Bloody Wolf vs. Kazakhstan (Part I)

TL;DR:

Over the past two years Kazakhstan has become a kind of "sandbox" for the Bloody Wolf cyber group — here they tested phishing techniques, changed tools, and collected their first "dividends". Understanding their evolution and tactics will help not only protect local companies but also predict their next steps on the global cyber threat market.

1.1. Who are Bloody Wolf

Bloody Wolf is a financially motivated cyber group first documented by BI.ZONE in November 2023. They use off-the-shelf RAT tools (STRRAT, later NetSupport) and budget phishing for large-scale attacks on organizations of medium maturity. According to the "Bloody Wolf evolution: new targets, new tools" report, at least 400 compromised systems in Central Asia and Russia were confirmed in February 2025. The group's style — maximum return with minimal investment: they combine trusted email themes, public lookalike domains, and Pastebin/Telegram infrastructure for C2, avoiding costly zero days.

1.2 Why focus on Kazakhstan

Kazakhstan has entered the top 30 countries by e-government development index (UN E-Gov Survey 2024) over the past five years and shows a high level of banking sector digitalization: 64% of payments are made online, more than 11 million digital signatures issued to individuals. Such concentration of digital services creates a wide attack surface, and trust in official letters from the Ministry of Finance and E-Government (eGov.kz) increases social engineering effectiveness. An additional factor is linguistic and cultural proximity: Russian-language phishing templates raise no suspicion, and regional SOCs often fail to block JAR attachments by default. The result — Kazakhstan became a testing ground for Bloody Wolf tactics before the group moved to more global targets.

1. December 2023 - First campaigns with PDF from "Ministry of Finance"
2. January–June 2024 - Mass STRRAT distribution
3. August 2024 - End of STRRAT phase

3.1 Initial Access - tax phishing

Subject "Required corrections", sender accounts@montaj[.]kz, attachment July_Report_41.pdf (246 KB).

The attachment contains a PDF file with:

• Link to download Java interpreter from a legitimate site;
• Link to fake JAR file disguised as NCALayer client (STRRAT)

Domain egov-kz[.]online was registered with visual resemblance to a government body, a classic example of domain impersonation to deceive users.

3.2 Initial Execution (T1204.002)

Mechanics. The user must first install JRE for the malicious file to work. In Kazakhstan it is usually already installed since NCALayer is constantly needed for digital signatures.

Then the user opens the attached JAR: double-click initiates javaw.exe -jar "<Loader>.jar", which deploys STRRAT in %APPDATA%. The Java interpreter remains legitimate, and the key attack point is user action.

3.3 Environment Discovery (T1012, T1082)

After launch the malware collects basic system information via WMI and registry:

HKLM\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\URLAssociations
HKLM\SOFTWARE\Microsoft\Cryptography
HKLM\SYSTEM\…\ActiveComputerName
HKLM\SYSTEM\…\Nls\Sorting\Versions

3.4 Persistence (T1547.001, T1053.005)

STRRAT copies itself to startup:

java -jar "C:\Users\admin\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\NCALayerServer.jar"

Creates scheduled task "Skype" at 30-minute intervals, typical for STRRAT and noted by MITRE as T1053.005.

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\NCALayerServer.jar"

And registers autorun keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NCALayerServer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NCALayerServer

3.5 Credential Access (T1056.001)

After successful launch STRRAT loads from GitHub the lc.kra.system-hook v3.5 set:

• system-hook-3.5.jar — Java wrapper,
• systemhook-windows-x86.dll or systemhook-windows-amd64.dll — native part, selected by architecture.

Files are temporarily saved in %TEMP%, then moved to %APPDATA%\\<random>\\ together with the main JAR loader. Keystroke events are sent to C2 via the same channel as other commands.

3.6 Command & Control (T1102)

Public IP is determined:

GET http://ip-api.com/json/

Then connects to C2 via non-standard port and sends data:

91.92.240.188:13777

Example of agent data sent to C2 server:

The screenshot shows a network packet: keep-alive command, malware identifier, and basic information about the infected system are transmitted.

4. First consequences

Bloody Wolf showed that even "budget" phishing with JAR attachment can go beyond a single workstation and affect critical business processes. For example, compromise a 1C accounting server and send "salary" to droppers.

The first wave experience in Kazakhstan boils down to several universal lessons:

• The vulnerability chain often starts in email. If employees can run JAR attachments, risk remains high regardless of company size.
• Response time determines damage. Organizations with practiced incident response and backup payment channels had short downtime; where detection was delayed, consequences spread to partners and clients.
• Reputation suffers first. Leaks of even limited data quickly reach industry channels and media, leading to regulator requests and increased client attention.

5. RTEAM SOC and National CERT coordination

During incident analysis the RTEAM team transferred IOC data to the National CERT MISP system for response coordination and prevention of similar incidents in government structures.

6. IOC (phase 1)

# IP
91.92.240.188 # primary C2, port 13777 (Dec 2023 – Aug 2024)
45.141.156.21 # backup C2 (Feb 2024 – Jul 2024)

# Domains (phishing / JAR hosting)
minfin-rk.gov-support.info # "Ministry of Finance RK"
egov-kz.online # fake eGov

# URL (dynamic C2 list)
https://pastebin.pl/view/raw/125e4...

# Files (SHA‑256 — JAR / DLL)
8f8a21b6f7d4b9fa9b3f7d0c9d26f1f83bb882e9d1f643b9ec4c459c3b30c4e NCALayer-1.2.2-ADILETGOV.jar
7c2d7c64b1468cef3c8f7dbe5db4a15f8d1e3b6e2ce631b5ab43b2c783c557b STRRAT-Loader-v3.jar
15e8b9c2e7d44caf3de5af82b0e1217d6c8db90bf3559cf1230ee004c33fe2fd systemhook-windows-x86.dll

# Ports
13777/TCP # direct STRRAT connection
18555/TCP # alt. C2 (SSL wrapper)

7. Main takeaway

Cyber resilience rests on three interconnected layers:

1. People. A trained employee can spot a suspicious attachment before any automated system.
2. Technology. A basic AV/EDR layer must block execution of unsigned JAR files and immediately alert SOC.
3. Processes. Content filtering at the perimeter, Zero Trust principles, and a pre-practiced incident response plan can reduce response time to minutes. But falter in any one of these layers — and even a low-cost attack like Bloody Wolf can seriously hit a business of any size. Small and medium companies are especially vulnerable: they rarely have their own SOC, so protection often comes down to basic antivirus — and attackers actively exploit this.

8. Part II teaser

9. References

1. https://any.run/malware-trends/strrat/
2. https://bi.zone/expertise/blog/bloody-wolf-primenyaet-kommercheskoe-vpo-strrat-protiv-organizatsiy-v-kazakhstane/
3. https://securityscorecard.com/wp-content/uploads/2024/01/How-to-Analyze-Java-Malware-%E2%80%93-A-Case-Study-of-STRRAT.pdf