Intel Name: Stan Ghouls Targeting Russia and Uzbekistan with NetSupport RAT
Date of Scan: February 10, 2026
Impact: High
Summary: Executive leaders must understand that the modern threat landscape is no longer defined just by “viruses” but by the strategic misuse of legitimate business tools. A prominent example of this evolution is the recent activity from a threat group known as Stan Ghouls (also tracked as Bloody Wolf). This actor is currently deploying a remote access trojan (RAT) built by repurposing NetSupport Manager, a decades-old, legitimate remote administration tool, to infiltrate organizations across Russia and Uzbekistan. For a CISO, this represents a significant shift: the threat does not arrive as a suspicious “hacking tool,” but as a software package that looks exactly like the tools your own IT department uses to provide support.
The primary objective of Stan Ghouls in this campaign appears to be dual-natured: high-stakes financial gain combined with long-term strategic espionage. Since at least 2023, this group has meticulously targeted the manufacturing, finance, and IT sectors. By using a malware remote access trojan, they gain “eyes and ears” inside a victim’s network. This allows them to monitor sensitive communications, harvest credentials for financial systems, and steal intellectual property without ever triggering the loud alarms typically associated with destructive malware like ransomware.
For a business leader, the impact of a Stan Ghouls intrusion is severe. Because they use a legitimate administration tool, they can bypass many traditional security filters. Once they establish a foothold, they can lock a user’s keyboard, capture screen recordings of confidential meetings, and exfiltrate proprietary data. This isn’t just a technical breach; it is a direct threat to operational integrity and competitive advantage. The longer these actors remain undetected, the more they can map out your internal business processes, making a future, more damaging attack almost inevitable.
To grasp how this malware remote access trojan operates without getting lost in technical details, imagine your office’s physical security. You likely have a front desk and badges to keep unauthorized people out. However, imagine an attacker who doesn’t try to break a window. Instead, they disguise themselves as a technician from a trusted utility company. They carry a legitimate toolkit, wear a convincing uniform, and claim they are there to perform a “mandatory system update” that your staff was already expecting. Because they look and act like a real technician, your employees hold the door open for them.
In the digital world, Stan Ghouls uses spear-phishing emails containing malicious PDF attachments to simulate this “trusted technician” scenario. When an employee clicks a link within the PDF, often under the guise of a government ministry document, it triggers the download of a “loader.” This loader then fetches the NetSupport RAT. Because NetSupport is a real tool used by IT professionals globally, many security systems see its activity as “normal.” The attackers essentially hide in plain sight, using the tool’s built-in features to control the computer remotely, just as your own help desk would.
The only way to catch an adversary using legitimate tools is through threat detection analytics. While traditional antivirus looks for “bad files,” analytics look for “bad behavior.” For example, if a remote support tool like NetSupport suddenly starts running at 2:00 AM on an executive’s laptop and begins exfiltrating large amounts of data to an unfamiliar server, a security analytics platform will flag this as an anomaly. These analytics provide the context needed to distinguish between a legitimate IT session and a state-sponsored intrusion.
Effective cybersecurity risk management requires moving beyond a “castle-and-moat” mentality. CISOs must perform a continuous information security risk assessment that accounts for “Living off the Land” techniques, where attackers use pre-installed system tools to carry out their mission. By understanding which identities have the privilege to run remote administration tools and monitoring those identities for behavioral shifts, organizations can significantly reduce their attack surface and build resilience against groups like Stan Ghouls.
Gurucul provides a robust defense against the Stan Ghouls campaign by focusing on the behavior of the identity and the risk of every action. Since the malware remote access trojan used in these attacks is functionally identical to legitimate software, Gurucul does not just look at the “what”—it looks at the “who,” “where,” and “why.”
Gurucul mitigates this threat through three primary pillars:
To specifically defend against the Stan Ghouls malware remote access trojan, organizations leverage the Gurucul Next-Gen SIEM. This platform goes beyond simple log collection by utilizing over 4,000 pre-trained machine learning models to identify the “Link Chain” of events that signal a targeted attack. By correlating network telemetry with identity behavior, Gurucul provides the radical clarity needed to see through the attacker’s disguise.
In the case of NetSupport RAT, the Gurucul platform identifies the subtle signs of a malicious installation, such as a support tool running from a non-standard directory like “AppData” instead of “Program Files.” By automating the detection of these nuances, Gurucul frees your security analysts to focus on high-fidelity threats, ensuring that state-sponsored actors cannot hide within your own infrastructure.
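The behavioral checks described in the two passages above (a support tool running outside business hours and sending large volumes of data to an unfamiliar server, and a support tool running from a directory such as AppData instead of Program Files) can be expressed as a small triage script. The following Python code is an added example written for this page; it is not code from the original brief and not part of Gurucul's platform. Everything in it is constructed for illustration: the telemetry line format, the host and user names, the destination addresses, the 07:00 to 18:59 business-hours window, the 100 MiB transfer threshold, and the use of `client32.exe` as the NetSupport Manager client binary name are all assumptions, not values taken from the page.

```python
"""Behavioral triage for remote-administration tooling.

Flags a support tool that (a) runs from somewhere other than Program Files,
(b) is active outside business hours, or (c) sends a large volume of data to
a server that is not the help desk's own. All sample data is constructed.
"""
import re
from datetime import datetime

# Constructed sample telemetry: one ordinary help-desk session on hr-pc-12 and
# one session on an executive laptop that matches the brief's description.
SAMPLE_EVENTS = [
    r"2026-02-10T14:05:10 type=process host=hr-pc-12 user=helpdesk image=C:\Program Files\NetSupport\NetSupport Manager\client32.exe",
    r"2026-02-10T14:06:01 type=network host=hr-pc-12 user=helpdesk image=C:\Program Files\NetSupport\NetSupport Manager\client32.exe dst=10.0.5.20 bytes_out=1200000",
    r"2026-02-10T02:13:44 type=process host=exec-laptop-03 user=cfo image=C:\Users\cfo\AppData\Roaming\NetSupport\client32.exe",
    r"2026-02-10T02:20:09 type=network host=exec-laptop-03 user=cfo image=C:\Users\cfo\AppData\Roaming\NetSupport\client32.exe dst=203.0.113.7 bytes_out=734003200",
]

# Assumptions for this example (tune these to your own environment).
REMOTE_ADMIN_IMAGES = {"client32.exe"}          # NetSupport Manager client binary name
TRUSTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
BUSINESS_HOURS = range(7, 19)                    # 07:00 to 18:59 local time
KNOWN_SUPPORT_SERVERS = {"10.0.5.20"}            # the help desk's own gateway
EXFIL_BYTES = 100 * 1024 * 1024                  # 100 MiB in one session

# key=value pairs; values may contain spaces (Windows paths), so stop only
# before the next " key=" or at end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one telemetry line into a dict with a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    event.update(KV_RE.findall(rest))
    return event


def is_remote_admin_tool(event):
    """True when the event's image is one of the tracked remote-admin binaries."""
    image_name = event.get("image", "").lower().rsplit("\\", 1)[-1]
    return image_name in REMOTE_ADMIN_IMAGES


def assess(event):
    """Return the behavioral anomalies for one event (empty means it looks like normal support)."""
    findings = []
    if not is_remote_admin_tool(event):
        return findings
    if not event["image"].lower().startswith(TRUSTED_INSTALL_ROOTS):
        findings.append("remote-admin tool running outside Program Files: " + event["image"])
    if event["ts"].hour not in BUSINESS_HOURS:
        findings.append(f"remote-admin tool active at {event['ts']:%H:%M} (outside business hours)")
    if event.get("type") == "network":
        if event.get("dst") not in KNOWN_SUPPORT_SERVERS:
            findings.append("connection to unfamiliar server " + event["dst"])
        if int(event.get("bytes_out", 0)) >= EXFIL_BYTES:
            findings.append(f"large outbound transfer: {int(event['bytes_out']):,} bytes")
    return findings


def triage(lines):
    """Group findings per host so the analyst sees the chain of anomalies, not isolated alerts."""
    report = {}
    for line in lines:
        event = parse_event(line)
        for finding in assess(event):
            report.setdefault(event["host"], []).append(finding)
    return report


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the script reports nothing for hr-pc-12 (trusted path, working hours, known server, small transfer) and six findings for exec-laptop-03, which is the point of correlating the checks per host: any one of them alone is a weak signal, but a tool launched from a user profile at 02:13 that then pushes roughly 700 MB to an address the help desk never uses is the "link chain" an analyst wants surfaced as a single incident.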
For a full technical breakdown of this threat, including specific indicators of compromise and mitigation steps, visit the Gurucul Community URL: