Matter of trust: 400 companies breached through a legitimate tool

The adversaries compromised at least 400 organizations in Russia and other CIS countries through the legitimate remote administration tool NetSupport
February 19, 2025

In December 2024, BI.ZONE Threat Intelligence detected new activity from the Bloody Wolf cluster. The cluster targeted Russian organizations across a number of industries, including finance, retail, IT, transportation, and logistics. The adversaries sent phishing emails whose malicious attachments masqueraded as notices from government agencies and used the victim's own data for added credibility. Opening the attachment triggered the installation of a remote administration tool that enabled Bloody Wolf to steal data from at least 400 organizations.

To make its attacks more efficient, Bloody Wolf switched from the STRRAT malware to the NetSupport remote access tool. As a legitimate solution, NetSupport can stay under the radar of conventional defenses. The adversaries also crafted their malicious emails to look highly convincing, with attachments containing a victim’s legal information. This type of phishing shows up in only 10% of cases as most attackers tend to prioritize quantity over quality.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Bloody Wolf distributed PDF documents disguised as official decisions on liability for tax offenses. Along with phishing links, the attachment included instructions for installing the Java interpreter, which is required for the software to run.

As part of the new campaign, the threat actor employed NetSupport, a remote control, monitoring, support, and learning software. This tool is widely used by corporations and educational institutions. It is less popular among Russian organizations than alternatives such as AnyDesk or Assistant.

This is not the first Bloody Wolf campaign. In 2023, the attackers targeted organizations in Kazakhstan, sending phishing emails on behalf of regulators. Back then, the cluster employed a MaaS trojan known as STRRAT to remotely execute commands on compromised computers, manage files, and perform other tasks.
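The chain described above leaves a recognizable trail in process-creation telemetry: a Java runtime launching a JAR from a user-writable directory, followed on the same host by the NetSupport client starting outside the vendor's install directory. The Python sketch below is an added illustration, not code from the BI.ZONE report, showing how an analyst could correlate those two events. The log records are constructed; the client binary name client32.exe, the directory lists and the 30-minute window are assumptions, not indicators taken from the report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """One process-creation record, as an EDR or Sysmon Event ID 1 reports it."""
    ts: datetime
    host: str
    image: str          # full path of the started executable
    cmdline: str
    parent_image: str


# Assumed directory markers and binary names (not indicators from the report).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
NETSUPPORT_CLIENT = "client32.exe"      # assumed NetSupport Manager client name
JAVA_IMAGES = ("java.exe", "javaw.exe")
CORRELATION_WINDOW = timedelta(minutes=30)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def jar_argument(cmdline: str):
    """Return the .jar path passed on a Java command line, quoted or not."""
    m = re.search(r'"([^"]+\.jar)"|(\S+\.jar)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def suspicious_java(ev: ProcEvent) -> bool:
    """java/javaw running a JAR that lives in a user-writable directory."""
    if basename(ev.image) not in JAVA_IMAGES:
        return False
    jar = jar_argument(ev.cmdline)
    return jar is not None and is_user_writable(jar)


def unusual_netsupport(ev: ProcEvent) -> bool:
    """NetSupport client started from outside the vendor install directories."""
    return (basename(ev.image) == NETSUPPORT_CLIENT
            and not ev.image.lower().startswith(TRUSTED_ROOTS))


def detect(events):
    """Emit (severity, rule, host, ts) tuples: one per indicator, plus a
    high-severity 'chain' alert when both fire on one host inside the window."""
    alerts = []
    java_hits = {}  # host -> timestamps of suspicious Java launches
    for ev in sorted(events, key=lambda e: e.ts):
        if suspicious_java(ev):
            alerts.append(("medium", "java_jar_user_writable", ev.host, ev.ts))
            java_hits.setdefault(ev.host, []).append(ev.ts)
        if unusual_netsupport(ev):
            alerts.append(("medium", "netsupport_unusual_path", ev.host, ev.ts))
            if any(timedelta(0) <= ev.ts - t <= CORRELATION_WINDOW
                   for t in java_hits.get(ev.host, [])):
                alerts.append(("high", "java_then_netsupport_chain", ev.host, ev.ts))
    return alerts


# Constructed sample telemetry: one benign NetSupport deployment on WS-01 and
# the suspicious Java-then-NetSupport sequence on WS-02.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS-01",
              r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
              "client32.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(T0 + timedelta(minutes=5), "WS-02",
              r"C:\Program Files\Java\jre-8\bin\javaw.exe",
              r'"C:\Program Files\Java\jre-8\bin\javaw.exe" -jar "C:\Users\ivanov\Downloads\tax_decision.jar"',
              r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"),
    ProcEvent(T0 + timedelta(minutes=9), "WS-02",
              r"C:\Users\ivanov\AppData\Roaming\Support\client32.exe",
              "client32.exe", r"C:\Program Files\Java\jre-8\bin\javaw.exe"),
]

if __name__ == "__main__":
    for sev, rule, host, ts in detect(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} {host} {sev:6} {rule}")
```

The legitimate deployment on WS-01 produces no alert because the client runs from the vendor directory, which is the point of path-based rather than name-based logic: the tool itself is legitimate, so the detection has to key on where and after what it appears.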

It is critical not only to detect attacks like those by Bloody Wolf but also to neutralize them before they affect the infrastructure. Endpoint protection solutions such as BI.ZONE EDR enable early detection of attacks and immediate incident response, either automated or manual.

Meanwhile, companies can accelerate incident response and prioritize the most critical threats with threat intelligence portals such as BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, and their methods and tools. This data helps to ensure the precision of your security solutions.