Stan Ghouls Targeting Russia and Uzbekistan With NetSupport RAT

    Date: 02/10/2026

    Severity: High

    Summary

    Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group active since at least 2023 that conducts highly targeted campaigns, primarily against manufacturing, finance, and IT organizations across Russia and Central Asia. Recent investigations into a campaign targeting Uzbekistan uncovered around 50 victims, alongside infections in Russia and limited collateral activity elsewhere. They also revealed infrastructure changes, new domains, the use of NetSupport RAT, and indications that the group is expanding its toolkit to include IoT-focused malware, signaling the group's growing operational scope and sophistication.

    Indicators of Compromise (IOC) List

    URLs/Domains


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "my-xb.com" or siteurl like "my-xb.com" or url like "my-xb.com" or domainname like "salyk-notofocations.com" or siteurl like "salyk-notofocations.com" or url like "salyk-notofocations.com" or domainname like "notice-kg.com" or siteurl like "notice-kg.com" or url like "notice-kg.com" or domainname like "xarid-uz.com" or siteurl like "xarid-uz.com" or url like "xarid-uz.com" or domainname like "audit-kg.com" or siteurl like "audit-kg.com" or url like "audit-kg.com" or domainname like "proauditkg.com" or siteurl like "proauditkg.com" or url like "proauditkg.com" or domainname like "tax-kg.com" or siteurl like "tax-kg.com" or url like "tax-kg.com" or domainname like "ach-uz.com" or siteurl like "ach-uz.com" or url like "ach-uz.com" or domainname like "kgauditcheck.com" or siteurl like "kgauditcheck.com" or url like "kgauditcheck.com" or domainname like "mysoliq-uz.com" or siteurl like "mysoliq-uz.com" or url like "mysoliq-uz.com" or domainname like "auditnotice-kg.com" or siteurl like "auditnotice-kg.com" or url like "auditnotice-kg.com" or domainname like "servicedoc-kg.com" or siteurl like "servicedoc-kg.com" or url like "servicedoc-kg.com" or domainname like "minjust-kg.com" or siteurl like "minjust-kg.com" or url like "minjust-kg.com" or domainname like "esf-kg.com" or siteurl like "esf-kg.com" or url like "esf-kg.com" or domainname like "kyrgyzstanreview.com" or siteurl like "kyrgyzstanreview.com" or url like "kyrgyzstanreview.com" or domainname like "taxnotice-kg.com" or siteurl like "taxnotice-kg.com" or url like "taxnotice-kg.com" or domainname like "rouming-uz.com" or siteurl like "rouming-uz.com" or url like "rouming-uz.com" or domainname like "soliq-uz.com" or siteurl like "soliq-uz.com" or url like "soliq-uz.com"

    Detection Query 2:

    md5hash IN ("b13f7ccbedfb71b0211c14afe0815b36","8b0bbe7dc960f7185c330baa3d9b214c","B4FF4AA3EBA9409F9F1A5210C95DC5C3","AF9321DDB4BEF0C3CD1FF3C7C786F0E2","5c4a57e2e40049f8e8a6a74aa8085c80","8c63818261735ddff2fe98b3ae23bf7d","047A600E3AFBF4286175BADD4D88F131","7e8feb501885eff246d4cb43c468b411","0CE06C962E07E63D780E5C2777A661FC","60C34AD7E1F183A973FB8EE29DC454E8","3f99fed688c51977b122789a094fec2e","3f41091afd6256701dd70ac20c1c79fe","8064f7ac9a5aa845ded6a1100a1d5752","8DA8F0339D17E2466B3D73236D18B835","0CC80A24841401529EC9C6A845609775","8aa104e64b00b049264dc1b01412e6d9","A539A07891A339479C596BABE3060EA6","f14275f8f420afd0f9a62f3992860d68","0bf01810201004dcc484b3396607a483","db796d87acb7d980264fdcf5e94757f0","FA53B0FCEF08F8FF3FFDDFEE7F1F4F1A","B51D9EDC1DC8B6200F260589A4300009","95db93454ec1d581311c832122d21b20","646a680856f837254e6e361857458e17","d0cf8946acd3d12df1e8ae4bb34f1a6e","BE0C87A83267F1CE13B3F75C78EAC295","056B75FE0D230E6FF53AC508E0F93CCB","DB84FEBFD85F1469C28B4ED70AC6A638","649C7CACDD545E30D015EDB9FCAB3A0C","78CB3ABD00A1975BEBEDA852B2450873","51703911DC437D4E3910CE7F866C970E","79D0EEAFB30AA2BD4C261A51104F6ACC","299A7E3D6118AD91A9B6D37F94AC685B","62AFACC37B71D564D75A58FC161900C3","ED0CCADA1FE1E13EF78553A48260D932","C363CD87178FD660C25CDD8D978685F6","61FF22BA4C3DF7AE4A936FCFDEB020EA","923557554730247D37E782DB3BEA365D","1b740b17e53c4daeed45148bfbee4f14","e3cb4dafa1fb596e1e34e4b139be1b05","e0023eb058b0c82585a7340b6ed4cc06","4C4FA06BD840405FBEC34FE49D759E8D")

    Reference:

    https://securelist.com/stan-ghouls-in-uzbekistan/118738/


    Tags

    Russia, Asia, NetSupport RAT, RAT, Malware, Threat Actor, Critical Manufacturing, Financial Services, Information Technology
