggests Stan Ghouls may have expanded their arsenal to include IoT-focused malware, with the discovery of Mirai malware files on a domain associated with their previous campaigns. While their primary motive appears to be financial gain due to their focus on financial institutions, cyberespionage cannot be ruled out. The group consistently refreshes its infrastructure, registering new domains for each campaign, and has shown the capacity to manage a significant number of infected devices simultaneously.

securelist.com/stan-ghou…

Edward Kiledjian @ekiledjian