Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT

Khushal

Apr 4, 2024
This Kaspersky analysis details a new campaign carried out by the Stan Ghouls threat group, which primarily targeted organizations within the industrial manufacturing, IT, and financial sectors across Uzbekistan. The activity also produced secondary impacts in Russia, Kazakhstan, and a few unintended locations.

In total, over 60 entities were affected—an unusually large number for such a highly targeted operation—indicating the group’s substantial operational investment. Despite their scale, Stan Ghouls continue to rely on a familiar toolkit centered around the legitimate NetSupport remote administration tool and their signature custom Java-based loader. Their main updates appear to concern infrastructure, as this campaign introduced two new domains for hosting the malicious loader and another dedicated to distributing NetSupport RAT files.

An unexpected finding was the presence of Mirai-related files on a domain previously linked to the group, hinting that Stan Ghouls may be experimenting with IoT malware, though this remains uncertain.

Kaspersky continues to monitor the group’s activities closely and assures users that its products are capable of defending against the Stan Ghouls campaign throughout all stages of an attack.
 
Your quote matches Kaspersky’s write-up pretty closely, with a couple of useful clarifications from the actual Securelist post.

What Kaspersky actually reports (with concrete dates/numbers)
  • Article publication date: 05 Feb 2026. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))
  • Victim count: “approximately 50” victims in Uzbekistan, “about 10” in Russia, plus a handful in Kazakhstan, Turkey, Serbia, and Belarus; Kaspersky also notes “over 60 victims” total as unusually high for this kind of targeted campaign. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))
  • Initial access: spear-phishing with PDF decoys, written in local language (Uzbek in this campaign), pushing the user to open “case materials” with Java. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/?utm_source=openai))
  • Core tooling: a custom Java loader that downloads/installs the legitimate NetSupport remote admin tool (abused as a RAT). ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/?utm_source=openai))

Key technical bits defenders can operationalize
  • Persistence methods described include:
    • Startup folder drop: “SoliqUZ_Run.bat” in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • HKCU Run key entry pointing to run.bat
    • A scheduled task created for ONLOGON that runs run.bat via schtasks
    ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))
  • NetSupport component filenames are explicitly listed (e.g., client32.exe, client32.ini, NSM.lic, plus multiple DLLs). That makes straightforward file-hunting possible in addition to behavioral detections. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))
  • Malicious domains/infra: the IoC section includes multiple domains (examples shown below) that can be used for proxy/DNS blocking and retro-hunting. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))

About the “Mirai-related files” point
Kaspersky’s wording is cautious: Mirai-family binaries were found on infrastructure associated with an earlier Stan Ghouls campaign, but they explicitly say confidence is low and it could also be shared/repurposed infrastructure used by other actors. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))

So it’s best treated as a lead for monitoring rather than proof that the same operator is now actively running IoT botnet operations.

Practical mitigations (enterprise / admin perspective)
  • Treat unexpected “court notice / legal document” PDFs with external links as high-risk; enforce attachment detonation and URL rewriting where possible.
  • If Java is not required in your environment, remove it and/or restrict execution of javaw.exe/java.exe via application control.
  • Block/alert on unauthorized NetSupport usage (allow-list only if your org uses it legitimately).
  • Hunt for the persistence patterns above (Startup .bat, HKCU Run entries, suspicious ONLOGON scheduled tasks launching .bat) and for NetSupport artifacts in user-writable paths.
  • Add the listed malicious domains to DNS/proxy blocklists and check historical DNS logs for resolution attempts. ([securelist.com](https://securelist.com/stan-ghouls-in-uzbekistan/118738/))

About the embedded X/Twitter post
I couldn’t reliably verify what’s inside the embedded tweet from the ID you posted (X often blocks automated retrieval without a logged-in view). If you paste the tweet text (or a screenshot), it’s possible to sanity-check whether it accurately reflects Kaspersky’s write-up and whether it adds any new technical indicators.

Technical Analysis & Remediation

Threat Track 1: Stan Ghouls (NetSupport RAT)

Vector
Phishing emails with malicious PDF attachments or fake software updates leading to a Java-based loader.

Mechanism
The loader checks for previous infection attempts (limit of 3) to evade sandbox analysis before fetching the RAT.

Persistence
Misuse of legitimate NetSupport Manager connectivity tools (client32.ini) to maintain persistent remote access.

Key Indicator
Fake error messages displayed to victims, e.g., "This application cannot be run in your OS."

MITRE ATT&CK Mapping
T1219 (Remote Access Software): NetSupport Manager.
T1497 (Virtualization/Sandbox Evasion): Execution limit checks.
T1059.007 (Command and Scripting Interpreter: JavaScript): Malicious loaders.

Threat Track 2: CVE-2023-23397 (Outlook NTLM Leak)

CVE Profile
CVE-2023-23397 (CVSS 9.8).

CISA KEV Status
ACTIVE (Added: 2023-03-14).

Mechanism
Exploits Extended MAPI properties in Outlook. An attacker sends a message/task with a custom reminder sound set to a UNC path (e.g., \\AttackerIP\share).

Impact
When Outlook processes the reminder (even in the background), it attempts to authenticate to the attacker's SMB share, leaking the user's Net-NTLMv2 hash. This allows for offline cracking or NTLM relay attacks.

Live Evidence Extraction (Anchor Protocol)

Stan Ghouls String Literal
"Urinishlar chegarasidan oshildi" (Translation: Attempt limit reached).

Stan Ghouls C2
hgame33[.]com:443.

CVE-2023-23397 UNC Path
\\213.32.252[.]221\silence.

CVE-2023-23397 UNC Path
\\5.199.162[.]132\SCW.

CVE-2023-23397 Attacker IP
113.160.234[.]229.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Hunt for CVE-2023-23397
Use the Microsoft script (CVE-2023-23397.ps1) to scan Exchange/Outlook items for UNC paths in the PidLidReminderFileParameter property.

Firewall Block
Immediate block of outbound TCP/445 (SMB) to the internet.

Hunt for Stan Ghouls
Search for client32.ini files in non-standard directories (e.g., %APPDATA%, %TEMP%).

Query process logs for client32.exe execution without approved change management tickets.

Network Isolation
Isolate hosts communicating with hgame33[.]com or the IP 5.199.162[.]132.

Phase 2: Eradication

Patching
Ensure Microsoft Outlook is patched against CVE-2023-23397. This vulnerability bypasses traditional Outlook security zones if unpatched.

Removal
Delete identified malicious Tasks/Emails. Remove unauthorized NetSupport installations and associated registry run keys.

Phase 3: Recovery

Credential Reset
MANDATORY password reset for any user identified with a triggered CVE-2023-23397 IOC, as their NTLM hash is compromised.

Validation
Verify outbound SMB is blocked at the perimeter firewall.

Phase 4: Lessons Learned

Policy Update
Disallow NTLM authentication where possible (move to Kerberos). Implement legitimate remote access software allowlisting (application control).

Remediation - THE HOME USER TRACK

Priority 1: Safety

Update Immediately
Run Windows Update to ensure Microsoft Outlook is patched. This vulnerability requires no user interaction to trigger.

Disconnect
If you suspect infection (e.g., fake error messages), disconnect from the internet immediately.

Priority 2: Identity

Scan for RATs
Use a reputable anti-malware solution to scan for "NetSupport" or "RAT" signatures.

Password Reset
If you use Outlook, change your Windows/Email password immediately, as it may have been intercepted.

Priority 3: Persistence

Check Startup Items
Open Task Manager (Ctrl+Shift+Esc) > Startup apps. Disable and investigate any unknown entries, especially those named "Client32" or referencing random .bat files.

Hardening & References

Baseline

CIS Benchmark for Microsoft Outlook (Disable NTLM authentication for remote servers).

Framework
NIST SP 800-61r2 (Incident Handling Guide).

Tactical
Block outbound SMB (Port 445) at the perimeter firewall. This kills the NTLM exfiltration vector for CVE-2023-23397.

Reference
Original Research (Kaspersky)
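An added PowerShell hunt, written for this thread rather than taken from Kaspersky or the forum, that checks one Windows host for the persistence patterns (Startup .bat, HKCU Run entry, ONLOGON task) and the NetSupport file names listed above. The search roots, including the Downloads folder, are my assumptions; the script only reports and deletes nothing.

```powershell
# Read-only host hunt for the Stan Ghouls persistence patterns and NetSupport artefacts
# described in the thread. Run in an elevated PowerShell 5.1+ session on the host.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Batch files dropped in the per-user Startup folder (e.g. SoliqUZ_Run.bat)
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.bat' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'StartupFolder' $_.FullName }

# 2. HKCU Run values whose command line references a batch file (run.bat in the report)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '\.bat\b' } |
        ForEach-Object { Add-Finding 'HKCU-Run' "$($_.Name) = $($_.Value)" }
}

# 3. Scheduled tasks with a logon trigger whose action launches a .bat
#    (what "schtasks /SC ONLOGON ... run.bat" leaves behind)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    $bat = $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match '\.bat\b' }
    if ($logon -and $bat) {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($bat.Execute) $($bat.Arguments)"
    }
}

# 4. NetSupport component files in user-writable locations; file names are the ones the
#    thread cites from the Securelist IoCs, the search roots are an assumption.
$nsFiles = 'client32.exe', 'client32.ini', 'NSM.lic'
$roots = $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads"
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $nsFiles -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'NetSupportArtefact' $_.FullName }
}

if ($findings.Count) { $findings | Format-Table -AutoSize }
else { Write-Host 'No matching artefacts found on this host.' }
```

Any hit is a lead, not a verdict: a NetSupport install under Program Files with a change ticket is expected, the same files under %APPDATA% next to a .bat in Startup are not.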