Cyber fraudsters attacked organizations in Russia using a remote access tool

Attackers compromised at least 400 organizations in Russia and other CIS countries using the legitimate remote access tool NetSupport. In their attacks, they imitated notifications from government agencies using victims' data in phishing emails, BI.ZONE told Izvestia on February 18.
BI.ZONE Threat Intelligence specialists detected a new campaign by the Bloody Wolf group targeting Russian organizations in December 2024. The affected industries included the financial sector, retail, IT, transportation and logistics.
"To increase the impact of the attacks, the Bloody Wolf cluster replaced the STRRAT malware (software. - Ed.) with the NetSupport remote access tool. Since this is a legitimate tool, traditional defenses may not detect it. In addition, the attackers made the email quite convincing: the attached file contained legal information about the victim. Such phishing occurs only in 10% of cases: cybercriminals usually rely on mass distribution rather than quality," explained Oleg Skulkin, head of BI.ZONE Threat Intelligence.
Fraudsters distributed PDF documents disguised as decisions on liability for tax offenses. In addition to links to malicious files, the attachment contained instructions for installing the Java interpreter, which is required for the software to work. The attackers used NetSupport - software for remote management, monitoring, support and training.
Earlier, on January 13, it was reported that in Russia, 65% of the analyzed companies have a low level of security. Attacks on them can cause critical damage, lead to the suspension of key business processes and financial losses. This was stated in the results of a study by the information security company Bastion.
Translated by Yandex Translate