A new report from Kaspersky Labs details a fresh Stan Ghouls campaign targeting organisations in Uzbekistan and Russia, using a “living off the land” approach to control victim machines via the NetSupport RAT rather than custom trojans. According to Kaspersky Labs, the group has compromised over 60 victims in this latest wave by deploying spear-phishing emails written in Uzbek, with decoy PDFs masquerading as court notices or government documents.
One lure, titled E-SUD…ljro_varaqasi.pdf and purportedly sent by the Judicial Service regarding a case under review, claimed that the case materials could only be opened after installing a Java update, leading victims to a malicious JAR. The loader then downloads NetSupport and establishes persistence through three mechanisms: a script in the Startup folder, a registry Run key entry, and a scheduled task that reactivates on logon.
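The three logon-persistence locations described above are the natural places for a responder to triage. The following PowerShell script is an added example written for this summary, not code from the Kaspersky report; it enumerates Run keys, Startup folders, and logon-triggered scheduled tasks and flags entries referencing Java/JAR or NetSupport. The match patterns and the script-extension list are assumptions to tune for your environment.

```powershell
# Added triage script, not part of the Kaspersky report: lists entries in the three
# logon-persistence locations named above that reference Java/JAR or NetSupport.
# The patterns and extension list are assumptions; adjust them for your estate.
$patterns   = @('\.jar\b', 'javaw?\.exe', 'netsupport')
$scriptExts = @('.bat', '.cmd', '.vbs', '.js', '.ps1')
function Test-Suspicious([string]$text) {
    foreach ($p in $patterns) { if ($text -imatch $p) { return $true } }
    return $false
}
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($source, $name, $detail) {
    $findings.Add([pscustomobject]@{ Source = $source; Name = $name; Detail = $detail })
}

# 1. Run keys: inspect every value under the per-user and machine-wide keys
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if (Test-Suspicious ([string]$prop.Value)) { Add-Finding 'RunKey' "$key\$($prop.Name)" $prop.Value }
    }
}

# 2. Startup folders: any script-like file or JAR is reported; script bodies are also scanned
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $body = ''
        if ($_.Extension -in $scriptExts) {
            $body = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        }
        if (($_.Extension -in ($scriptExts + '.jar')) -or (Test-Suspicious "$($_.Name) $body")) {
            Add-Finding 'Startup' $_.FullName $_.Extension
        }
    }
}

# 3. Scheduled tasks: only those with a logon trigger, checking each action's command line
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $onLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $onLogon) { return }
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Suspicious $cmd) { Add-Finding 'SchedTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session to see the HKLM key and all-users task and Startup entries; a clean host should produce no rows, so anything listed deserves a closer look.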
Researchers note a potential expansion into IoT attacks, with Mirai-related files detected on a related domain, though it remains unclear whether Stan Ghouls is directly wielding the botnet or merely sharing infrastructure.