securelist.com 2/5/2026, 9:05:22 AM

Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT

The Securelist report "Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT" states that the group has been conducting targeted attacks since at least 2023, focusing on the manufacturing, finance and IT sectors in Russia, Kyrgyzstan, Kazakhstan and Uzbekistan. The latest deep dive identifies roughly 50 victims in Uzbekistan and about 10 in Russia, with a few more in Kazakhstan, Turkey, Serbia and Belarus, though the latter are described as likely collateral.

According to Securelist, the attackers primarily use spear-phishing emails with malicious PDF attachments, and have shifted from STRRAT to misusing NetSupport to maintain control over infected machines. An IoT malware component potentially signals a broader interest in IoT. The malicious loader downloads the NetSupport RAT and persists via startup scripts, registry autorun and a scheduled task. It has a hardcoded list of domain targets, and more than 35 domains have been observed supporting the campaigns.

IoT utilities are mentioned alongside a set of Mirai files found on a domain linked to a Kyrgyzstan campaign, suggesting Stan Ghouls may be expanding into IoT threats. The operation continues to use two new domains for the loader and one for NetSupport RAT files, and the group is attributed to Stan Ghouls (Bloody Wolf) with a high degree of confidence based on code overlaps and decoy documents.

Article by CyberSIXT